By default, Unwired Accelerator stores in cleartext the user name and password it uses to log in to the RDBMS server that holds the portal database tables. Anyone who learns that database user name and password can use ISQL to read and modify the database tables directly, bypassing the portal. To safeguard portal security, you can:
Change the DBA password.
Optionally create a whole new database user to own the portal database.
Update the global.properties.xml files with the new database connection information.
Limit access to the global.properties.xml file, so that only appropriate people can view it and see the passwords.
Change the password in the server.xml file, and limit access so that only appropriate people can view it and see the passwords.
Changing the password, and optionally the PortalDB table owner
The simplest safeguard is to change the database password, using the ISQL GUI. The ISQL GUI requires the jConnect JDBC driver, which is packaged separately under the SYBASE\tomcat\common\lib directory.
Optionally, another safeguard is to create a custom database user to own the portal database tables, rather than using the dba user (ASA) or the sa user (Adaptive Server). The credentials stored in the portal configuration files are then those of a limited-purpose account instead of the database administrator's, so anyone who reads them out of global.properties.xml or server.xml cannot use ISQL against your database with DBA or sa privileges. If you create the custom database owner, also change the default database user name found in global.properties.xml. Coordinate these changes between the PortalDB and the global.properties.xml file.
From the command line, navigate to the following directory:
cd SYBASE\asa\java
Access isql using the command that follows. The command adds the jConnect JDBC driver to the class path.
java -classpath ..\..\tomcat\common\lib\jconn2.jar;jisql.jar com.sybase.jisql.Jisql
The jisql login screen displays.
Log in, and change the dba or sa password from the defaults ("SQL" for ASA and an empty password for Adaptive Server):
-- Change the password.
sp_password <oldpassword>, <newpassword>
go
Optionally, use isql to create a new database user in the portal database and make this user the owner of PortalDB. The examples below use portalowner/portalowner as the user name and password; that is only a placeholder. Choose a strong password for this account, because it is the one that will be stored in global.properties.xml and server.xml. Here is the input using isql:
For ASA:
-- Create a user portalowner/portalowner.
GRANT CONNECT TO portalowner IDENTIFIED BY portalowner
go
-- Change the DBA password.
GRANT CONNECT TO DBA IDENTIFIED BY <newpassword>
go
-- Make the "dba" account a group.
GRANT GROUP TO DBA
go
-- Make portalowner a member of the group, enabling portalowner
-- to access the tables/views of the database without having to prefix
-- everything with "dba."
GRANT MEMBERSHIP IN GROUP DBA TO portalowner
go
For Adaptive Server:
-- Create a login portalowner/portalowner whose default database
-- is portaldatabase.
sp_addlogin portalowner, portalowner, portaldatabase
go
-- Make this login the owner of portaldatabase. Run this as sa;
-- the login must not already have been added as a user of the database.
use portaldatabase
go
sp_changedbowner portalowner, true
go
-- Change the sa password.
sp_password <oldpassword>, <newpassword>
go
Open the global.properties.xml file in a text editor, and search for the data pool entry you are using, either op_portal_asa (for ASA) or op_portal_ase (for Adaptive Server).
Change the database user name and password entries in the data pool entry, from the default to the values you established in “Changing the password, and optionally the PortalDB table owner”.
For ASA:
<DataPool name="op_portal_asa"
    class="com.onepage.db.DbConnectionBroker"
    driver="com.sybase.jdbc2.jdbc.SybDriver"
    url="jdbc:sybase:Tds:hostname:port?ServiceName=portaldatabase"
    user="portalowner"
    password="newpassword"
    password_encrypted="false"
    minConnections="1"
    maxConnections="50"
    unusedtimer="360"
    checkouttimer="60"
    reuse="30"
    debug="true" />
For Adaptive Server:
<DataPool name="op_portal_ase"
    class="com.onepage.db.DbConnectionBroker"
    driver="com.sybase.jdbc2.jdbc.SybDriver"
    url="jdbc:sybase:Tds:hostname:port/portaldatabase?IS_CLOSED_TEST=INTERNAL"
    user="portalowner"
    password="newpassword"
    password_encrypted="false"
    minConnections="1"
    maxConnections="50"
    unusedtimer="360"
    checkouttimer="60"
    reuse="30"
    debug="false" />
See the “Database property-specific parameters” section for information about user and password in the op_portal_asa and op_portal_ase data pool sections.
Optionally, encrypt the password in the global.properties.xml file using the encode_passwd.bat (Windows) or encode_passwd.sh (UNIX) utility:
If you are using Tomcat, navigate to:
SYBASE\tomcat\webapps\onepage\config
For EAServer:
SYBASE\EAServer\Repository\WebApplication\onepage\config
Run the encode_passwd utility with the current password, for example:
encode_passwd.bat password
The utility prints the encoded password, for example:
990990D99ED8DFFDDFFDDFFDDFFDDFFDDFFDDFFD
In global.properties.xml, make these changes:
password="" – paste the encoded password into the password attribute; for example:
password="990990D99ED8DFFDDFFDDFFDDFFDDFFDDFFDDFFD"
password_encrypted="false" – change this value to true.
WARNING! There is no comparable step for encrypting the password in the server.xml file. That copy of the password always stays in cleartext, so restricting who can read server.xml (see "Modifying database account information in server.xml") is its only protection.
Save and close the global.properties.xml file.
Limiting global.properties.xml access to the portal server owner
Another safeguard is to make the global.properties.xml file readable only by the operating-system account that the portal server (Tomcat or EAServer) runs as. Anyone else who can read the file can read the database password from it.
If you are using Tomcat:
From Windows Explorer, navigate to SYBASE\tomcat\webapps\onepage\config, right-click the global.properties.xml file, and choose Properties.
For EAServer:
SYBASE\EAServer\Repository\WebApplication\onepage\config
Select the Security tab and:
Clear the "Allow inheritable permissions" check box, so that the file stops inheriting the permissive entries of its parent folder, and remove the inherited Everyone and Users entries rather than copying them.
In the top window, add the user or group that runs the portal server, and grant it Read (or Full Control if the portal administration tools must write to the file).
Do not add a Deny entry for Everyone: in Windows an explicit Deny takes precedence over an explicit Allow, and the portal service account is itself a member of Everyone, so the server would be locked out of its own configuration file.
This leaves only the specified users able to read the file and see the password.
On UNIX:
If you run the portal as the "root" user, issue these commands to make global.properties.xml owned by root, and readable only by root. If the portal instead runs as a dedicated, unprivileged account (the safer arrangement), substitute that account for root in the chown command so the server can still read the file:
% su
>chown root global.properties.xml
>chmod 400 global.properties.xml
>exit
Modify database account information in the server.xml file, and limit access to the file.
Modifying database account information in server.xml
As a final safeguard, modify the database account information in the server.xml file, then limit access to the server.xml file as you did in the preceding procedure.
These instructions are for Tomcat. If you are using EAServer, use EAServer Manager to open the folder of PortalDB connection pools, and edit the database account information.
Navigate to the following directory:
SYBASE\tomcat\conf
In a text editor, open server.xml.
Search for “Global JNDI resources.” This section defines a Java Naming and Directory Interface (JNDI) connection pool to the PortalDB. The XML looks like:
<!-- Global JNDI resources -->
<GlobalNamingResources>
<Resource name="jdbc/portaldb" auth="Container"
type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/portaldb">
<parameter>
<name>driverClassName</name>
<value>com.sybase.jdbc2.jdbc.SybDriver</value>
</parameter>
<parameter>
<name>url</name>
<value>jdbc:sybase:Tds:localhost:4747?ServiceName=portaldatabase</value>
</parameter>
<parameter>
<name>username</name>
<value>dba</value>
</parameter>
<parameter>
<name>password</name>
<value>SQL</value>
</parameter>
Change the username and password values to the database user and password you set up in "Changing the password, and optionally the PortalDB table owner". If you created the portalowner account, use it here as well, so that server.xml no longer carries the dba or sa credentials.
Save and close the server.xml file.
Make the server.xml file readable only by the computer user for the portal server (Tomcat).
On Windows:
From Windows Explorer, navigate to SYBASE\tomcat\conf, right-click the server.xml file, and choose Properties.
Select the Security tab and:
Clear the "Allow inheritable permissions" check box, so that the file stops inheriting the permissive entries of its parent folder, and remove the inherited Everyone and Users entries rather than copying them.
In the top window, add the user or group that runs the portal server, and grant it Read (or Full Control if the portal administration tools must write to the file).
Do not add a Deny entry for Everyone: in Windows an explicit Deny takes precedence over an explicit Allow, and the portal service account is itself a member of Everyone, so Tomcat would be unable to read its own server.xml.
This leaves only the specified users able to read the file and see the password.
On UNIX:
If you run the portal as the "root" user, issue the following commands to make server.xml owned by root, and readable only by root. If the portal instead runs as a dedicated, unprivileged account, substitute that account for root in the chown command so Tomcat can still read the file:
% su
>chown root server.xml
>chmod 400 server.xml
>exit
Restart the application server to apply the changes you made to global.properties.xml and server.xml.
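After restarting, it is worth confirming that nothing was missed. The following Python audit is an added example, not code from the Sybase documentation or product: it parses the two files this procedure edits (the op_portal_asa and op_portal_ase DataPool entries in global.properties.xml and the jdbc/portaldb ResourceParams block in server.xml), flags the factory dba/SQL and sa logins, a DataPool password still marked password_encrypted="false", and, on UNIX, a file mode that lets group or other users read the file. The XML samples are constructed for the demonstration, the wrapper element of global.properties.xml is an assumption (only the DataPool entries matter to the parser), and the temporary-directory layout exists only so the check runs offline.

```python
"""Post-hardening audit for the portal database credentials (added example, not
Sybase code). It reads the two files the procedure edits and reports factory
logins (dba/SQL on ASA, sa with an empty password on ASE), a DataPool password
left in cleartext (password_encrypted="false"), and a file readable by group or
other. The XML samples are constructed; the global.properties.xml wrapper
element is assumed, since only the DataPool entries matter to the parser."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

IS_POSIX = os.name == "posix"   # mode bits only mean something on UNIX
PORTAL_POOLS = ("op_portal_asa", "op_portal_ase")
PORTAL_RESOURCE = "jdbc/portaldb"


def is_default_credential(user, password):
    """True for the factory logins the procedure says to change."""
    u = user.strip().lower()
    return (u == "dba" and password.strip().lower() == "sql") or \
           (u == "sa" and password.strip() == "")


def audit_global_properties(path):
    """Findings for the op_portal_asa / op_portal_ase DataPool entries."""
    findings = []
    for pool in ET.parse(path).getroot().iter("DataPool"):
        name = pool.get("name", "")
        if name not in PORTAL_POOLS:
            continue
        user, password = pool.get("user", ""), pool.get("password", "")
        if is_default_credential(user, password):
            findings.append(f"{name}: default database login still in use ({user})")
        if pool.get("password_encrypted", "false").lower() != "true":
            findings.append(f"{name}: password stored in cleartext (password_encrypted=false)")
    return findings


def audit_server_xml(path):
    """Findings for the jdbc/portaldb ResourceParams block (Tomcat 4/5 layout)."""
    findings = []
    for params in ET.parse(path).getroot().iter("ResourceParams"):
        if params.get("name") != PORTAL_RESOURCE:
            continue
        values = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
                  for p in params.findall("parameter")}
        if is_default_credential(values.get("username", ""), values.get("password", "")):
            findings.append(f"{PORTAL_RESOURCE}: default database login still in use")
    # No encode_passwd equivalent exists for server.xml: its password is always
    # cleartext, so the file mode (audit_file_mode) is its only protection.
    return findings


def audit_file_mode(path):
    """Flag a file readable by group/other; the hardened mode is 0400."""
    name = os.path.basename(path)
    if not IS_POSIX:
        return [f"{name}: NTFS ACL not checked (no POSIX mode bits on Windows)"]
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{name}: mode {stat.filemode(mode)} allows group/other access"]
    return []


# Constructed samples: the ASA pool still on dba/SQL in cleartext, the ASE pool
# already moved to portalowner with an encoded password, server.xml still dba/SQL.
SAMPLE_GLOBAL_PROPERTIES = """<properties>
  <DataPool name="op_portal_asa" driver="com.sybase.jdbc2.jdbc.SybDriver"
    url="jdbc:sybase:Tds:localhost:4747?ServiceName=portaldatabase"
    user="dba" password="SQL" password_encrypted="false"/>
  <DataPool name="op_portal_ase" driver="com.sybase.jdbc2.jdbc.SybDriver"
    url="jdbc:sybase:Tds:localhost:5000/portaldatabase?IS_CLOSED_TEST=INTERNAL"
    user="portalowner" password="990990D99ED8DFFDDFFDDFFDDFFDDFFDDFFDDFFD"
    password_encrypted="true"/>
</properties>"""
SAMPLE_SERVER_XML = """<Server><GlobalNamingResources>
  <Resource name="jdbc/portaldb" auth="Container" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/portaldb">
    <parameter><name>driverClassName</name><value>com.sybase.jdbc2.jdbc.SybDriver</value></parameter>
    <parameter><name>username</name><value>dba</value></parameter>
    <parameter><name>password</name><value>SQL</value></parameter>
  </ResourceParams>
</GlobalNamingResources></Server>"""


def run_demo():
    """Write the samples to a temp dir, leave one world-readable, audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        gp, sx = os.path.join(tmp, "global.properties.xml"), os.path.join(tmp, "server.xml")
        for path, text in ((gp, SAMPLE_GLOBAL_PROPERTIES), (sx, SAMPLE_SERVER_XML)):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        os.chmod(gp, 0o644)   # the loose default the procedure tells you to fix
        os.chmod(sx, 0o400)   # the hardened mode
        report = {"global.properties.xml": audit_global_properties(gp) + audit_file_mode(gp),
                  "server.xml": audit_server_xml(sx) + audit_file_mode(sx)}
        os.chmod(sx, 0o600)   # so the temp dir can be removed on every platform
    return report


if __name__ == "__main__":
    for filename, findings in run_demo().items():
        print(filename)
        for finding in findings or ["no findings"]:
            print("  " + finding)
```

Point audit_global_properties and audit_server_xml at the real files under SYBASE\tomcat\webapps\onepage\config and SYBASE\tomcat\conf (or the EAServer equivalents) after the change; an empty report for both files, with no "allows group/other" line, is the state the procedure is meant to reach. The sample run above deliberately leaves global.properties.xml on the defaults and world-readable so that each check produces a finding. Only the DataPool password can be encoded; the server.xml finding for the default login is the one that matters there, since the file mode is the only thing protecting that password.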
Copyright © 2005. Sybase Inc. All rights reserved.