NIAGARA 3.7 AND NEW SECURITY FEATURES
Bill Smith, August 2012
© Tridium 2012

3.5 and 3.6 Security Patch Highlights
• Blacklisting of critical files
• Default Category Configuration for new stations
• No blank passwords
• Strong passwords enabled by default
• Program objects now require super user privileges to install

SSL with 3.6 and Earlier
• The following data regarding SSL for 3.6 and earlier is available on Niagara Central by performing a search for "Installing a Signed Cert".

Installing the TKS Provider
• Download the TKS Provider jar: TridiumProvider.jar
• Install the jar into the lib/ext directory of your chosen JRE. DO NOT INSTALL INTO THE NIAGARA JRE!
• If you have previously installed StandaloneTksProvider.jar, delete it from the lib/ext directory!!
• Add the following line to the list in the lib/security/java.security file in your JRE:
  security.provider.11=com.tridium.crypto.TksProvider
• Make sure the number after "security.provider." is sequential.

Generate Key Pair for Certificate Request
• Open a command prompt and make sure that jre/bin is in your PATH.
• Go to the security directory for your Niagara installation.
• Rename the existing ssl.tks file to ssl.tks.orig as a backup.
• Run keytool with the following command:
  keytool -genkey -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -keyalg RSA -keysize 2048
• It may be necessary to adjust the -keyalg and -keysize arguments for the Certificate Authority you intend to use.
• The alias
• IMPORTANT: When prompted for your first and last name, enter the base domain name for the DNS entry for your server, e.g. tridium.com.
• Answer the remaining questions as accurately as possible.
• When prompted to enter a password for the key pair, just hit enter to use the keystore password.
• Make a copy of the new ssl.tks to ssl.tks.new as a backup.
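As an added example (not from the slides or from Tridium), a Python helper that appends the TksProvider line from the slide to a java.security file at the next sequential number. Java loads security.provider.1, 2, 3, ... and stops at the first missing number, so a gap would leave the provider silently unused; the helper therefore refuses to edit a file whose numbering is already broken. The sample file content is constructed, and the number you end up with depends on how many providers your JRE already lists (the slide's 11 assumes ten).

```python
import re

# Constructed excerpt of a JRE's lib/security/java.security provider list
# (not copied from any real installation); the real file is much longer.
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
"""

TKS_PROVIDER = "com.tridium.crypto.TksProvider"   # class name from the slide
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def provider_entries(text):
    """Return [(number, class)] for every security.provider.N line, in file
    order. Commented-out lines are skipped because Java ignores them too."""
    entries = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def add_tks_provider(text):
    """Return the file text with the TksProvider line appended under the next
    sequential number. Java stops reading at the first missing number, so a
    gap would leave the provider unused; refuse to edit a file whose
    numbering is already broken, and do nothing if the line is present."""
    entries = provider_entries(text)
    numbers = [n for n, _ in entries]
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError("provider numbering is not sequential: %s" % numbers)
    if any(cls == TKS_PROVIDER for _, cls in entries):
        return text                      # already installed, nothing to do
    new_line = "security.provider.%d=%s" % (len(numbers) + 1, TKS_PROVIDER)
    if not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"
```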
Generate the Certificate Request
• Now that a key pair has been generated, create the cert request with the following command:
  keytool -certreq -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -file certreq.cer
• A new file called certreq.cer has been created. This file should be submitted to your Certificate Authority along with any other information that they require.

Install Signed Certificate
• When the CA has completed the signing process, you will receive an email or file that contains something like:
  -----BEGIN CERTIFICATE-----
  [base64 certificate body omitted]
  -----END CERTIFICATE-----

Install Signed Certificate (continued)
• Save that section to a file, e.g. signedcert.cer, and put it in the same directory as your ssl.tks.
• If intermediate certs have also been provided, save them to files as well.
• Documentation with your signed cert should provide you with a reference to the root certificate used to sign the chain. Download this root cert and save it to a file.
• With a text editor, create a new file and copy and paste the contents of each cert file into the new one with the signed cert first, then the intermediate cert(s), and last the root (CA) cert. Save this to a file called something like certchain.cer.
• Run the following command (this MUST be done on the same keystore that was used to generate the initial CSR):
  keytool -importcert -trustcacerts -file certchain.cer -keystore ssl.tks -storepass tridium -storetype TKS -alias tridium
• You may be prompted with something like "... is not trusted. Install reply anyway?". Answer "yes".

Check the Keystore
• Dump the contents of the keystore with the following command:
  keytool -list -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -v
• The first few lines should contain something like:
  Alias name: tridium
  Creation date: Jul 31, 2012
  Entry type: PrivateKeyEntry
• Verify that this is PrivateKeyEntry.
• The next thing to look at is the first cert.
• Look for the following lines:
  Certificate[1]:
  Owner: CN=foo.com, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us
  Issuer: C=us, ST=virginia, L=richmond, O=tridium, OU=engineering, CN=intermediateca
• Verify that the owner is the end certificate that you had signed.
• Look through each subsequent certificate to make sure the owner is the same as the issuer on the previous certificate.

Some Notes
• The signed cert that you installed will only validate correctly for the domain for which it was created.
• Your Certificate Authority may have other requirements and instructions and should be able to assist you with any trouble.
• The certificate chain must be installed into the keystore that contains the matching private key entry.

3.7 SSL Features
• Certificate Generation
• Trust Store and Key Store Management
• Certificate Signing Request
• Certificate Signing Tool
• Importing/Exporting keys and certificates
• Allowed Host Management
• Improved SSL Support for Web, Fox and Niagarad
• Improved SSL API Support

(Screenshot slides: Key Store Table, Trust Store Table, Allowed Hosts Table, Certificate Generation, Certificate Request Generation, Certificate Signing Tool)

Approved Cipher List
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA
• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• SSL_RSA_WITH_RC4_128_MD5
• SSL_RSA_WITH_RC4_128_SHA
• TLS_EMPTY_RENEGOTIATION_INFO_SCSV

(Screenshot slides: Certificate Verification, Session Information)

SSLSocket Sample Code
  // Obtain the station's crypto manager and a client socket factory for the chosen protocols
  ICryptoManager mgr = CertManagerFactory.getInstance();
  SSLSocketFactory factory = (SSLSocketFactory) mgr.getClientSocketFactory(BSslTlsEnum.sslv3andtlsv1);
  // addr and port are the remote host and port the caller wants to reach
  SSLSocket socket = (SSLSocket) factory.createSocket(addr, port);
  socket.close();

HttpsConnection Sample Code
  ICryptoManager mgr = CertManagerFactory.getInstance();
  IClientSocketFactory factory = mgr.getClientSocketFactory(BSslTlsEnum.sslv3andtlsv1);
  // Host, port, path and the socket factory that supplies the SSL client sockets
  HttpsConnection connection = new HttpsConnection(new BIpHost("www.amazon.com"), 443, "/", factory);
  connection.connect();
  connection.close();

Server Configuration (Niagarad)
• State: enabled, disabled or ssl only; if ssl only, will redirect from the non-ssl port
• Port: default for niagarad ssl is 5011
• Certificate: server certificate selected from the key store
• Protocol: SSLv3, TLSv1, or both

Server Configuration (Web Service)
• https enabled: true or false
• https only: true or false; will redirect from http if http is enabled
• Port: default for the web service is 443
• Certificate: server certificate selected from the key store
• Protocol: SSLv3, TLSv1, or both

Server Configuration (Fox Service)
• foxs enabled: true or false
• foxs only: true or false; will redirect from http if http is enabled
• Port: default for the foxs service is 4911
• Certificate: server certificate selected from the key store
• Protocol: SSLv3, TLSv1, or both

SSLServerSocket Sample Code
  ICryptoManager mgr = CertManagerFactory.getInstance();
  // "tridium" is the key store alias of the server certificate to present
  SSLServerSocketFactory factory = (SSLServerSocketFactory) mgr.getServerSocketFactory(BSslTlsEnum.sslv3andtlsv1, false, "tridium");
  SSLServerSocket serverSocket = (SSLServerSocket) factory.createServerSocket();
  SSLSocket socket = (SSLSocket) serverSocket.accept();
  socket.close();

Small Network Example (diagram)
• CA certificate installed on client machines in their trust store
• CA private key used to sign server certificates

Large Network Example (diagram)
• Root CA certificate installed on client machines in their trust store
• Root CA private key used to sign intermediate CA certificates
• Intermediate CA private key used to sign server certificates
• Intermediate CA certificate

Questions?
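As an added example (not from the slides or from Tridium), a Python script that applies the "Check the Keystore" steps above to the output of `keytool -list -v`: the entry must be a PrivateKeyEntry, Certificate[1] must carry the server's domain, each certificate's owner must equal the issuer of the one before it, and the chain must end at the root CA. DNs are compared as sets of attributes because, as the slide's sample shows, keytool prints Owner and Issuer with the attributes in opposite orders. The listing text and DN values are constructed, not taken from a real station.

```python
# Constructed sample of `keytool -list -v` output in the shape the slides show.
SAMPLE_LISTING = """\
Alias name: tridium
Creation date: Jul 31, 2012
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=foo.com, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us
Issuer: C=us, ST=virginia, L=richmond, O=tridium, OU=engineering, CN=intermediateca
Certificate[2]:
Owner: CN=intermediateca, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us
Issuer: CN=rootca, O=tridium, C=us
Certificate[3]:
Owner: CN=rootca, O=tridium, C=us
Issuer: CN=rootca, O=tridium, C=us
"""

def parse_dn(dn):
    """Keytool DN ('CN=a, O=b') as an order- and case-insensitive set of pairs."""
    return frozenset((a.strip().upper(), v.strip().lower())
                     for a, v in (p.split("=", 1) for p in dn.split(",") if "=" in p))

def parse_listing(text):
    """Return (entry_type, [(owner, issuer), ...]) in chain order."""
    entry_type, owner, certs = None, None, []
    for line in text.splitlines():
        if line.startswith("Entry type:"):
            entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            owner = parse_dn(line.split(":", 1)[1])
        elif line.startswith("Issuer:"):
            certs.append((owner, parse_dn(line.split(":", 1)[1])))
    return entry_type, certs

def check_chain(text, expected_host):
    """Apply the 'Check the Keystore' steps; an empty list means all passed."""
    problems = []
    entry_type, certs = parse_listing(text)
    if entry_type != "PrivateKeyEntry":
        problems.append("entry type is %s, not PrivateKeyEntry" % entry_type)
    if not certs:
        return problems + ["no certificates in listing"]
    cn = dict(certs[0][0]).get("CN")          # Certificate[1] is the end certificate
    if cn != expected_host.lower():
        problems.append("Certificate[1] CN %r does not match host %r" % (cn, expected_host))
    for i in range(1, len(certs)):            # owner[i] must equal issuer[i-1]
        if certs[i][0] != certs[i - 1][1]:
            problems.append("Certificate[%d] owner is not the issuer of Certificate[%d]" % (i + 1, i))
    if certs[-1][0] != certs[-1][1]:          # the chain should end at the self-signed root
        problems.append("last certificate is not a self-signed root")
    return problems
```

Feed it the real listing with the host name from your CSR; any non-empty result points at the certificate that breaks the chain.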