NIAGARA 3.7 AND NEW SECURITY FEATURES
Bill Smith
August, 2012
© Tridium 2012
3.5 and 3.6 Security Patch Highlights
• Blacklisting of critical files
• Default Category Configuration for new stations
• No blank passwords
• Strong passwords enabled by default
• Program objects now require super user privileges to install
SSL with 3.6 and Earlier
• The following data regarding SSL for 3.6 and earlier is available on Niagara Central by searching for "Installing a Signed Cert"
Installing the TKS Provider
• Download the TKS Provider jar: TridiumProvider.jar
• Install the jar into the lib/ext directory of your chosen JRE. DO NOT INSTALL INTO THE NIAGARA JRE!
• If you have previously installed StandaloneTksProvider.jar, delete it from the lib/ext directory!
• Add the following line to the list in the lib/security/java.security file of your JRE:
security.provider.11=com.tridium.crypto.TksProvider
• Make sure the number after "security.provider." is sequential, i.e. one higher than the last provider already listed: the JRE reads security.provider.1, 2, 3, ... and stops at the first number that is missing, so a gap silently drops every provider after it
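The provider-list edit above depends on the number being the next one in sequence. As an added example, not code from the slides or from Tridium, here is a small Python routine that appends the TksProvider line at the next free slot of a java.security excerpt, leaves the file alone if the provider is already registered, and refuses to edit a file whose numbering already has a gap. The excerpt is constructed for the example and lists only four providers (the slide's "security.provider.11" implies ten on the JRE it was written for).

```python
import re

TKS_PROVIDER = "com.tridium.crypto.TksProvider"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)[ \t]*$", re.MULTILINE)

# Constructed excerpt of a JRE lib/security/java.security file for this
# example; a real file lists more providers (the slide implies ten).
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
"""


def provider_entries(text):
    """Return [(number, class)] for every security.provider.N= line."""
    return [(int(n), cls) for n, cls in PROVIDER_RE.findall(text)]


def numbering_is_sequential(text):
    """True when the provider numbers are exactly 1..N with no gap or duplicate.

    The JRE loads security.provider.1, 2, 3, ... and stops at the first
    missing number, so anything after a gap is never loaded.
    """
    numbers = sorted(n for n, _ in provider_entries(text))
    return numbers == list(range(1, len(numbers) + 1))


def add_provider(text, class_name=TKS_PROVIDER):
    """Append class_name as the next sequential provider.

    Returns the text unchanged if the class is already registered and
    raises ValueError rather than appending to a broken list.
    """
    entries = provider_entries(text)
    if any(cls == class_name for _, cls in entries):
        return text
    if not numbering_is_sequential(text):
        raise ValueError("provider numbering is not sequential; fix the file first")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "security.provider.%d=%s\n" % (len(entries) + 1, class_name)
```

Running add_provider on the excerpt appends security.provider.5 for the TKS provider; running it again on the result is a no-op.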
Generate Key Pair for Certificate Request
• Open a command prompt and make sure that jre/bin is in your PATH.
• Go to the security directory for your Niagara installation.
• Rename the existing ssl.tks file to ssl.tks.orig as a backup.
• Run keytool with the following command:
keytool -genkey -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -keyalg RSA -keysize 2048
• It may be necessary to adjust the -keyalg and -keysize arguments for the Certificate Authority you intend to use.
• The alias
• IMPORTANT: When prompted for your first and last name, enter the base domain name of the DNS entry for your server, e.g. tridium.com
• Answer the remaining questions as accurately as possible.
• When prompted for a password for the key pair, just hit Enter to use the keystore password.
• Make a copy of the new ssl.tks to ssl.tks.new as a backup.
Generate the Certificate Request
• Now that a key pair has been generated, create the cert request with the following command (note that this is keytool -certreq, not a second -genkey, and that it reads the key pair stored under the alias from the previous step):
keytool -certreq -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -file certreq.cer
• A new file called certreq.cer has been created. This file should be submitted to your Certificate Authority along with any other information that they require.
Install Signed Certificate
• When the CA has completed the signing process, you will receive an email or file that contains something like:
-----BEGIN CERTIFICATE-----
MIIFUTCCBDmgAwIBAgIQdYL06pVxhgnBQNHptRI6NzANBgkqhkiG9w0BAQUFADCB
...
-----END CERTIFICATE-----
Install Signed Certificate (continued)
• Save that section to a file, e.g. signedcert.cer, and put it in the same directory as your ssl.tks.
• If intermediate certs have also been provided, save them to files as well.
• Documentation with your signed cert should provide a reference to the root certificate used to sign the chain. Download this root cert and save it to a file.
• With a text editor, create a new file and copy and paste the contents of each cert file into it: the signed cert first, then the intermediate cert(s), and last the root (CA) cert.
• Save this to a file called something like certchain.cer.
• Run the following command (this MUST be done on the same keystore that was used to generate the initial CSR, since the signed certificate is only useful next to the private key it belongs to):
keytool -importcert -trustcacerts -file certchain.cer -keystore ssl.tks -storepass tridium -storetype TKS -alias tridium
• You may be prompted with something like "... is not trusted. Install reply anyway?". Answer "yes".
Check the Keystore
• Dump the contents of the keystore with the following command:
keytool -list -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -v
• The first few lines should contain something like:
Alias name: tridium
Creation date: Jul 31, 2012
Entry type: PrivateKeyEntry
• Verify that this is PrivateKeyEntry.
• The next thing to look at is the first cert. Look for the following lines:
Certificate[1]:
Owner: CN=foo.com, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us
Issuer: C=us, ST=virginia, L=richmond, O=tridium, OU=engineering, CN=intermediateca
• Verify that the owner is the end certificate that you had signed.
• Look through each subsequent certificate to make sure the owner is the same as the issuer on the previous certificate.
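The checks on this slide can be run automatically over the text that keytool -list -v prints. The following is an added example, not Tridium code: it parses a dump constructed for the example (modelled on the lines shown above, with invented root CA names; not a capture from a real station) and reports the entry type, the leaf CN and every owner/issuer link. Distinguished names are compared as sets of RDNs because keytool prints Owner and Issuer with the attributes in opposite order, as the sample above shows. The expected alias and CN are parameters, and the requirement that the chain end in a self-signed certificate follows from the instruction above to put the root CA cert last in certchain.cer.

```python
import re

# Constructed `keytool -list -v` dump for one alias, modelled on the slide.
SAMPLE_DUMP = """\
Alias name: tridium
Creation date: Jul 31, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=foo.com, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us
Issuer: C=us, ST=virginia, L=richmond, O=tridium, OU=engineering, CN=intermediateca
Certificate[2]:
Owner: CN=intermediateca, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us
Issuer: C=us, O=tridium, CN=rootca
Certificate[3]:
Owner: CN=rootca, O=tridium, C=us
Issuer: CN=rootca, O=tridium, C=us
"""

# Same dump with the intermediate and root entries swapped, constructed to
# show what the checks report for a chain whose links do not line up.
BAD_ORDER_DUMP = SAMPLE_DUMP.replace(
    "Owner: CN=intermediateca, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us\n"
    "Issuer: C=us, O=tridium, CN=rootca\n", "@@ROOT@@\n").replace(
    "Owner: CN=rootca, O=tridium, C=us\nIssuer: CN=rootca, O=tridium, C=us\n",
    "Owner: CN=intermediateca, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us\n"
    "Issuer: C=us, O=tridium, CN=rootca\n").replace(
    "@@ROOT@@\n", "Owner: CN=rootca, O=tridium, C=us\nIssuer: CN=rootca, O=tridium, C=us\n")


def parse_dn(dn):
    """Turn 'CN=a, O=b' into a frozenset of (attr, value) pairs.

    Splits only on unescaped commas, so a value such as 'O=Foo\\, Inc'
    stays intact. Attribute names are upper-cased; values are kept as printed.
    """
    rdns = set()
    for part in re.split(r"(?<!\\),\s*", dn.strip()):
        if part:
            attr, _, value = part.partition("=")
            rdns.add((attr.strip().upper(), value.strip()))
    return frozenset(rdns)


def parse_dump(text):
    """Extract alias, entry type and the owner/issuer chain from one keytool entry.

    The command above lists a single alias; a dump of a whole keystore would
    need to be split per 'Alias name:' line first.
    """
    entry = {"alias": None, "entry_type": None, "chain": []}
    cert = None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        if key == "Alias name":
            entry["alias"] = value.strip()
        elif key == "Entry type":
            entry["entry_type"] = value.strip()
        elif re.fullmatch(r"Certificate\[\d+\]", key):
            cert = {"owner": None, "issuer": None}
            entry["chain"].append(cert)
        elif key == "Owner" and cert is not None:
            cert["owner"] = parse_dn(value)
        elif key == "Issuer" and cert is not None:
            cert["issuer"] = parse_dn(value)
    return entry


def check_entry(entry, expected_alias, expected_cn):
    """Return the list of problems found; an empty list means the entry passes."""
    problems = []
    if entry["alias"] != expected_alias:
        problems.append("alias is %r, expected %r" % (entry["alias"], expected_alias))
    if entry["entry_type"] != "PrivateKeyEntry":
        problems.append("entry type is %r, not PrivateKeyEntry: no private key under this alias"
                        % entry["entry_type"])
    chain = entry["chain"]
    if not chain:
        problems.append("no certificates in the entry")
        return problems
    if not chain[0]["owner"] or ("CN", expected_cn) not in chain[0]["owner"]:
        problems.append("Certificate[1] owner is not CN=%s" % expected_cn)
    # Each certificate must be issued by the next one in the chain.
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["owner"]:
            problems.append("Certificate[%d] issuer does not match Certificate[%d] owner"
                            % (i + 1, i + 2))
    if chain[-1]["owner"] != chain[-1]["issuer"]:
        problems.append("last certificate is not self-signed: root CA cert missing from the chain")
    return problems
```

For the well-formed sample check_entry returns an empty list; for the swapped one it reports both broken links and the missing self-signed root.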
Some Notes
• The signed cert that you installed will only validate correctly for the domain for which it was created.
• Your Certificate Authority may have other requirements and instructions and should be able to assist you with any trouble.
• The certificate chain must be installed into the keystore that contains the matching private key entry.
3.7 SSL Features
• Certificate Generation
• Trust Store and Key Store Management
• Certificate Signing Request
• Certificate Signing Tool
• Importing/Exporting keys and certificates
• Allowed Host Management
• Improved SSL Support for Web, Fox and Niagarad
• Improved SSL API Support
Key Store Table
Trust Store Table
Allowed Hosts Table
Certificate Generation
Certificate Request Generation
Certificate Signing Tool
Approved Cipher List
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA
• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• SSL_RSA_WITH_RC4_128_MD5
• SSL_RSA_WITH_RC4_128_SHA
• TLS_EMPTY_RENEGOTIATION_INFO_SCSV
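The list above was approved in 2012. As an added example that is not part of the deck, here is a Python audit of it that splits each JSSE suite name into key exchange, cipher and MAC and flags the primitives that later guidance removed: RC4 (prohibited for TLS by RFC 7465), 3DES (64-bit block, Sweet32) and an MD5-based MAC, and notes that the static RSA suites provide no forward secrecy. The RFC 7465 and Sweet32 references postdate this presentation; the SCSV entry is a signalling value for RFC 5746 secure renegotiation, not a cipher, and is passed through without findings.

```python
import re

# The 3.7 approved list, as on the slide.
APPROVED_CIPHERS = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# JSSE suite names follow <TLS|SSL>_<KEX>_WITH_<CIPHER>_<MAC>.
SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kex>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA384|SHA256|SHA|MD5)$")


def parse_suite(name):
    """Split a suite name into its key exchange, cipher and MAC components."""
    if name.endswith("_SCSV"):
        # Signalling value (RFC 5746 secure renegotiation), not a cipher suite.
        return {"name": name, "kex": None, "cipher": None, "mac": None}
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError("unrecognised suite name: %s" % name)
    return {"name": name, **m.groupdict()}


def weaknesses(suite):
    """Findings based on guidance issued after 2012; empty list means none."""
    flags = []
    if suite["cipher"] is None:
        return flags
    if "RC4" in suite["cipher"]:
        flags.append("RC4: biased keystream, prohibited for TLS by RFC 7465")
    if "3DES" in suite["cipher"]:
        flags.append("3DES: 64-bit block, birthday-bound attack (Sweet32)")
    if suite["mac"] == "MD5":
        flags.append("MD5-based MAC: MD5 is deprecated for new use")
    if not suite["kex"].startswith("DHE"):
        flags.append("static RSA key exchange: no forward secrecy")
    return flags


def audit(names=APPROVED_CIPHERS):
    """Map each suite name to its list of findings."""
    return {name: weaknesses(parse_suite(name)) for name in names}
```

Of the twelve entries, only the four DHE + AES suites and the SCSV come through without a finding; SSL_RSA_WITH_RC4_128_MD5 collects three.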
Certificate Verification
Session Information
SSLSocket Sample Code
// Obtain the 3.7 crypto manager
ICryptoManager mgr = CertManagerFactory.getInstance();
// Client socket factory; sslv3andtlsv1 corresponds to the "both" protocol setting
SSLSocketFactory factory = (SSLSocketFactory)
    mgr.getClientSocketFactory(BSslTlsEnum.sslv3andtlsv1);
// addr and port identify the server to connect to (supplied by the caller)
SSLSocket socket = (SSLSocket) factory.createSocket(addr, port);
// ... read from and write to the socket ...
socket.close();
HttpsConnection Sample Code
ICryptoManager mgr = CertManagerFactory.getInstance();
// The same factory, here kept as the IClientSocketFactory interface type
IClientSocketFactory factory =
    mgr.getClientSocketFactory(BSslTlsEnum.sslv3andtlsv1);
// HTTPS connection to www.amazon.com on port 443 for the path "/"
HttpsConnection connection = new HttpsConnection(
    new BIpHost("www.amazon.com"), 443, "/", factory);
connection.connect();
// ... exchange request and response ...
connection.close();
Server Configuration (niagarad)
• State: enabled, disabled or ssl only
• If ssl only, will redirect from the non-ssl port
• Port: default for niagarad ssl is 5011
• Certificate: server certificate selected from the key store
• Protocol: SSLv3, TLSv1, or both
Server Configuration (web service)
• https enabled: true or false
• https only: true or false; will redirect from http if http is enabled
• Port: default for the web service is 443
• Certificate: server certificate selected from the key store
• Protocol: SSLv3, TLSv1, or both
Server Configuration (foxs service)
• foxs enabled: true or false
• foxs only: true or false; will redirect from http if http is enabled
• Port: default for the foxs service is 4911
• Certificate: server certificate selected from the key store
• Protocol: SSLv3, TLSv1, or both
SSLServerSocket Sample Code
ICryptoManager mgr = CertManagerFactory.getInstance();
// Server socket factory: protocols to offer, the boolean argument as on the
// original slide, and "tridium", the key store alias of the server certificate
// (the same alias the keytool steps earlier created)
SSLServerSocketFactory factory = (SSLServerSocketFactory)
    mgr.getServerSocketFactory(BSslTlsEnum.sslv3andtlsv1, false, "tridium");
SSLServerSocket serverSocket = (SSLServerSocket) factory.createServerSocket();
// Block until a client connects
SSLSocket socket = (SSLSocket) serverSocket.accept();
// ... serve the client ...
socket.close();
Small Network Example (diagram)
• CA certificate installed on client machines in their trust store
• CA private key used to sign server certificates
Large Network Example (diagram)
• Root CA certificate installed on client machines in their trust store
• Root CA private key used to sign intermediate CA certificates
• Intermediate CA certificate chains to the root
• Intermediate CA private key used to sign server certificates
Questions?