On this page
Used files
Protocols and Ciphers
Magic Collaboration Studio consists of 2 Java-based services - Magic Collaboration Studio (twcloud) and WebApp (webapp).
Magic Collaboration Studio requires Java 11 (its location varies depending on how it was deployed), whereas WebApp uses a bundled Java 17, located in <install_root>/WebAppPlatform/jre/.
Therefore, in order to harden these services, we must begin by hardening the JVM. The default settings for the JVM are located in java.security.
The process of hardening the JVM requires making some changes to the java.security file. While these can be made directly, the downside is that if you upgrade your JVM, you will have to reapply your changes.
However, we can place our modifications in our own file, and simply pass a parameter to the JVM upon invocation so that it will apply our changes.
For example, we can create a file /home/twcloud/twc.java.security, and pass a parameter to the JVM in the form of -Djava.security.properties=/home/twcloud/twc.java.security.
Our hardened security settings are as shown below:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 2048, \ EC keySize < 224, 3DES_EDE_CBC, anon, RSA keySize < 2048, SHA1, DHE, NULL jdk.tls.ephemeralDHKeySize=2048 jdk.tls.rejectClientInitiatedRenegotiation=true
To apply these settings we need to make changes in 3 locations.
For the Magic Collaboration Studio service, under Linux, you need to edit <install_root>/jvm.options and add a line as shown below:
. . -Dorg.jboss.netty.epollBugWorkaround=true -Dio.netty.epollBugWorkaround=true -Djava.security.properties=/home/twcloud/twc.java.security
On Windows, you need to edit the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\TeamworkCloud\Parameters\Java\Options and append the setting pointing to your security overrides to the bottom of the settings.
For the Webapp service, under Linux you need to edit <install_root>/WebAppPlatform/bin/setenv.sh and add the directive to the JVM_OPTS variable as shown below:
JVM_OPTS="-server -XX:+UseParallelGC -Xms4096M -Xmx8192M -Djava.security.properties=/home/twcloud/twc.java.security"
On Windows, you need to edit the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\WebApp\Parameters\Java\Options and append the setting pointing to your security overrides to the bottom of the settings.
JMX
By default, the Magic Collaboration Studio service activates a JMX remote port to facilitate application monitoring. The default configuration does not contain any form of authentication.
On Linux, the configuration is located in <install_root>/jvm.options.
On Windows, it is located in registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\TeamworkCloud\Parameters\Java\Options.
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=2468 -Dcom.sun.management.jmxremote.rmi.port=2468 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
These settings can be removed, thereby removing JMX remote access.
If you would like to allow remote JMX access but require authentication, you can do so by adding settings. For complete documentation, please refer to the Java documentation.
As an example, the below configuration adds password authentication:
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=2468 -Dcom.sun.management.jmxremote.rmi.port=2468 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/twcloud/jmx.password -Dcom.sun.management.jmxremote.access.file=/home/twcloud/jmx.access -Dcom.sun.management.jmxremote.ssl=false
As can be seen, we are pointing to a set of files (/home/twcloud/jmx.password and /home/twcloud/jmx.access) that control who can access these files.
The vulnerability vector is one whereby JMX could be exploited to execute code. To prevent this, we allow only an authenticated user (jmx.password) who has read-only rights (jmx.access).
monitoring DqzbksT4ET
monitoring readonly
In this example, we created a user (monitoring) with a password (DqzbksT4ET), who can only read values via Remote JMX, but cannot write or execute anything via JMX.
The password and access files have a very stringent ownership requirement. They need to be owned by the user running the process and be accessible exclusively to that user.
For example, in our default installation, the Magic Collaboration Studio user is running the Magic Collaboration Studio service. Therefore, the files need to be owned by Magic Collaboration Studio and have full rights (rwx) by Magic Collaboration Studio, and only Magic Collaboration Studio.
# ll jmx.*
-rwx------. 1 twcloud twcloud 20 Mar 16 15:11 jmx.access
-rwx------. 1 twcloud twcloud 26 Apr 21 10:41 jmx.password