The Web Application Platform, as deployed by our installer, runs on a bundled Apache Tomcat. As such, best practices for hardening Apache Tomcat should be followed. Although we have already constrained ciphers and protocols at the JVM level, it is best practice to do so at the Tomcat configuration level as well. We also need to address issues such as securing session cookies, reducing cross-site scripting (XSS) exposure, and removing the default applications published as part of the default installation. The official Tomcat documentation covers a large portion of this (recommended reading): https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html. Additionally, there are a plethora of documents online covering all aspects of securing Tomcat to OWASP standards.

server.xml

There are various changes that can be made to <install_root>/WebAppPlatform/conf/server.xml in order to harden the system. The first step (do not do this if running on Windows) is to disable the shutdown port. For this, you need to change:

```xml
<Server port="8005" shutdown="SHUTDOWN">
```

to

```xml
<Server port="-1" shutdown="SHUTDOWN">
```
The next step is to disable the AJP connector unless you specifically intend to use it. For this, you need to change:

```xml
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```

to

```xml
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->
```
The next step is to disable the plain-HTTP connector on port 8080 (and with it the redirection to port 8443). For this, you need to change:

```xml
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
```

to

```xml
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           Server=" "
           redirectPort="8443" />
-->
```
Finally, we want to prevent our instance from advertising which server is being used when an error is encountered. For this, go to the very bottom of the file and add the following valve right above the closing </Host> tag:

```xml
<!-- Suppress server name on internal error pages -->
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
</Host>
```
web.xml

Having completed the configuration of server.xml, we will now proceed to configure <install_root>/WebAppPlatform/conf/web.xml. We need to ensure that session cookies are constrained to HTTPS and are not readable from script:

```xml
<!-- ==================== Default Session Configuration ================= -->
<!-- You can set the default session timeout (in minutes) for all newly -->
<!-- created sessions by modifying the value below. -->
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
```

Note: You only need to insert the following lines inside the existing <session-config> element:

```xml
<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>
```
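As an added example (not part of this page or of the product's installer), the following Python script audits the contents of a server.xml and a web.xml for the settings described in the two sections above: shutdown port disabled, no active AJP connector, no plain-HTTP connector on port 8080, an ErrorReportValve that hides server information, and HttpOnly/Secure session cookies. The XML samples are constructed for the demonstration; pass the text of the real files to audit_server_xml and audit_web_xml to check an installation.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not the page's files): a default-style server.xml and the hardened one
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
</Host></Engine></Service></Server>"""
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
<Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
</Host></Engine></Service></Server>"""
# Real web.xml files declare a default namespace, so tags are compared by local name
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"><session-config>
<session-timeout>30</session-timeout><cookie-config><http-only>true</http-only><secure>true</secure>
</cookie-config></session-config></web-app>"""

def local(tag):
    """Strip an XML namespace prefix: '{ns}secure' -> 'secure'."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """Return hardening findings for server.xml; [] means all four steps are in place."""
    root = ET.fromstring(text)  # comments are dropped, so a commented-out connector counts as disabled
    findings = []
    if root.get("port") != "-1":
        findings.append("shutdown port still enabled (Server port=%s)" % root.get("port"))
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").startswith("AJP"):
            findings.append("AJP connector active on port %s" % conn.get("port"))
        if conn.get("port") == "8080":
            findings.append("plain HTTP connector on port 8080 still active")
    valves = [v for v in root.iter("Valve") if v.get("className", "").endswith(".ErrorReportValve")]
    if not any(v.get("showReport") == "false" and v.get("showServerInfo") == "false" for v in valves):
        findings.append("ErrorReportValve missing or still reveals server info on error pages")
    return findings

def audit_web_xml(text):
    """Check that the session cookie is flagged HttpOnly and Secure in <cookie-config>."""
    root = ET.fromstring(text)
    flags = {local(e.tag): (e.text or "").strip() for e in root.iter() if local(e.tag) in ("http-only", "secure")}
    findings = []
    if flags.get("http-only") != "true":
        findings.append("session cookie not HttpOnly")
    if flags.get("secure") != "true":
        findings.append("session cookie not restricted to HTTPS")
    return findings
```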
Tomcat Installation

Having made the necessary changes to the configuration files, we will now proceed to remove all of the default applications in the Tomcat distribution, which could expose our installation to external vulnerabilities. If we list the directory <install_root>/WebAppPlatform/webapps, we will see the following:

```text
drwxrwxr-x. 14 twcloud twcloud     4096 Apr 15 14:39 docs
drwxrwxr-x.  6 twcloud twcloud       83 Apr 15 14:39 examples
drwxrwxr-x.  5 twcloud twcloud       87 Apr 15 14:39 host-manager
drwxrwxr-x.  5 twcloud twcloud      103 Apr 15 14:39 manager
drwxrwxr-x.  3 twcloud twcloud      283 Apr 15 14:39 ROOT
drwxr-x---.  8 twcloud twcloud      117 Apr 15 14:47 webapp
-rwxrwxr-x.  1 twcloud twcloud 67742880 Oct 31 17:56 webapp.war
```

As you can see, in addition to webapp.war and the webapp directory, there are additional directories containing applications which could potentially be exploited. You want to remove docs, examples, host-manager, manager, and ROOT.

Warning: When you remove the ROOT application directory, accessing https://ip_address:8443 will no longer display the Apache Tomcat default landing page.
Upgrading Tomcat

Our installers deploy with a given version of Apache Tomcat. As vulnerabilities are disclosed in Tomcat, you may be required by your organization to upgrade to a specific version. The "code" of Tomcat is the collection of jar files residing in <install_root>/WebAppPlatform/bin and <install_root>/WebAppPlatform/lib. In order to "slip-stream" an upgrade without having to fully replace the Tomcat installation, you can replace the existing *.jar files in these directories with the ones from the new distribution. Before doing this, you will want to make copies of these directories so you can easily revert in case of an incompatibility with the new version. Under Linux, assuming that you have access to the internet from the server, you can use the script below to automatically upgrade your instance to the target version.

upgrade_tomcat_webapp.sh:

```bash
#!/bin/bash
##########################################################
# Upgrade Tomcat Version used by WebApp Platform
# CATIA No Magic DevOps Team
# ################################
# This script utilizes rsync, so we will install it via yum
# If you are offline you need to put the required installer file in the same location as this script
# Edit the default version if you can't input it during the upgrade
DEFAULT_VERSION=9.0.63
###########################################
#
# DO NOT MODIFY ANYTHING BEYOND THIS POINT
#
###########################################
echo ""
echo "----------------------------------------------------------------------------"
echo "This script utilizes rsync, so we will install it via yum."
echo "Please ensure rsync is on the system if there is no possibility to use the yum package manager"
echo ""
echo "----------------------------------------------------------------------------"
read -e -p "Please enter the tomcat version you would like to use. [default is: $DEFAULT_VERSION] : " TOMCAT_VERSION
echo "----------------------------------------------------------------------------"
echo ""
TOMCAT_VERSION="${TOMCAT_VERSION:-$DEFAULT_VERSION}"
echo "Tomcat will be upgraded to: $TOMCAT_VERSION version."
# The install root is read from the systemd unit (Environment=CATALINA_HOME_WEBAPP=<path>)
WEBAPP_ROOT=$(grep CATALINA_HOME_WEBAPP /etc/systemd/system/webapp.service | cut -f 3 -d '=')
if [ -z "$WEBAPP_ROOT" ] || [ ! -d "$WEBAPP_ROOT/lib" ]; then
    echo "Could not determine the WebApp Platform root from webapp.service. Aborting."
    exit 1
fi
WEBAPP_OWNER=$(stat -c "%U:%G" "$WEBAPP_ROOT")
#####################################
# Install rsync
yum install rsync -y -q
####################################
# Setting up script variables
MAJOR_VERSION=$(echo "$TOMCAT_VERSION" | cut -d . -f 1)
TOMCAT_DOWNLOAD=https://archive.apache.org/dist/tomcat/tomcat-$MAJOR_VERSION/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz
TOMCAT_TAR=$(basename "$TOMCAT_DOWNLOAD")
TOMCAT_DIR=$(basename "$TOMCAT_TAR" .tar.gz)
#####################################
# Begin deployment
# Download the tarball unless it was already placed next to this script (offline use)
[ -e "$TOMCAT_TAR" ] || wget "$TOMCAT_DOWNLOAD"
if [ ! -e "$TOMCAT_TAR" ]; then
    echo "File does not exist ! Check the file name or internet connection and try again."
    exit 1
fi
echo "File $TOMCAT_TAR exists"
tar -xf "$TOMCAT_TAR"
# Copy only the jar files over the existing bin and lib directories
rsync -av "$TOMCAT_DIR"/bin/*.jar "$WEBAPP_ROOT/bin/"
rsync -av "$TOMCAT_DIR"/lib/*.jar "$WEBAPP_ROOT/lib/"
####################################
# Ensure proper ownership of files
chown -R "$WEBAPP_OWNER" "$WEBAPP_ROOT/bin" "$WEBAPP_ROOT/lib"
####################################
# Remove folder with extracted files
rm -fr "$TOMCAT_DIR"
echo ""
echo "Upgrade completed successfully."
```

Warning: The script provided above may stop working if the Apache Tomcat distribution changes the layout or naming used for its tar files.
Upgrading Webapp bundled JDK

Webapp can run with Java 17.0.1. If you wish to use a newer OpenJDK build instead of the bundled version, the bundled JRE is located in <install_root>/WebAppPlatform/jre and can be replaced with the script below.

upgrade_jdk_webapp.sh:

```bash
#!/bin/bash
##################################################################
# Upgrade JDK in CATIA NoMagic Webapp Platform to a newer OpenJDK
# CATIA No Magic DevOps Team
##################################################################
### JRE_DOWNLOAD contains the download URL to the target OpenJDK tar archive
### The example below upgrades the JDK to OpenJDK 17.0.5+8
# Edit the default version if you can't input it during the upgrade
DEFAULT_VERSION=17.0.5+8
###########################################
#
# DO NOT MODIFY ANYTHING BELOW THIS POINT
#
###########################################
echo ""
echo "-------------------------------------------------------------------------------------------------------------------------------------"
read -e -p "Please enter the OpenJDK version of the JRE you would like to use, in the same style as the example [default is: $DEFAULT_VERSION] : " JRE_VERSION
echo "--------------------------------------------------------------------------------------------------------------------------------------"
echo ""
JRE_VERSION="${JRE_VERSION:-$DEFAULT_VERSION}"
echo "OpenJDK will be upgraded to: $JRE_VERSION version."
MAJOR_VERSION=$(echo "$JRE_VERSION" | cut -d . -f 1)
# Temurin archive names use an underscore where the release tag uses '+'
DOWNLOAD_VERSION=${JRE_VERSION/+/_}
echo "$DOWNLOAD_VERSION"
### JRE_DOWNLOAD contains the download URL to the target OpenJDK tar archive
### (the archive is named OpenJDK<major>U-..., so it follows the major version entered above)
JRE_DOWNLOAD=https://github.com/adoptium/temurin$MAJOR_VERSION-binaries/releases/download/jdk-$JRE_VERSION/OpenJDK${MAJOR_VERSION}U-jre_x64_linux_hotspot_$DOWNLOAD_VERSION.tar.gz
#####################################
# Install wget
yum install wget -y -q
# JRE_HOME is read from the systemd unit (Environment=JRE_HOME=<path>)
JRE_HOME=$(grep JRE_HOME /etc/systemd/system/webapp.service | cut -f 3 -d '=')
if [ -z "$JRE_HOME" ]; then
    echo "Could not determine JRE_HOME from webapp.service. Aborting."
    exit 1
fi
JRE_OWNER=$(stat -c "%U:%G" "$JRE_HOME")
JRE_TAR=$(basename "$JRE_DOWNLOAD")
mkdir -p _tmp
cd _tmp || exit 1
## Download OpenJDK
wget "$JRE_DOWNLOAD"
# Only replace the current JRE once the archive has actually been downloaded
if [ ! -e "$JRE_TAR" ]; then
    echo "Download of $JRE_TAR failed. The current JRE has not been touched."
    cd .. && rm -fr _tmp
    exit 1
fi
## Remove current JRE_HOME
rm -fr "$JRE_HOME"
## Extract OpenJDK
mkdir -p "$JRE_HOME"
tar -xf "$JRE_TAR" -C "$JRE_HOME" --strip-components=1
chown -R "$JRE_OWNER" "$JRE_HOME"
####################################
# Remove folder with extracted files
cd ..
rm -fr _tmp
echo "Upgrade completed successfully."
```