Guide - IOM Checklist Security and Data Protection

1 Introduction

This guide gives you an overview of what can be done to harden an installation of Intershop Order Management (IOM) with regard to security and data protection.

2 Wildfly Application Server

Each HA node of an IOM installation consists of two Wildfly application servers running two different types of applications, the IOM frontend server and the IOM backend server, see Guide - Intershop Order Management - Technical Overview. The default configuration of the Wildfly application server uses the following ports:

  • Port 8080 is used by the HTTP service
  • Port 9990 is used by the Administration service

The services are bound to the network interface defined by the property JBOSS_BIND_ADDRESS in file $OMS_ETC/installation.properties, see Guide - Setup Intershop Order Management 2.2. The property applies to all services. In order to work properly, the frontend server must be reachable from the load balancer, and the backend server must be reachable from all frontend servers belonging to the same IOM installation.

2.1 Port Offset

The property JBOSS_PORT_OFFSET in file $OMS_ETC/installation.properties is used to change the default port configuration, see Guide - Setup Intershop Order Management 2.2. The value of JBOSS_PORT_OFFSET is added to all ports. Since the frontend and backend servers run on the same machine, JBOSS_PORT_OFFSET has to be used to avoid port collisions if both servers use the same network interface.

2.2 HTTP Service

The HTTP service is needed on both server types, frontend and backend. On the frontend server, the HTTP service handles requests to the OMT and to the REST/SOAP interfaces. On the backend server, the JMS communication is handled by the HTTP service.

The HTTP service is provided on the network interface defined in JBOSS_BIND_ADDRESS at port 8080 + JBOSS_PORT_OFFSET.

2.3 Administration Service: Admin Console

The Wildfly application server provides an admin console. The admin console is a command line interface for Wildfly administration, which can be used interactively or by automated scripts. Each Wildfly instance hosts its own admin console, which administers only the Wildfly application server it belongs to. Access to the admin console is restricted by Wildfly's own user and role management, which is controlled with Wildfly's add-user utility, see add-user utility.

Wildfly's admin console is used extensively by IOM's operational processes (e.g., deployment, applying properties, reconfiguration of JMS settings, etc.). To execute these operational processes, the username and password of a management user are required. The processes read these credentials from the properties JBOSS_ADMIN_USER and JBOSS_ADMIN_PASSWD in file $OMS_ETC/installation.properties. For more details refer to Guide - Setup Intershop Order Management 2.2.

The admin console can be reached on the network interface defined in JBOSS_BIND_ADDRESS at port 9990 + JBOSS_PORT_OFFSET. The credentials required to access the admin console are stored in JBOSS_ADMIN_USER and JBOSS_ADMIN_PASSWD.

2.4 Administration Service: Web Management Interface

The Wildfly application server used by the IOM application provides a Web Management Interface, which allows administration tasks to be executed interactively, see Management Clients. Each Wildfly instance hosts its own Web Management Interface, which administers only the Wildfly application server it belongs to. Access to the Web Management Interface is restricted by Wildfly's own user and role management, which is controlled with Wildfly's add-user utility, see add-user utility. The same user and password as for the admin console can be used to access the Web Management Interface.

The Web Management Interface is not used by IOM's default processes.

The Web Management Interface can be reached on the network interface defined in JBOSS_BIND_ADDRESS at port 9990 + JBOSS_PORT_OFFSET. The credentials required to access the Web Management Interface are stored in JBOSS_ADMIN_USER and JBOSS_ADMIN_PASSWD.

3 OMT

The OMT is a web application which is part of IOM. The OMT runs on frontend application servers only. Access to the OMT is restricted by the user and role management defined inside IOM. Termination of the HTTPS protocol on the Wildfly application server is not supported.

Note

Intershop strongly recommends encrypting external communication via HTTPS. To do so, HTTPS has to be terminated at the load balancer (see below).

The OMT, like the REST/SOAP interfaces, uses the HTTP service, hence it is reachable on the network interface defined in JBOSS_BIND_ADDRESS at port 8080 + JBOSS_PORT_OFFSET.

4 REST/SOAP Interfaces

The REST and SOAP interfaces are provided by an application which is part of IOM and runs on frontend application servers only. Access to the REST/SOAP interfaces is restricted by the user and role management defined inside IOM. The REST/SOAP interfaces support HTTP basic authentication only, see Basic access authentication. Termination of the HTTPS protocol on the Wildfly application server is not supported.

Note

Intershop strongly recommends encrypting external communication via HTTPS. To do so, HTTPS has to be terminated at the load balancer (see below).

The REST/SOAP interfaces use the HTTP service, hence they are reachable on the network interface defined in JBOSS_BIND_ADDRESS at port 8080 + JBOSS_PORT_OFFSET.

Note

The following section applies to version 2.9 only.

Some REST interfaces can also be accessed via bearer (token) authentication. For this authentication mechanism, a JSON Web Token (JWT) is used as the bearer security token. The token is created and validated with the help of a shared secret, which can be configured in the cluster properties, see Guide - Setup Intershop Order Management 2.9.

Note

Intershop strongly recommends changing the default shared secret used for JSON Web Token creation and validation in the cluster properties, see Guide - Setup Intershop Order Management 2.9.

To keep the JWT secure, RFC 7518 section 3.2 (https://tools.ietf.org/html/rfc7518#section-3.2) requires that a key of the same size as the hash output or larger be used with the JWS HMAC SHA-2 algorithms (i.e., at least 256 bits for "HS256").
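The following Python example is added here to illustrate the requirement above; it is not IOM code and does not reproduce IOM's actual token format or claims. It signs and verifies an HS256 JWT with the standard library, refuses a shared secret shorter than the 256 bits RFC 7518 demands, pins the algorithm instead of trusting the token's alg header, and compares signatures in constant time.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: the HS256 key must be at least as long as the SHA-256 output.
HS256_MIN_KEY_BITS = 256


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_shared_secret(secret: bytes) -> None:
    """Reject a shared secret that is shorter than the hash output (32 bytes)."""
    if len(secret) * 8 < HS256_MIN_KEY_BITS:
        raise ValueError(f"shared secret has {len(secret) * 8} bits, need >= {HS256_MIN_KEY_BITS}")


def generate_shared_secret() -> str:
    """Hex-encoded 256-bit random secret, suitable as a replacement for a default value."""
    return secrets.token_hex(32)


def sign_hs256(claims: dict, secret: bytes) -> str:
    check_shared_secret(secret)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims of a valid token; raise ValueError for anything else."""
    check_shared_secret(secret)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Only the pinned algorithm is accepted; the alg header is never used to pick a verifier.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))
```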

5 FTP Server

An FTP server runs on each HA node; it is required to exchange data between IOM's frontend and backend server, see Guide - Intershop Order Management - Technical Overview. This FTP server is not intended to be accessed from outside, hence it is bound to the IP address 127.0.0.1 only. The IOM application servers use two users to access this FTP server. The names of these users are set in the properties is.oms.media.user and is.oms.pdf.user in $OMS_ETC/cluster.properties. The corresponding passwords are set in the properties is.oms.media.pass and is.oms.pdf.pass within the same file, see Guide - Setup Intershop Order Management 2.2.

The FTP server writes log data to /var/log/pureftpd.log. This file is not rotated automatically.

6 Load Balancer

The load balancer to be installed in front of the IOM HA nodes is based on the Apache HTTPd server, see Guide - Intershop Order Management - Technical Overview. The Apache load balancer uses different mod_proxy* modules to provide load balancing and fail-over functionality.

The Apache load balancer provides two special URLs which are to be accessed by administrators only: /server-status and /balancer-manager. Access to these URLs is restricted and requires the username admin and a matching password. All other URLs are forwarded to the IOM frontend servers.

The Apache load balancer writes log files to the logs directory (relative to the server root). These log files are rotated hourly. Automatic cleanup of old logs is not provided.

7 Prevent Security Misconfiguration

7.1 Application Updates

Regular product updates, hotfixes and patches are released for Intershop products; these also fix potential security issues. The support department informs about important security updates via the security bulletin newsletter. Updates and patches are announced on the support web page (https://support.intershop.com/).

Ansible4IOM

Use the process Update OMS node provided by Ansible4IOM to update an IOM installation, see Reference - Ansible4IOM Processes 1.1.

7.2 Verify Default Settings

7.2.1 Password of Database User

It is strongly recommended to change the default password set for the IOM database account. After changing the password (please consult your database administrator for this task), you have to change the property is.oms.db.pass in $OMS_ETC/cluster.properties and apply the change, see Guide - Setup Intershop Order Management 2.2.

Ansible4IOM

Set the database password in the variables OMSDB_PASSWD and is_oms_db_pass (see Reference - Ansible4IOM Variables 1.1) before running the Ansible4IOM processes Setup or reconfigure database account and Setup OMS node, so that your own password is used from the initial setup on. You can use the same variables along with the processes Setup or reconfigure database account and Reconfigure OMS node to change the database password afterwards, see Reference - Ansible4IOM Processes 1.1.

7.2.2 Password of Wildfly Administration User

It is strongly recommended to change the default password set for the Wildfly administration user. After changing the password (see add-user utility), you have to change the property JBOSS_ADMIN_PASSWD in file $OMS_ETC/installation.properties, see Guide - Setup Intershop Order Management 2.2.

Ansible4IOM

Set the password of the Wildfly administration user in the variable JBOSS_ADMIN_PASSWD[ server-type ], see Reference - Ansible4IOM Variables 1.1, before running the Ansible4IOM process Setup OMS node, so that your own password is used from the initial setup on. You can use the same variable along with the process Reconfigure OMS node to change the password afterwards, see Reference - Ansible4IOM Processes 1.1.

7.2.3 Password of IOM Administrator

In order to administer IOM, a default admin user for the OMT exists, which has a default password. You have to change the password of this user (admin) using the Change Password function in the User Profile area.

7.2.4 Passwords of FTP-Users

The passwords of the FTP users should be changed, see Virtual Users. After changing the passwords, the corresponding properties is.oms.media.pass and is.oms.pdf.pass have to be updated and the changes have to be applied, see Guide - Setup Intershop Order Management 2.2.

Ansible4IOM

Set the passwords of the FTP users in the variables is_oms_media_pass and is_oms_pdf_pass (see Reference - Ansible4IOM Variables 1.1) before running the Ansible4IOM process Setup OMS node, so that your own passwords are used from the initial setup on. You can use the same variables along with the process Reconfigure OMS node to change the passwords afterwards, see Reference - Ansible4IOM Processes 1.1.

7.2.5 Access to Server Status and Balancer Manager

The password of the user admin, who is the only one with access to the URLs /server-status and /balancer-manager at the load balancer, has to be changed. Use Apache's htpasswd tool to update the password of the admin user stored in file conf/htpasswd (relative to the server root).

Ansible4IOM

Set the password of the admin user in the variable APACHE_MGMNT_PASSWD (see Reference - Ansible4IOM Variables 1.1) before running the Ansible4IOM process Setup Load Balancer, so that your own password is used from the initial setup on (see Reference - Ansible4IOM Processes 1.1). You can use the same variable along with the process Reconfigure Load Balancer to change the password afterwards.

7.2.6 Termination of HTTPS at Load Balancer

All incoming and outgoing communication should be encrypted. As mentioned above, the configuration of the Wildfly application server used for IOM is not prepared to encrypt (internal) communication. Instead, the load balancer has to be used to terminate the HTTPS protocol. This way, all external communication to the OMT and the REST/SOAP interfaces can be encrypted.

Follow the SSL/TLS Strong Encryption How-To provided for the Apache httpd server to enable the HTTPS protocol.

Ansible4IOM

You have to implement the hook post_apache_configuration_hook to prepare the Apache configuration for HTTPS access, see Reference - Ansible4IOM Hooks 1.1. The principles are explained in an example in the description of the Ansible4IOM process Setup Load Balancer, see Reference - Ansible4IOM Processes 1.1.

7.2.7 Restrict Access to OMT and REST/SOAP Interfaces

The OMT and the REST/SOAP interfaces should not be publicly available. You should restrict access to the OMT and the REST/SOAP interfaces on the network level. To do so, add the necessary Require rules to the <Location> sections defined in conf/oms/balancer.conf, see Apache Module mod_authz_host.

Ansible4IOM

Define the network access rules according to Apache's mod_authz_host (see Apache Module mod_authz_host) in the variables APACHE_REQUIRE_IOM and APACHE_REQUIRE_MGMNT (see Reference - Ansible4IOM Variables 1.1) before running the Ansible4IOM process Setup Load Balancer, so that your own network access rules are used. You can use the same variables along with the process Reconfigure Load Balancer to change the settings afterwards, see Reference - Ansible4IOM Processes 1.1.

8 Avoid Sensitive Data Exposure

8.1 Sensitive File Content

Certain files in the IOM installation contain sensitive information such as database passwords. Sensitive information in files cannot be avoided completely. For IOM, sensitive data is stored in:

  • $OMS_ETC/installation.properties
    • JBOSS_ADMIN_USER - user name, allowed to administer Wildfly
    • JBOSS_ADMIN_PASSWD - password of Wildfly admin user
  • $OMS_ETC/cluster.properties
    • is.oms.db.user - IOM's db-user
    • is.oms.db.pass - password of IOM's db-user
    • is.oms.pdf.user - pdf-user on FTP server
    • is.oms.pdf.pass - password of pdf-user on FTP server
    • is.oms.media.user - media-user on FTP server
    • is.oms.media.pass - password of media-user on FTP server

The directory $OMS_VAR/pdfhost contains PDF documents with sensitive content, e.g., invoices with address data. Files in this directory are accessible by the PDF FTP user and by the operating system user running the IOM application server. In IOM installations consisting of more than one IOM HA node, this directory is shared between the nodes, see Guide - Intershop Order Management - Technical Overview. The sharing technology depends on the runtime environment, e.g., if IOM is running on Azure, the Azure file service is used to share the files between the nodes. It is important to keep these files secure on all levels explained before: at the FTP server level, at the operating system level and at the sharing service level.
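As an added example (not part of this guide or of IOM), the following Python script audits the two properties files listed above: it reports a file whose permissions grant group or other access, and any listed credential property that is missing or empty. The 12-character minimum for password values, the 0600 expectation and the sample file contents are assumptions chosen for the example.

```python
import stat
import tempfile
from pathlib import Path

# Credential properties the guide lists as sensitive, keyed by file name.
SENSITIVE_KEYS = {
    "installation.properties": ["JBOSS_ADMIN_USER", "JBOSS_ADMIN_PASSWD"],
    "cluster.properties": ["is.oms.db.user", "is.oms.db.pass", "is.oms.pdf.user",
                           "is.oms.pdf.pass", "is.oms.media.user", "is.oms.media.pass"],
}
MIN_PASSWORD_LEN = 12  # assumption for this example, not an IOM requirement


def parse_properties(text: str) -> dict:
    """Minimal key=value parser; blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_properties_file(path: str) -> list:
    """Return a list of findings; an empty list means the file passed."""
    p = Path(path)
    findings = []
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anything beyond the owner bits
        findings.append(f"{p.name}: mode {oct(mode)} grants group/other access, expected 0600")
    props = parse_properties(p.read_text())
    for key in SENSITIVE_KEYS.get(p.name, []):
        if not props.get(key):
            findings.append(f"{p.name}: {key} is missing or empty")
        elif key.lower().endswith(("pass", "passwd")) and len(props[key]) < MIN_PASSWORD_LEN:
            findings.append(f"{p.name}: {key} is shorter than {MIN_PASSWORD_LEN} characters")
    return findings


def demo() -> dict:
    """Audit two constructed sample files in a temporary directory."""
    d = Path(tempfile.mkdtemp())
    inst = d / "installation.properties"
    inst.write_text("JBOSS_BIND_ADDRESS=10.0.0.5\nJBOSS_ADMIN_USER=admin\n"
                    "JBOSS_ADMIN_PASSWD=Example-Passw0rd-Only\n")
    inst.chmod(0o644)  # constructed defect: world-readable admin password
    clus = d / "cluster.properties"
    clus.write_text("is.oms.db.user=oms\nis.oms.db.pass=\nis.oms.pdf.user=pdf\n"
                    "is.oms.pdf.pass=Example-Passw0rd-Only\nis.oms.media.user=media\n"
                    "is.oms.media.pass=Example-Passw0rd-Only\n")
    clus.chmod(0o600)  # constructed defect: empty database password
    return {f.name: audit_properties_file(str(f)) for f in (inst, clus)}
```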

8.2 Log File Handling

Define a clear strategy for log files, backups and archives. These processes need to be documented and, most importantly, executed by the book. From a GDPR point of view, deletion of these files after the retention period is the most important point, besides the security measures that keep them protected.

8.3 Admin Console and Web Management Interface

All properties stored in file $OMS_ETC/cluster.properties can be seen by everyone who has access to the admin console or the Web Management Interface.

8.4 Sensitive Database Content

Except for the OMT user passwords, which are stored as one-way hashes, database access allows reading all stored information, including sensitive business data. You should therefore take great care to limit client access permissions to the strict minimum and to protect the database files. These are DBA tasks, which are described in the official PostgreSQL documentation.

The following major points are to be considered:

  • Restrict database access in the PostgreSQL configuration file pg_hba.conf. Minimum required:
    • The OMS database user must be granted access from the application server nodes.
    • Any replication users must be listed.
  • File system:
    • The whole PostgreSQL data folder should not be accessible by anyone other than the PostgreSQL OS user. Beware that the PostgreSQL logs may also reveal some sensitive data.
    • The backup repositories should also have restricted access policies.

9 Circumvent Components with Known Vulnerabilities

Intershop updates components and libraries with every major and some minor releases to close potential security vulnerabilities in those components and libraries. The Intershop Support department informs about important security updates via the security bulletin newsletter, which is regularly sent to the named contacts on the Intershop support contract.

10 Firewall Configuration

It is recommended to run your IOM behind a firewall and/or reverse proxy. The only open port should be port 443 of your load balancer. Port 80 should no longer be necessary.

Note

Other exceptions might be necessary due to project specific connectivity to 3rd party systems.

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.
