
Securing distributed JRun systems

There are many considerations when implementing security in a distributed environment. This section describes some JRun-specific actions that you can take:

Turning off the JWS

By default, every JRun server is configured with an associated JRun web server (JWS) enabled. Each JWS listens for HTTP requests on a specified port; for example, the default JRun server uses port 8100 for its JWS. Although most system administrators restrict incoming port access with firewalls, it is wise to shut off services you are not using. This section describes how to turn off the JWS for a JRun server that is accessed only through a web server connector.

To turn off an unused JWS for a JRun server:

  1. Open the JRun server's jrun.xml file.
  2. Comment out the WebService service; for example:
    ...
    <!-- <service class="jrun.servlet.http.WebService" name="WebService">
      <attribute name="port">8000</attribute>
    </service>  -->
    

    Alternatively, you can add a deactivated attribute and set it to true.

  3. Restart the JRun server.

Host-based authentication for connectors

After you create a connection between a computer running JRun and another computer running a web server, you should ensure that unauthorized users cannot access the JRun server from elsewhere on the network. To this end, JRun provides host-based authentication for the JRun connector, meaning that only hosts from a defined set of addresses can send requests to the JRun server.

Using the External Web Server Connection Configuration panel of the JMC, you can specify which IP addresses can communicate with a particular JRun server. Use the IP Filter List field to specify a list of IP addresses that can access the JRun server. Only web servers located on those machines can send requests to the JRun server. Specify * to allow all web servers to send requests to JRun.

Note:   The default setting is for JRun servers to accept requests from localhost only.

You can also make this setting in the jrun.xml file through the ProxyService. Use the interface attribute to specify the IP addresses, delimiting the addresses with a vertical bar (|).

Note:   The protection provided by host-based authentication cannot stop attacks using IP spoofing or other man-in-the-middle techniques.

Using SSL with the web server connector

The web server connectors support the use of secure sockets layer (SSL) between the web server and a JRun server. This is typically not necessary, since the web server is behind a firewall in most production configurations. However, for maximum security, you can use SSL with the web server connector.

To enable SSL for the web server connector, perform the following steps:

  1. Generate a keystore using the following Java keytool command. For example:
    keytool -genkey -dname "cn=<server name or IP address>,
    ou=JRunEngineering, o=Macromedia, L=Newton, ST=MA, C=US"
    -keyalg rsa -keystore <keystore name>

    When prompted, enter appropriate passwords that are six or more characters in length.

  2. Rerun keytool to add certificates to the keystore.

    Note:   In a production environment you would obtain a signed certificate from a certificate authority.

  3. Open the jrun.xml file and set the ProxyService keyStore, keyStorePassword, and trustStore (optional) attributes to appropriate values. The keyStore and trustStore attributes should be the paths and filenames of the keystore and truststore files.
  4. Download and build OpenSSL. The OpenSSL distribution is available at http://openssl.org in a tar.gz file. You must download the distribution and build it for your operating system based on the included installation instructions. Place the compiled OpenSSL code in a directory that is in your system path, such as jrun_root/servers/lib.
  5. Open the web server connector configuration file (for example, jrun.ini, httpd.conf, or obj.conf) and set the ssl property to true.

Note:   To use SSL with the JWS, enable the SSLService and set the keyStore, keyStorePassword, and trustStore attributes to appropriate values.
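The three settings above (the WebService being commented out or deactivated, the ProxyService interface filter, and the ProxyService keyStore) can be checked mechanically. The following audit script is an added example, not part of the JRun product or this guide; the jrun.xml fragments are constructed samples, and the ProxyService class name and keystore path in them are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample jrun.xml fragments (not copied from any real JRun install).
# The ProxyService class name is assumed; the audit keys on each service's name attribute.
WEAK_JRUN_XML = """<jrun-server>
  <service class="jrun.servlet.http.WebService" name="WebService">
    <attribute name="port">8100</attribute>
  </service>
  <service class="jrun.servlet.jrpp.ProxyService" name="ProxyService">
    <attribute name="interface">*</attribute>
  </service>
</jrun-server>"""

HARDENED_JRUN_XML = """<jrun-server>
  <service class="jrun.servlet.http.WebService" name="WebService">
    <attribute name="port">8100</attribute>
    <attribute name="deactivated">true</attribute>
  </service>
  <service class="jrun.servlet.jrpp.ProxyService" name="ProxyService">
    <attribute name="interface">127.0.0.1|10.0.0.5|10.0.0.6</attribute>
    <attribute name="keyStore">/opt/jrun4/servers/lib/jrun.keystore</attribute>
    <attribute name="keyStorePassword">PLACEHOLDER-PASSWORD</attribute>
  </service>
</jrun-server>"""

def service_attrs(root, service_name):
    """Return {attribute name: value} for the named <service>, or None if absent."""
    for svc in root.iter("service"):
        if svc.get("name") == service_name:
            return {a.get("name"): (a.text or "").strip() for a in svc.findall("attribute")}
    return None

def audit_jrun_xml(xml_text):
    """Return finding strings for the three hardening points described above."""
    root = ET.fromstring(xml_text)
    findings = []
    web = service_attrs(root, "WebService")
    # A commented-out WebService is not parsed at all, so None means it is already off.
    if web is not None and web.get("deactivated", "false").lower() != "true":
        findings.append("jws-enabled: WebService listens on port %s" % web.get("port", "?"))
    proxy = service_attrs(root, "ProxyService")
    if proxy is not None:
        hosts = [h.strip() for h in proxy.get("interface", "").split("|") if h.strip()]
        if "*" in hosts:
            findings.append("open-ip-filter: interface=* admits any host")
        if not proxy.get("keyStore"):
            findings.append("no-connector-ssl: ProxyService keyStore not set")
    return findings
```

Running `audit_jrun_xml` on the weak fragment reports all three findings; on the hardened fragment it reports none.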

Comments


ForrestNg said on Apr 23, 2004 at 12:07 AM :
Is it mandatory to disable the JRun web server (JWS) when a web server connector is used?
For example, we enable the JWS port for localhost webservice connection, and use the Apache Web Server with SSL for normal web client connection; will this configuration cause any problem?

We encountered a JWS port blocking problem in an unexpected way; after our investigation, we found that the "web" thread(s) DISAPPEAR sometime after the server starts.


Current page: http://livedocs.adobe.com/jrun/4/JRun_Administrators_Guide/connectors7.htm