
Recommendations for Business Service Insight Hardening


Article ID: 41723


Updated On:

Products

CA Business Service Insight

Issue/Introduction

The following is a basic set of hardening guidelines for Business Service Insight. This list is by no means complete.

Environment

Release: GATBIL05900-8.3-Business Service Insight-Business Intelligence Layer-(RDL)
Component:

Resolution

The Oblidbadmin account is needed only for upgrading Business Service Insight and installing patches, so you can keep it disabled and enable it only when required.

For websites, see the steps below. These detailed instructions can also be found in the BSI Admin Guide under the header “Enable Content Transfer for SSL”.

Configure the JBOSS Server

Valid for JBOSS 7.1.1

  1. Edit %JBOSS_HOME%\standalone\configuration\standalone-full-ACE2.xml.
    1. Specify the information for the connector inside subsystem tag urn:jboss:domain:web:1.1. The SSL tag attributes differ according to the type of the SSL certificate. The following example is for the TLSv1 SSL protocol:

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

   <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">

    <ssl name="SSL_NAME" password="SSL_PASSWORD" protocol="TLSv1" key-alias="SSL_ALIAS" certificate-key-file="${jboss.server.config.dir}/key.keystore" />

   </connector>

  ...

</subsystem>

Note: For the key file path, use either the absolute path or the system properties. The default location is $JBOSS_HOME/standalone

    2. Specify the socket binding name for https:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">

<socket-binding name="https" port="8443"/>

</socket-binding-group>

  2. Edit %JBOSS_HOME%\standalone\configuration\standalone-full-Oblisync.xml, and repeat the changes from step one.
  3. Validate that https and http are enabled inside the policy tag in the clientaccesspolicy.xml file that is located in the JBOSS7\welcome-content folder:

<?xml version="1.0" encoding="utf-8"?> 

<access-policy>

  <cross-domain-access>

    <policy>

      <allow-from http-request-headers="*">

                <domain uri="http://*" />

                <domain uri="https://*" />

      </allow-from>

      <grant-to>

        <resource path="/" include-subpaths="true"/>

      </grant-to>

    </policy>

  </cross-domain-access>

</access-policy>
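
To check the edited files after the JBOSS steps above, the following added example (not from the BSI Admin Guide or the product) parses a standalone-full-*.xml and a clientaccesspolicy.xml and reports what the https connector and the policy actually contain. The function names, the sample root element and namespace, and the list of protocols treated as legacy are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Protocol names treated as legacy here: SSLv2/SSLv3, plus TLS 1.0/1.1 (deprecated by RFC 8996).
LEGACY = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix ElementTree adds

def audit_standalone(xml_text):
    """Return findings for the https connector and socket binding in a standalone-full-*.xml."""
    root, findings = ET.fromstring(xml_text), []
    connectors = [e for e in root.iter() if local(e.tag) == "connector" and e.get("scheme") == "https"]
    if not connectors:
        findings.append("no https connector in the web subsystem")
    for conn in connectors:
        ssl = next((c for c in conn if local(c.tag) == "ssl"), None)
        if ssl is None:
            findings.append("https connector has no <ssl> element")
            continue
        weak = [p for p in ssl.get("protocol", "").split(",") if p.strip().upper() in LEGACY]
        if weak:
            findings.append("legacy protocol: " + ",".join(p.strip() for p in weak))
        binding = conn.get("socket-binding")
        if not any(local(e.tag) == "socket-binding" and e.get("name") == binding for e in root.iter()):
            findings.append("no socket-binding named " + repr(binding))
    return findings

def policy_schemes(xml_text):
    """Schemes allowed by <allow-from> in clientaccesspolicy.xml (the page expects http and https)."""
    root = ET.fromstring(xml_text)
    return {d.get("uri", "").split("://")[0] for d in root.iter("domain")}

# Constructed sample mirroring the page's fragments (root element and namespace are assumptions).
SAMPLE_STANDALONE = """<server xmlns="urn:jboss:domain:1.2">
  <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" secure="true">
      <ssl name="SSL_NAME" password="SSL_PASSWORD" protocol="TLSv1" key-alias="SSL_ALIAS"/>
    </connector>
  </subsystem>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="https" port="8443"/>
  </socket-binding-group>
</server>"""
SAMPLE_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="http://*"/><domain uri="https://*"/></allow-from>
</policy></cross-domain-access></access-policy>"""

if __name__ == "__main__":
    print(audit_standalone(SAMPLE_STANDALONE), sorted(policy_schemes(SAMPLE_POLICY)))
```

Run it against both standalone-full-ACE2.xml and standalone-full-Oblisync.xml, since step 2 repeats the same changes in the second file.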

Configure IIS

  1. Add SSL binding to the CA Business Service Insight website with the SSL certificate.
    Use the following settings:
    • Type: https
    • IP address: All Unassigned
    • Port: 443
    • SSL certificate: YDICert
  2. Click SSL settings on the web site, and select Require SSL.
  3. Clear Require SSL for the following folders:
    • \ObliSync\API
    • \ObliSync\Metadata_Jobs
    • \SilverlightInfrastructureServices

Configure the Website

  1. On the Web Server, navigate to %Web Site Root%\SilverlightInfrastructureServices.
  2. Rename web.config to web.config.http.
  3. Rename web.config.https to web.config.
    The Content Transfer Wizard is enabled.

 

For ACE2, you can disable Tomcat on the APP server.

For firewalls, see the “Admin Guide”: https://docops.ca.com/ca-business-service-insight/8-3-5/en/installation/communication-protocols-overview