Recommendations for CA Business Service Insight Hardening
search cancel

Recommendations for CA Business Service Insight Hardening

book

Article ID: 41723

calendar_today

Updated On:

Products

CA Business Service Insight

Issue/Introduction

The following is a basic set of hardening guidelines for CA Business Service Insight (this list is by no means complete).

Environment

CA Business Service Insight 8.3.x

Resolution

Configure the JBOSS Server

Valid for JBOSS 7.1.1

  1. Edit %JBOSS_HOME%\ standalone\configuration\standalone-full-ACE2.xml

a. Specify the information for the connector inside subsystem tag urn:jboss:domain:web:1.1. The SSL tag attributes differ according to the type of the SSL certificate. The following example is for the TLSv1 SSL protocol:

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

   <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">

    <ssl name="SSL_NAME" password="SSL_PASSWORD" protocol="TLSv1" key-alias="SSL_ALIAS" certificate-key-file="${jboss.server.config.dir}/key.keystore" />

   </connector>

  ...

</subsystem>

Note: For the key file path, use either the absolute path or the system properties. The default location is $JBOSS_HOME/standalone

b. Specify the socket binding name for HTTPS

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">

<socket-binding name="https" port="8443"/>

</socket-binding-group>

  1. Edit %JBOSS_HOME%\standalone\configuration\standalone-full-Oblisync.xml, and repeat the changes from step one.
  2. Validate that https and http are enabled inside the policy tag in the clientaccesspolicy.xml file that is located in the JBOSS7\welcome-content folder:

<?xml version="1.0" encoding="utf-8"?> 

<access-policy>

  <cross-domain-access>

    <policy>

      <allow-from http-request-headers="*">

                <domain uri="http://*" />

                <domain uri="https://*" />

      </allow-from>

      <grant-to>

        <resource path="/" include-subpaths="true"/>

      </grant-to>

    </policy>

  </cross-domain-access>

</access-policy>

Configure IIS

  1. Add SSL binding to the CA Business Service Insight website with the SSL certificate using the following settings:
    • Type: https
    • IP address: All Unassigned
    • Port: 443
    • SSL certificate: YDICert
  2. Click SSL settings on the web site, and select Require SSL.
  3. Clear Require SSL for the following folders:
    • \ObliSync\API
    • \ObliSync\Metadata_Jobs
    • \SilverlightInfrastructureServices

Configure the Website

  1. On the Web Server, navigate to %Web Site Root%\SilverlightInfrastructureServices
  2. Rename web.config to web.config.http.
  3. Rename web.config.https to web.config.

For ACE2, you can disable tomcat on the APP server.

With regards to firewalls please reference Communications Protocols Overview Documentation

  

Powered by Wolken Software