Portal Security

Date post: 03-Apr-2018
Upload: jediael-junior
  • 7/28/2019 Portal Security

    1/14

    VU#180876 - GE Fanuc Proficy Information Portal transmits authentication credentials in plain text

    CERT has reported a security issue with Proficy Portal that could allow anyone able to observe network traffic to intercept a user's password during the login process. To mitigate this issue, configure Proficy Portal using one of the two following configuration options:

    Integrated Windows Authentication

    More information can be found in the Proficy Portal user documentation under the topic Single Sign-On. Integrated Windows authentication (formerly called NTLM authentication, and also referred to as Windows NT Challenge/Response authentication) is a more secure form of authentication than a plain-text login form because the password itself is never sent across the network. When you enable Integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic challenge/response exchange with your Web server (NTLM, or Kerberos when the Negotiate scheme is used): only a keyed response to the server's challenge travels over the wire, not the password or its hash. Note that a captured NTLM challenge/response pair can still be attacked offline or relayed to another server, so this option removes the plain-text exposure but is not a substitute for encrypting the session when the displayed data is itself sensitive.

    See: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1aa70bfa-add5-4f61-9c7b-a095c1bd4306.mspx?mfr=true

    If domain security is being utilized, the easiest and perhaps most secure method of handling username and password information is to enable Windows Authentication within IIS. In this mode, IE and IIS negotiate the security mechanism to use, and the user already logged into the machine running IE is authenticated to the IIS server automatically. The password itself is never passed between the two computers and therefore cannot be intercepted from the network.

    To enable IIS Windows Authentication, open the Properties page of the Proficy Portal virtual directory within IIS Manager. Select the Directory Security tab and then select the Edit button under Authentication and access control. Make sure you clear the Enable anonymous access checkbox and select Integrated Windows authentication.
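The same IIS change, scripted and verified from the wire, as an added example that is not part of the original GE Fanuc document. It assumes IIS 7 or later with the WebAdministration module (the dialogs described above belong to IIS 6, where the equivalent switches sit on the Directory Security tab), Windows PowerShell 5.1, and an elevated session; the site path and probe URL are placeholders.

```powershell
# Added example (not from the original document): enable Integrated Windows
# authentication and disable anonymous access on the Proficy Portal virtual
# directory, read the settings back, then probe the directory without
# credentials to confirm it challenges instead of serving a login form.
# Assumptions: IIS 7+ with WebAdministration, Windows PowerShell 5.1, elevated.
# The site path and URL below are placeholders for your installation.
param(
    [string]$SitePath = 'Default Web Site/ProficyPortal',   # assumed vdir path
    [string]$ProbeUrl = 'http://localhost/ProficyPortal/'   # assumed URL
)

Import-Module WebAdministration

$auth = 'system.webServer/security/authentication'

# The authentication sections are locked at the server level by default, so
# commit the change to applicationHost.config (-PSPath 'IIS:\' -Location ...)
# instead of the application's web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# Read the effective settings back rather than trusting the calls succeeded.
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
    -Filter "$auth/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
    -Filter "$auth/windowsAuthentication" -Name enabled).Value
if ($anon -or -not $win) {
    throw "Configuration did not take: anonymous=$anon windows=$win"
}

# Probe with no credentials. A correctly configured directory must answer
# 401 with a WWW-Authenticate: Negotiate/NTLM challenge. A 200 means anonymous
# access is still possible, i.e. the plain-text login form is still reachable.
try {
    $r = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing
    Write-Warning "Got HTTP $($r.StatusCode) without credentials; anonymous access is still enabled somewhere on this path."
} catch {
    $resp = $_.Exception.Response
    if ($null -eq $resp) { throw }          # network error, not an HTTP status
    if ([int]$resp.StatusCode -eq 401) {
        $schemes = $resp.Headers['WWW-Authenticate']
        Write-Output "401 challenge received; offered schemes: $schemes"
        if ($schemes -notmatch 'Negotiate|NTLM') {
            Write-Warning 'Challenge does not offer Negotiate/NTLM; Windows authentication is not active here.'
        }
    } else {
        throw
    }
}
```

Run it once after making the change and again after any IIS reconfiguration; the probe is the part that actually tells you the login form is no longer being served to unauthenticated clients.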


    SSL Encryption

    Windows Authentication is an easy and effective way to ensure that authentication happens securely between the client and the server. If this is not sufficient, or your facility is not using domain user authentication, the other option is to encrypt all traffic between the client and server over an SSL (Secure Sockets Layer) connection. This ensures that all network messages are encrypted, including the username and password as well as all the data returned to populate displays. Because every message must now be encrypted and decrypted, there is a trade-off between security and performance.

    Support has been added in Proficy Portal 2.5 for establishing secure connections between the client and server. This connection uses the Secure Sockets Layer (SSL) protocol to encrypt messages as they travel across the network. SSL depends on a public/private key pair to perform the encryption/decryption, and on a certificate, issued to the server by a Certificate Authority that the clients trust, to prove that the public key legitimately belongs to that server. The SSL 2.0 and 3.0 protocol versions are now considered broken; where the web server and Java runtime allow it, enable TLS (the successor to SSL) and disable the older versions.

    Default SSL port

    SSL traffic uses a different port number than normal HTTP traffic. By default this port is 443. Verify that the port number is set correctly by opening IIS Manager, right-clicking the web site, and selecting Properties.

    Certificate

    If a certificate does not already exist for the server, one needs to be acquired from a Certificate Authority (CA). The certificate must be issued specifically to this server (its subject must match the host name clients use to reach the Portal, otherwise clients will reject the connection) and must be valid for SSL server authentication. Such certificates can be purchased from companies such as Verisign, Thawte, etc.

    Before Java RMI can be used with SSL, the certificate and its private key need to be exported from IIS and made available to Proficy Portal. To do this, use the certificate export wizard from IIS Manager as follows:

    Select the Directory Security tab from the web site properties page.


    Press the View Certificate button under Secure communications.


    Select Details and press the Copy To File button. This will start the Certificate Export wizard.


    Hit the Next button to bring up the Export Private Key dialog.

    The default is not to export the private key; however, without it the SSL sockets in Java RMI cannot encrypt/decrypt the messages. Select Yes, export the private key. This will require a password to be entered later in the procedure. Proficy Portal must know this password so that it can access the keys; you will configure Proficy Portal to use the correct file and password later.


    Make sure the PKCS#12 format file is selected.

    Enter a strong password and don't forget it; we will need it later. This password is the only protection on the private key while it sits in the exported file.


    Save the key material to a file somewhere on the server. Because the file contains the server's private key, choose a location that only administrators and the account running Proficy Portal can read.


    Select Finish when prompted at the final dialog to complete the export.


    keyconfig

    The certificate and its keys have now been exported to a PKCS#12 format file. This file will be used by Proficy Portal as its keystore. For this to work, Proficy Portal needs to know the location and name of the file, as well as the password you provided, so that it can actually load the contents of the file. To do this, a utility is provided in the \webapps\infoAgentSrv\WEB-INF folder called keyconfig.cmd. When run, it simply prompts for the name and location of the exported file (make sure the location is a complete path and filename) and the password used to access it.

    This utility will create a file in the WEB-INF folder called .keyconfig. It contains the name and location of the keystore as well as the password in an encrypted format. This file is loaded at startup and used to open the actual keystore file. Because the service must be able to decrypt the stored password on its own, that encryption only protects against casual reading; restrict filesystem permissions on both .keyconfig and the PKCS#12 file so that only administrators and the account running Proficy Portal can read them.
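The port check, private-key export and file hand-off described in the SSL Encryption, Certificate and keyconfig sections above, scripted as an added example that is not part of the original GE Fanuc document. It assumes Windows Server 2012 or later (for the Export-PfxCertificate cmdlet of the PKI module), IIS 7 or later with WebAdministration, and an elevated session; the install root, site name, output path and service account are placeholders. keyconfig.cmd itself is still run interactively as the document describes, because its prompts are not documented as scriptable.

```powershell
# Added example (not from the original document): confirm the https binding on
# 443, export the bound certificate WITH its private key as PKCS#12 (.pfx),
# prove the private key made it into the file, and lock down the files the
# Portal will read.
# Assumptions: Windows Server 2012+ (PKI module), IIS 7+ (WebAdministration),
# elevated session. All paths, names and accounts below are placeholders.
param(
    [string]$SiteName       = 'Default Web Site',                        # assumed
    [string]$PortalRoot     = 'C:\Program Files\Proficy\Portal',         # assumed
    [string]$ServiceAccount = 'NT SERVICE\ProficyPortal',                # assumed
    [string]$PfxPath        = 'C:\ProgramData\ProficyPortal\portal.pfx'  # assumed
)

Import-Module WebAdministration

# 1. Default SSL port: the site needs an https binding on 443 with a certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -match ':443:' } | Select-Object -First 1
if (-not $binding) { throw "No https binding on port 443 for '$SiteName'." }
$thumb = $binding.certificateHash
if (-not $thumb) { throw 'The https binding has no certificate assigned.' }

# 2. The bound certificate must have its private key in the store, and that
#    key must have been created exportable, or Export-PfxCertificate will fail
#    and the Java RMI SSL sockets would have nothing to decrypt with.
$cert = Get-ChildItem "Cert:\LocalMachine\$($binding.certificateStoreName)\$thumb"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in the store.' }

# 3. Export as PKCS#12 including the private key. The password is the only
#    protection on the key inside the file, so prompt for a strong one.
$pfxPassword = Read-Host -AsSecureString 'Password for the exported PKCS#12 file'
New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath) | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# 4. Re-open the file to prove the private key is really in the export.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)
if (-not $check.HasPrivateKey) {
    throw 'Exported file lacks the private key; re-export with "Yes, export the private key".'
}
Write-Output "Exported $($check.Subject) (expires $($check.NotAfter)) to $PfxPath"

# 5. Only administrators, SYSTEM and the Portal's service account should be
#    able to read the key file. Remove inherited ACEs and grant explicitly.
icacls $PfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' `
    'NT AUTHORITY\SYSTEM:(F)' "${ServiceAccount}:(R)" | Out-Null

# 6. The .keyconfig written by keyconfig.cmd holds the keystore path and the
#    password (encrypted, but decryptable by the service), so it needs the
#    same protection. It only exists after keyconfig.cmd has been run.
$webInf    = Join-Path $PortalRoot 'webapps\infoAgentSrv\WEB-INF'
$keyconfig = Join-Path $webInf '.keyconfig'
if (Test-Path $keyconfig) {
    icacls $keyconfig /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' `
        'NT AUTHORITY\SYSTEM:(F)' "${ServiceAccount}:(R)" | Out-Null
} else {
    Write-Output "Run $webInf\keyconfig.cmd now, supplying $PfxPath and the password, then re-run this script to lock down $keyconfig."
}
```

The re-open in step 4 is the check worth keeping even if you export through the wizard instead: a PKCS#12 file without the private key loads without error in the wizard's own viewer but is useless to the Portal's SSL sockets, and the failure only shows up later at service start.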

