7/28/2019 Portal Security
1/14
VU#180876 - GE Fanuc Proficy Information Portal transmits authentication
credentials in plain text
CERT has reported a security issue with Proficy Portal which could allow the
password of a user to be intercepted during the login process. To mitigate this
issue, configure Proficy Portal using one of the two following configuration options:
Integrated Windows Authentication
More information can be found in the Proficy Portal user documentation
under the topic Single Sign-On. Integrated Windows authentication
(formerly called NTLM, and also referred to as Windows NT
Challenge/Response authentication) is a secure form of authentication
because the user name and password are hashed before being sent across
the network. When you enable Integrated Windows authentication, the user's
browser proves its knowledge of the password through a cryptographic
exchange with your Web server, involving hashing.
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1aa70bfa-add5-4f61-9c7b-a095c1bd4306.mspx?mfr=true
If domain security is being utilized, the easiest and perhaps most secure
method of transmitting username and password information is to enable
Windows Authentication within IIS. In this mode, IE and IIS will negotiate the
security mechanisms to use and automatically authenticate the user logged
into the machine running IE from the IIS server. No password is ever passed
between the two computers and therefore cannot be intercepted.
To enable IIS Windows Authentication, select the Properties page of the
Proficy Portal virtual directory web site within IIS.
Select the Directory Security tab and then select the Edit button for
Authentication and access control. Make sure you clear the Enable anonymous
access checkbox and select Integrated Windows authentication.
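The two settings above (anonymous access off, Integrated Windows authentication on) are easy to leave half-applied on a busy server. The following script is an added example and is not part of the GE Fanuc document: it reads the effective authentication settings for the Proficy Portal virtual directory and can enforce them. It assumes IIS 7 or later with the WebAdministration module (the guide's dialogs are from the older IIS 6 Properties page), and the site name and virtual directory name are placeholders for your installation.

```powershell
# Added example; not from the GE Fanuc document. Checks, and on request
# enforces, the settings the guide asks for on the Proficy Portal virtual
# directory: anonymous access off, Integrated Windows authentication on.
# Assumes IIS 7+ with the WebAdministration module; names are placeholders.
Import-Module WebAdministration

$SiteName = 'Default Web Site'     # assumed: site hosting the portal
$VDirName = 'ProficyPortal'        # assumed: Proficy Portal virtual directory
$AuthBase = '/system.webServer/security/authentication'

# Read the effective "enabled" attribute of one authentication section.
# Addressing the vdir through -PSPath 'IIS:\' -Location stores settings in
# applicationHost.config, so it also works when the section is locked
# against delegation to web.config (the default for windowsAuthentication).
function Get-AuthEnabled {
    param([string]$Section)
    $prop = Get-WebConfigurationProperty -PSPath 'IIS:\' `
        -Location "$SiteName/$VDirName" -Filter "$AuthBase/$Section" -Name enabled
    $value = if ($prop -is [bool]) { $prop } else { $prop.Value }
    return [bool]$value
}

function Get-PortalAuthState {
    [pscustomobject]@{
        AnonymousEnabled = Get-AuthEnabled 'anonymousAuthentication'
        WindowsEnabled   = Get-AuthEnabled 'windowsAuthentication'
    }
}

# $true only when the vdir matches the guide: no anonymous access, Windows auth on.
function Test-PortalAuthCompliant {
    $s = Get-PortalAuthState
    return (-not $s.AnonymousEnabled) -and $s.WindowsEnabled
}

# Apply the guide's settings to the vdir.
function Set-PortalAuthCompliant {
    foreach ($pair in @(@('anonymousAuthentication', $false), @('windowsAuthentication', $true))) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' `
            -Location "$SiteName/$VDirName" -Filter "$AuthBase/$($pair[0])" `
            -Name enabled -Value $pair[1]
    }
}

$state = Get-PortalAuthState
$state | Format-List
if (-not (Test-PortalAuthCompliant)) {
    Write-Warning "Anonymous access is still allowed or Windows authentication is off on $SiteName/$VDirName."
    # Uncomment to enforce the guide's settings:
    # Set-PortalAuthCompliant
}
```

Run it from an elevated PowerShell session on the IIS server. If Test-PortalAuthCompliant reports false, the portal login page is still reachable without a Windows logon, which means the form-based login (and its plain-text password) is still in use.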
SSL Encryption
Windows Authentication is an easy and effective way to ensure that
authentication happens securely between the client and the server. If this is
not sufficient or your facility is not using domain user authentication, the
other option is to encrypt all traffic between the client and server over an
SSL (Secure Sockets Layer) connection. This will ensure that all network
messages are encrypted. This will include username and password
information along with all the data that is returned to populate displays. As a
result, there is a trade-off between security and performance.
Support has been added in Proficy Portal 2.5 for the establishment
of secure connections between the client and server. This connection utilizes
the Secure Socket Layer (SSL) protocol to encrypt the messages during
travel across the network. SSL technology is dependent on the existence of
public/private keys to perform the encryption/decryption as well as a
certificate to authenticate that the keys are legitimate.
Default SSL port
SSL traffic uses a different port number than normal HTTP traffic. By default
this port is 443. Verify that the port number is set correctly by opening the IIS
Manager, right-clicking on the web site, and selecting Properties.
Certificate
If a certificate does not already exist for the server, then a certificate needs
to be acquired from a Certificate Authority (CA) that is specific to the server
and supports SSL. These can be purchased from companies such as Verisign,
Thawte, etc.
Before Java RMI can be used with SSL, the certificate needs to be exported
from IIS and made available to the Proficy Portal. To do this, use the
certificate export wizard in the IIS Manager as follows:
Select the Directory Security tab from the web site properties page.
Press the View Certificate button under Secure communications.
Select Details and press the Copy To File button
This will start the Certificate Export wizard.
Hit the Next button to bring up the Export Private Key dialog.
The default is not to export the private key; however, without it the SSL
sockets in Java RMI cannot encrypt/decrypt the messages. Select Yes,
export the private key. This will require a password to be entered later in
the procedure. It is important that Proficy Portal be aware of this password
so it may access the keys. You will configure Proficy Portal to use the correct
file and password later.
Make sure PKCS#12 format file is selected
Enter a password and don't forget it; we will need it later.
Save the key material to a file somewhere on the server.
Select Finish when prompted at the final dialog to complete the export.
keyconfig
The certificate and its keys have now been exported to a PKCS#12 format
file. This file will be used by Proficy Portal as its keystore. For this to work,
Proficy Portal needs to know the location and name of the file, as well as the
password you provided so it may actually load the contents of the file. To do
this, a utility is provided in the \webapps\infoAgentSrv\WEB-INF folder
called keyconfig.cmd. When it runs, it simply prompts for the name and
location of the exported file (make sure the location is a complete path and
filename) and the password used to access it.
This utility will create a file in the WEB-INF folder called .keyconfig. It
contains the name and location as well as password in an encrypted format.
This key is loaded at startup and used to access the actual keystore file.
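The most common reason this setup fails is the export step: if "Yes, export the private key" was not selected, keyconfig.cmd will happily record the file, but the Java RMI SSL sockets have nothing to decrypt with. The following script is an added example and is not part of the GE Fanuc document: it opens the exported PKCS#12 file the way a keystore loader would, reports whether a private key is present and whether the certificate has expired, and lists who can read the file, since it now holds the server's private key. The file path is a placeholder; the password is the one you entered in the export wizard. It assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7 (needed for the EphemeralKeySet flag).

```powershell
# Added example; not from the GE Fanuc document. Checks the PKCS#12 file
# exported from IIS before keyconfig.cmd is run: private key present,
# certificate not expired, and the file not readable by broad groups.
# Assumes .NET Framework 4.7.2+ or PowerShell 7; the path is a placeholder.
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Security.AccessControl

$PfxPath = 'C:\ProficyPortal\portal-server.pfx'   # assumed: file written by the export wizard

# Load the PKCS#12 without persisting its key into a Windows key container,
# then report the properties the Proficy Portal keystore depends on.
function Test-PortalKeystore {
    param([string]$Path, [securestring]$Password)
    $cert = [X509Certificate2]::new($Path, $Password, [X509KeyStorageFlags]::EphemeralKeySet)
    try {
        $expired = $cert.NotAfter -lt (Get-Date)
        [pscustomobject]@{
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Expired       = $expired
            HasPrivateKey = $cert.HasPrivateKey   # must be $true for the Java RMI SSL sockets
            Usable        = $cert.HasPrivateKey -and (-not $expired)
        }
    } finally {
        $cert.Dispose()
    }
}

# Identities granted read access on the file. Because the .pfx contains the
# private key, only administrators and the account running Proficy Portal
# should appear here.
function Get-KeystoreReaders {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band [FileSystemRights]::ReadData) -ne 0)
        } |
        Select-Object -ExpandProperty IdentityReference
}

$password = Read-Host -AsSecureString -Prompt 'Password entered in the export wizard'
$result = Test-PortalKeystore -Path $PfxPath -Password $password
$result | Format-List
if (-not $result.HasPrivateKey) {
    Write-Warning 'No private key in the file: re-run the export and select "Yes, export the private key".'
}
$broad = Get-KeystoreReaders -Path $PfxPath |
    Where-Object { $_.Value -match 'Everyone|\\Users$|Authenticated Users' }
if ($broad) {
    Write-Warning "Keystore is readable by broad groups: $($broad -join ', ')"
}
```

If Usable is false, fix the export before running keyconfig.cmd; if the reader list includes Everyone, BUILTIN\Users or Authenticated Users, tighten the NTFS permissions on both the .pfx and the generated WEB-INF\.keyconfig file, since the latter is what unlocks the keystore at startup.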