OpenText™ StreamServe 5.6.2 Security User Guide
Rev B
Open Text SA
40 Avenue Monterey, Luxembourg, Luxembourg L-2163
Tel: +352 264566-1
Copyright ©2014 Open Text SA and/or Open Text ULC. All Rights Reserved.
Open Text is a trademark or registered trademark of Open Text SA and/or Open Text ULC. This list of trademarks is not
exhaustive. Other trademarks, registered trademarks, product names, company names, brands and service names
mentioned herein are property of Open Text SA and/or Open Text ULC or of their respective owners.
Disclaimer
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for
the accuracy of this publication.
Security tool
The Security tool lets you encrypt files that otherwise contain passwords in plain
text.
See Using the security tool on Windows on page 7 or Using the security tool on UNIX/
Linux on page 11.
To enable encryption support for StreamStudio, see Securing StreamStudio on
page 17.
You can use the key created by the Security tool as the Management
Gateway key. The following procedure is recommended:
1 Generate the key with the Security tool. Do not encrypt anything
yet with the key.
2 Replace the Management Gateway key.
3 If required, enable encryption support for StreamStudio.
4 If required, enable web service security including TCC.
5 Encrypt your system with the Security tool.
Using the security tool on Windows
The security tool enables you to encrypt a set of XML files in your StreamServe
installation to ensure that passwords are not shown in clear text.
Note: Because you modify installed files using the tool, you may need
administrative privileges on Windows 7 and 2008.
Preparations
Stop all applications in the application domains, for example StreamServer,
Service Gateway etc.
Note: The Management Nanny and Gateway are automatically restarted by the
security tool.
After you have run the script with the -genkey parameter, store the key in a
secure location. We recommend that you generate the key as a file (using the
file:// protocol) rather than only as an alias name, and keep the file on a
secure medium. Refer to the file at that location when encrypting and
decrypting.
Do not lose the key, and do not overwrite it by generating a new key with the
same path and name. Without the original key, the encrypted files can no
longer be decrypted.
If you already have PFX files, for example ones used to secure the service
gateway communication with StreamStudio through TCC, you can use any of them
to encrypt files with the security tool and do not have to generate a new one
with the -genkey parameter.
Note: If the script fails to enable security, the script will automatically
perform a rollback. This is similar to running the script again
with the -disable parameter.
Strssecureinstall parameters
To enable security
1 Stop any running applications in the application domains on the system
you want to secure.
2 In a command line tool, browse to <StreamServe installation>
\Applications\StrsKeyTool\<Version>\bin
3 Run the following command:
strssecureinstall -genkey -alias "file://<path to PFX file to
generate>" -keypass "<password of your choice>" [-dname
"Distinguished Name"] [-verbose]
4 For each StreamServe installation to secure, run the following command:
strssecureinstall -enable -alias "file://<path to the generated
PFX file>" -keypass "<password used when generating key>"
[-verbose]
5 In Control Center, right-click the application domain and select Update
Application Domain File.
6 Right-click the application domain and select Restart All Applications.
Note: If you restart the applications from a command line, you must use the
-keyalias parameter instead of the -alias parameter. If password was
used when creating the key, the -keypass parameter must also be
provided.
To disable security
1 Stop any running applications in the application domains on the system
you want to decrypt.
2 In a command line tool, browse to <StreamServe installation>
\Applications\StrsKeyTool\<Version>\bin
3 For each StreamServe installation to decrypt, run the following command,
using the same PFX file and password that were used when security was
enabled. Do not run -genkey here: a new key cannot decrypt the files, and
generating it onto the old path would overwrite the key you still need.
strssecureinstall -disable -alias "file://<path to the PFX file
used when encrypting the system>" -keypass "<password used when
enabling security>" [-verbose]
Using the security tool on UNIX/Linux
The security tool enables you to encrypt a set of XML files in your StreamServe
installation to ensure that passwords are not shown in clear text. In addition, the
.operatorInput file located in the StreamServe installation root folder is
encrypted.
Preparations
Stop all applications in the application domains, for example StreamServer,
Service Gateway etc.
Note: The Management Nanny and Gateway are automatically restarted by the
security tool.
After you have run the script with the -genkey parameter, store the key in a
secure location. We recommend that you generate the key as a file (using the
file:// protocol) rather than only as an alias name, and keep the file on a
secure medium. Refer to the file at that location when encrypting and
decrypting.
Do not lose the key, and do not overwrite it by generating a new key with the
same path and name. Without the original key, the encrypted files can no
longer be decrypted.
If you already have PFX files, for example ones used to secure the service
gateway communication with StreamStudio through TCC, you can use any of them
to encrypt files with the security tool and do not have to generate a new one
with the -genkey parameter.
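The two warnings above (for the Windows and the UNIX/Linux procedure) are easy to violate by accident: one stray -genkey onto the existing file:// path and every encrypted file is unrecoverable. The helper below is an added example, not part of the StreamServe security tool: it refuses to hand out a key path that is already occupied, records a SHA-256 digest of the PFX file in a sidecar manifest, and verifies the file against that digest before you pass it to -enable or -disable. The manifest file name and format are this example's own choice, and the stand-in PFX bytes are constructed.

```python
"""Key custody helper for the PFX key produced by strssecureinstall -genkey.

Added example, not StreamServe code. It enforces the guide's two rules:
never generate a new key onto the path of an existing one, and verify the
key file's integrity before every -enable/-disable run.
"""
import hashlib
import json
import os
import tempfile

MANIFEST_NAME = "key-manifest.json"   # assumption: our own sidecar file


def reserve_key_path(pfx_path: str) -> str:
    """Return pfx_path only if nothing exists there yet.

    Pass the returned path as -alias "file://<path>" to -genkey. Refusing an
    occupied path is what prevents the silent overwrite the guide warns about.
    """
    if os.path.exists(pfx_path):
        raise FileExistsError(
            f"{pfx_path} already exists; generating a key here would make the "
            "files encrypted with the old key undecryptable")
    return pfx_path


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_key(pfx_path: str, manifest_dir: str) -> dict:
    """Store the key file's digest in the manifest kept with the backup copy."""
    entry = {"path": os.path.abspath(pfx_path), "sha256": sha256_of(pfx_path)}
    manifest_path = os.path.join(manifest_dir, MANIFEST_NAME)
    manifest = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    manifest[entry["path"]] = entry["sha256"]
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return entry


def verify_key(pfx_path: str, manifest_dir: str) -> bool:
    """True if the key file still matches its recorded digest.

    Call this before -enable or -disable; a mismatch means the file was
    replaced or corrupted and must not be used.
    """
    manifest_path = os.path.join(manifest_dir, MANIFEST_NAME)
    with open(manifest_path) as f:
        manifest = json.load(f)
    expected = manifest.get(os.path.abspath(pfx_path))
    return expected is not None and expected == sha256_of(pfx_path)


def demo() -> dict:
    """Run the workflow against a constructed stand-in for a PFX file."""
    with tempfile.TemporaryDirectory() as d:
        pfx = os.path.join(d, "strs-master.pfx")
        reserve_key_path(pfx)
        with open(pfx, "wb") as f:          # stand-in for the -genkey output
            f.write(b"\x30\x82\x01\x00constructed-pfx-bytes")
        record_key(pfx, d)
        ok_before = verify_key(pfx, d)
        try:                                # a second -genkey onto the same path
            reserve_key_path(pfx)
            overwrite_blocked = False
        except FileExistsError:
            overwrite_blocked = True
        with open(pfx, "ab") as f:          # simulate a tampered/overwritten key
            f.write(b"!")
        ok_after = verify_key(pfx, d)
    return {"verified": ok_before, "overwrite_blocked": overwrite_blocked,
            "tampered_detected": not ok_after}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest on the same secure medium as the key backup, not in the StreamServe installation tree, so that a restore from backup also restores the digest you verify against.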
Strssecureinstall parameters
To enable security
1 Stop all applications in the application domains, for example StreamServer,
Service Gateway etc.
2 Browse to <StreamServe installation>
3 Run the following command:
./streamserve strssecureinstall -genkey -alias "file://
<absolute path to PFX file to generate>" -keypass "<password of
your choice>" [-dname "Distinguished Name"] [-verbose]
4 For each StreamServe installation to secure, run the following command:
./streamserve strssecureinstall -enable -alias "file://
<absolute path to the generated PFX file>" -keypass "<password
used when generating key>" [-verbose]
5 Update the application domain information file and restart all services,
either from a Windows machine with Control Center or by using the
command line utilities.
Note: If you restart the applications from a command line, you must use the
-keyalias parameter instead of the -alias parameter. If a password was
used when creating the key, the -keypass parameter must also be
provided.
To disable security
1 Stop all applications in the application domains, for example StreamServer,
Service Gateway etc.
2 Browse to <StreamServe installation>
3 For each StreamServe installation to decrypt, run the following command,
using the same PFX file and password that were used when security was
enabled. Do not run -genkey here: a new key cannot decrypt the files, and
generating it onto the old path would overwrite the key you still need.
./streamserve strssecureinstall -disable -alias "file://
<absolute path to the PFX file used when encrypting the system>"
-keypass "<password used when enabling security>" [-verbose]
4 Update the application domain information file and restart all services,
either from a Windows machine with Control Center or by using the
command line utilities.
Note: If you restart the applications from a command line, you must use the
-keyalias parameter instead of the -alias parameter. If a password was
used when creating the key, the -keypass parameter must also be
provided.
Securing StreamStudio
When you have encrypted your system with the Security tool, you can secure the
StreamStudio installation by manually configuring encryption support. You
must:
• Edit the security.properties file in the deployed StreamStudio package
(for example, in the .sca or .war file).
• Specify a password on the service run by your Java application server, for
example the NetWeaver or Tomcat service.
Note: If you do not manage your StreamStudio portal from Control Center, you
can either copy the territory.xml file from your service gateway
working directory, or manually encrypt the territory.xml file. See
Manually encrypting application domain information on page 21.
Specifying alias
You only need to edit this property if you have more than one key listed in your
PFX file.
The property to edit is found in the #Keystore section.
If you have more than one key in the PFX file, you must specify the alias of the
key to use. The alias is the sequence number of the key in the PFX file. To find the
sequence number, see To retrieve the sequence number of a specific key on page 19.
• Edit the following line so that it points to the alias of the key:
strs.domainloader.alias=null
Replace null with the key alias, that is, the sequence number. For example:
strs.domainloader.alias=2
To generate a key
Browse to <StreamServe installation>
\Applications\StrsKeyTool\<Version>\bin and run the following
command:
strskeytool -genkey -alias <keyname> -keypass <password> [-dname
<distinguished name>]
To encrypt a file
Run the following command:
strskeytool -encrypt -alias <keyname> -keypass <password> -in
<territory.xml to encrypt> -out <encrypted territory file>
To decrypt a file
Run the following command:
strskeytool -decrypt -alias <keyname> -keypass <password> -in
<territory.xml to decrypt> -out <decrypted territory file>
Lost key
If you no longer have access to the key that you used to encrypt your StreamServe
installation, you will not be able to decrypt files or restart your StreamServe
applications.
Solution on Windows
1 Run the security tool with the -disable command. See To disable security on
page 9. At this stage, it does not matter what you specify as -alias and
-keypass as you only need to disable the management gateway startup
arguments.
2 From your backup, restore the following original files:
• mgwconnections.xml and mgmgateway.xml in
<StreamServe installation>\Applications\Management\<Version>
• trustedcommunications.xml (if you use it) in
<StreamServe installation>\Platform\Core\<Version>\bin
• enterpriserepository.xml in
<Management_gateway_root>\<Version>\root\securityprofiles
Solution on UNIX/Linux
1 Run the security tool with the -disable command. See To disable security on
page 9. At this stage, it does not matter what you specify as -alias and
-keypass as you only need to disable the management gateway startup
arguments.
2 From your backup, restore the original mgwconnections.xml and
mgmgateway.xml files in the following directory:
<StreamServe installation>/Applications/Management
3 In Control Center on a Windows machine, right-click the application
domain and select Update Domain Information Files, or use the command
line utilities for the corresponding function.
4 Right-click the application domain and select Restart All Applications, or use
the command line utilities for the corresponding function.
5 Generate a new key and re-run the encryption. See Using the security tool on
UNIX/Linux on page 11.
Solution on Windows
1 Run the security tool with the -disable command. See To disable security on
page 9.
2 Enable security with correct parameters, see To enable security on page 9.
Solution on UNIX/Linux
1 Run the security tool with the -disable command. See To disable security on
page 14.
2 Enable security with correct parameters, see To enable security on page 13.
Solution
You must download and install the files enabling unlimited jurisdiction strength
policy for the Java Cryptography Extension provider (Oracle JRE or IBM JRE).
Solution
Use NetWeaver Developer Studio to deploy the updated .sca package to the
application server. Follow the instructions in OpenText StreamServe Web
applications on SAP NetWeaver Application Server Installation Instructions and make
sure you select the Deployment perspective and Update strategy to update
components with lower version numbers.
You can replace the certificate files used by the management gateway and service
gateway, for example after you have renewed a certificate.
The replacement certificate file must have the same file name as the certificate
file it replaces.
The certificate files are located in the following directories.
Certificate Location
If your company stores its user profiles in OpenText Directory Services (OTDS),
you can enable authentication for Ad Hoc Correspondence, Correspondence
Reviewer, and the Document Broker Query (DBQ) Tool.
When authentication is enabled and a user tries to access a web application,
the user is redirected to the OTDS log-on page. Only authorized users from the
OTDS directory are allowed to access the application.
Single sign-on is supported via OTDS tickets.
Prerequisites
• In the application domains, the user directory must be configured with
OTDS. For more information, see Configuring user directories with OTDS in
Control Center User Guide.
Post requisites
When the configuration is done, you must:
• Restart the SSSP application for the changes to take effect.
• Assign roles to the Ad Hoc, Reviewer, and DBQ Tool users in StreamStudio
Administrator. For Ad Hoc and Reviewer, you must also set access rights to
the applications for the roles. For the DBQ Tool, you do not need to set
access rights as this application is already accessible for all roles.
• For security reasons, we recommend that you use HTTPS when accessing
StreamServe web applications.
In this section
• Specifying a user for web service security on page 34
• Setting up Trusted Communication Channels on page 35
Prerequisites
• Web service security must be enabled in Control Center. See OpenText
StreamServe Control Center User Guide.
• The credentials (UID and password) to be used for authentication must be
available. For example, the credentials of the application domain
administrator.
Post requisites
• When using web service security, we recommend that you encrypt the
communication by setting up a Trusted Communication Channel (TCC).
See Setting up Trusted Communication Channels on page 35.
To send encrypted information over a TCC, the sender and the receiver must
trust each other. Each entity (service gateway, StreamStudio, and the SSSP
application) must therefore have a PrivateStore and a TrustStore. The
PrivateStore is a KeyStore that contains the entity's private key and its
certificate chain. The TrustStore is a Java KeyStore that contains the
certificates of the entities to be trusted.
How you set up a TCC depends largely on the environment, for example the
operating system, JVM (Java Virtual Machine), protocols, and certificates used.
Do not set up a TCC unless you have a good working knowledge of PKI
(Public Key Infrastructure) and of the components used in your environment.
Post requisites
After you have set up the required TCCs, you may have to restart the Java
application server for the changes to take effect.
In this section
• Issuing a root certificate on page 36
• Issuing PrivateStores on page 36
• Issuing TrustStores on page 37
• Configuring a TCC for the service gateway on page 38
• Configuring a TCC for the StreamStudio portal on page 40
• Configuring a TCC for the SSSP application on page 41
• Troubleshooting on page 43
Issuing PrivateStores
When you set up the TCCs, you must specify the PrivateStores for the senders
and the receivers. A PrivateStore is a KeyStore that contains the private key for
the specific entity and a certificate chain.
• In a testing or development environment, you can issue your own
PrivateStores (certificates and private keys) signed by the self-signed root
certificate, for example with the OpenSSL command-line tools.
• In a production environment, use PrivateStores whose certificates are
issued by a certificate authority (CA), for example VeriSign.
Issuing TrustStores
You must issue the TrustStores that include the service gateway(s) to be trusted
by the StreamStudio portal and the SSSP application. The TrustStores must also
include the root certificate, and they must be Java KeyStores (*.jks).
You can create TrustStores using a keytool utility provided by the Java vendor.
For example, if you use a JVM from Oracle, you can use the Oracle keytool utility.
For more information, see the user documentation from the Java vendor.
Prerequisites
In the procedures, the certificates mentioned in Issuing a root certificate on page 36
and Issuing PrivateStores on page 36 are used.
Post requisites
After the TCC is configured for the service gateway, you must restart the service
gateway.
To specify certificates
1 Open the following file:
• Windows:
<StreamServe installation>\Platform\Core\<Version>\bin\
trustedcommunicationchannel.xml
• UNIX:
<StreamServe installation>/platform/
trustedcommunicationchannel.xml
2 Add the certificates to the following lines:
<container type="http://schemas.streamserve.com/uid/component/
trustedcertificateauthorities/1.0">
<files>
<file href="ca_strs.crt" />
</files>
</container>
<container type="http://schemas.streamserve.com/uid/component/
trustedpeers/1.0">
<files>
<file href="studio.crt" />
<file href="sssp.crt" />
</files>
</container>
...
<container type="http://schemas.streamserve.com/uid/component/
privatekeys/1.0">
<files>
<file href="sgw1.p12" password="strs01" />
</files>
</container>
3 Optional - To switch from SSLv3 to TLS, un-comment the TLS protocol
configuration in the following line:
<!-- <protocol type="http://schemas.streamserve.com/uid/
resource/securesocketchanneltls/1.0"/> -->
and comment out the SSLv3 protocol configuration in the following line:
<protocol type="http://schemas.streamserve.com/uid/resource/
securesocketchannelssl/3.0"/>
SSLv3 is obsolete and vulnerable to padding-oracle attacks such as POODLE;
leave it enabled only while a calling application cannot negotiate TLS.
Note: The TLS configuration above enables TLSv1.0, TLSv1.1, and TLSv1.2.
The calling application decides which of these versions is negotiated.
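The procedure above is a hand edit of an XML file, so it is worth having a check that tells you whether the edit actually took: which protocol entries are live, whether the trusted CA and peer lists are populated, and whether the private key password is still readable in the file. The script below is an added example, not StreamServe code. It uses only the element names and container-type URIs shown in the procedure; the <tcc> root element and the sample file are constructed here because the guide does not show the complete file. Because ElementTree discards XML comments, a <protocol> that is still commented out simply does not appear in the parsed tree, which is exactly the live-or-not distinction the procedure relies on. The harden_tcc function then shows the corrected configuration next to the weak one.

```python
"""Audit and harden a trustedcommunicationchannel.xml protocol configuration.

Added example, not StreamServe code. Root element <tcc> is an assumption.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.streamserve.com/uid/"
TLS = NS + "resource/securesocketchanneltls/1.0"
SSLV3 = NS + "resource/securesocketchannelssl/3.0"
PRIVATE_KEYS = NS + "component/privatekeys/1.0"
TRUSTED_CAS = NS + "component/trustedcertificateauthorities/1.0"
TRUSTED_PEERS = NS + "component/trustedpeers/1.0"

# Constructed sample mirroring the fragment in the procedure: TLS still
# commented out, SSLv3 active, the private key password inline.
WEAK_SAMPLE = f"""<tcc>
  <container type="{TRUSTED_CAS}">
    <files><file href="ca_strs.crt" /></files>
  </container>
  <container type="{TRUSTED_PEERS}">
    <files><file href="studio.crt" /><file href="sssp.crt" /></files>
  </container>
  <!-- <protocol type="{TLS}"/> -->
  <protocol type="{SSLV3}"/>
  <container type="{PRIVATE_KEYS}">
    <files><file href="sgw1.p12" password="strs01" /></files>
  </container>
</tcc>"""


def files_in(root, container_type):
    """All <file> entries inside containers of the given type."""
    return [f for c in root.iter("container") if c.get("type") == container_type
            for f in c.iter("file")]


def audit_tcc(xml_text: str) -> list:
    """Return (code, message) findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)          # comments are dropped by the parser
    findings = []
    protocols = {p.get("type") for p in root.iter("protocol")}
    if SSLV3 in protocols:
        findings.append(("sslv3-enabled",
                         "SSLv3 protocol entry is active; comment it out"))
    if TLS not in protocols:
        findings.append(("tls-missing",
                         "TLS protocol entry is absent or still commented out"))
    if not files_in(root, TRUSTED_CAS):
        findings.append(("no-ca", "no trusted certificate authority listed"))
    if not files_in(root, TRUSTED_PEERS):
        findings.append(("no-peers", "no trusted peer certificates listed"))
    for f in files_in(root, PRIVATE_KEYS):
        if f.get("password"):
            findings.append(("inline-password",
                             f"{f.get('href')}: key password is readable in the file"))
    return findings


def harden_tcc(xml_text: str) -> str:
    """Remove every SSLv3 <protocol> and make sure a TLS <protocol> is present."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for proto in list(parent.findall("protocol")):
            if proto.get("type") == SSLV3:
                parent.remove(proto)
    if not any(p.get("type") == TLS for p in root.iter("protocol")):
        ET.SubElement(root, "protocol", {"type": TLS})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for code, msg in audit_tcc(WEAK_SAMPLE):
        print(f"weak:     {code}: {msg}")
    for code, msg in audit_tcc(harden_tcc(WEAK_SAMPLE)):
        print(f"hardened: {code}: {msg}")
```

The inline-password finding is a reminder rather than something this script can fix: the password attribute is what the security tool is there to protect, so the finding remains until that file has been covered by the encryption procedure earlier in this guide.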
Prerequisites
• In the Application Domain Editor, https:// must be used in the URL to
the service gateway. See OpenText StreamServe Control Center User Guide.
• In the procedures, the PrivateStore and TrustStore mentioned in Issuing
PrivateStores on page 36 and Issuing TrustStores on page 37 are used.
# -- PrivateStore --
ws.https.privatestore.url=file:<PrivateStore_file_path>
ws.https.privatestore.type=PKCS12
# ws.https.privatestore.password can and should be defined as
a JVM parameter
ws.https.privatestore.password=null
# -- TrustStore --
ws.https.truststore.url=file:<TrustStore_file_path>
ws.https.truststore.type=JKS
# ws.https.truststore.password can and should be defined as
a JVM parameter
ws.https.truststore.password=null
To enable security
1 Open the following file:
<Portal root>\<StreamStudio>\WEB-INF\spring\spring.xml
For example, for Apache Tomcat:
<TOMCAT_HOME>\webapps\<StreamStudio>\WEB-INF\spring\
spring.xml
2 Add the following line:
<import resource="ws-security.xml"/>
3 Save and close the file.
4 Restart the StreamStudio portal.
Prerequisites
• In the Application Domain Editor, https:// must be used in the URL to
the service gateway. See OpenText StreamServe Control Center User Guide.
• In the procedures, the PrivateStore and TrustStore mentioned in Issuing
PrivateStores on page 36 and Issuing TrustStores on page 37 are used.
You can instead specify the passwords in the ws.properties as below, but we
recommend you to specify them on the service to avoid plain text passwords in
the file system. If you specify passwords in both places, the passwords specified
as startup parameters override the file settings.
Note: Separate start parameters with a space character.
# -- KeyStore --
ws.https.keystore.url=file:<KeyStore_file_path>
ws.https.keystore.type=PKCS12
# ws.https.keystore.password can and should be defined as
a JVM parameter
ws.https.keystore.password=null
# -- TrustStore --
ws.https.truststore.url=file:<TrustStore_file_path>
ws.https.truststore.type=JKS
# ws.https.truststore.password can and should be defined as
a JVM parameter
ws.https.truststore.password=null
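The precedence rule stated above (file values are defaults, start parameters on the service win, and the file should therefore keep the passwords at null) is simple but easy to get wrong when a deployment script writes both. The following is an added example, not StreamStudio or SSSP code: it reads a ws.properties fragment, extracts -D system properties from the service's start parameters, resolves them the way the guide describes, and reports password properties that are either still unset or left in the file in plain text. The property names are the ones in the fragment above; the -Dname=value form and the sample values are assumptions, since the guide does not show how the web application itself performs the merge.

```python
"""Resolve ws.properties against JVM start parameters and flag password
handling problems. Added example, not StreamStudio/SSSP code.
"""
import shlex

PASSWORD_KEYS = ("ws.https.keystore.password", "ws.https.truststore.password")

# Constructed sample: the recommended state, passwords left at null in the file.
WS_PROPERTIES_SAMPLE = """# -- KeyStore --
ws.https.keystore.url=file:/opt/strs/tcc/sssp.p12
ws.https.keystore.type=PKCS12
# ws.https.keystore.password can and should be defined as a JVM parameter
ws.https.keystore.password=null
# -- TrustStore --
ws.https.truststore.url=file:/opt/strs/tcc/truststore.jks
ws.https.truststore.type=JKS
# ws.https.truststore.password can and should be defined as a JVM parameter
ws.https.truststore.password=null
"""

# Constructed sample of the service's start parameters, space separated.
SERVICE_START_PARAMS = ("-Dws.https.keystore.password=Kst0re!pw "
                        "-Dws.https.truststore.password=Tr0st!pw")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments.
    Assumption: '=' is the only separator used in these files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_jvm_options(options: str) -> dict:
    """Collect -Dkey=value pairs from a start parameter string."""
    out = {}
    for tok in shlex.split(options):
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            out[key] = value
    return out


def resolve(props: dict, jvm: dict) -> dict:
    """File values are defaults; -D start parameters override them."""
    merged = dict(props)
    merged.update({k: v for k, v in jvm.items() if k.startswith("ws.https.")})
    return merged


def check_secrets(props: dict, jvm: dict) -> list:
    """Findings for the two password properties."""
    findings = []
    for key in PASSWORD_KEYS:
        in_file = props.get(key)
        if key not in jvm and in_file in (None, "null"):
            findings.append((key, "unset: neither the file nor the start parameters supply it"))
        elif in_file not in (None, "null"):
            findings.append((key, "plain-text password in ws.properties; move it to a -D start parameter"))
    return findings


if __name__ == "__main__":
    props = parse_properties(WS_PROPERTIES_SAMPLE)
    jvm = parse_jvm_options(SERVICE_START_PARAMS)
    print(resolve(props, jvm))
    print(check_secrets(props, jvm) or "no password findings")
    print(check_secrets(props, {}))
```

A password that is present in both places is still reported: the start parameter overrides it at run time, but the copy in the file is what an attacker reading the file system gets.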
To enable security
1 Open the following file:
<Portal root>\sssp\WEB-INF\spring\application-context.xml
For example, for Apache Tomcat:
<TOMCAT_HOME>\webapps\sssp\WEB-INF\spring\
application-context.xml
2 Un-comment the following line:
<!-- <import resource="ws-security.xml"/> -->
3 Save and close the file.
4 Restart the SSSP application.
Troubleshooting
When setting up a TCC, the service gateway logs, displayed in Control Center,
contain useful information. For information on how to enable debug mode, see
OpenText StreamServe Control Center User Guide.
You can also check the following log files for error information (Windows
example):
• <Java application server_HOME>\logs\streamstudio.log
• <Java application server_HOME>\logs\sssp.log
You can raise the log level and use debug mode for StreamStudio and the SSSP
application.
Solution
You must download and install the files enabling unlimited jurisdiction strength
policy for the Java Cryptography Extension provider (Oracle JRE or IBM JRE).