OpenText™ StreamServe 5.6.2 Security User Guide
Rev B

Open Text SA
40 Avenue Monterey, Luxembourg, Luxembourg L-2163
Tel: +352 264566-1

Open Text Corporation
275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1
Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Support: http://support.opentext.com
For more information, visit http://www.opentext.com

Copyright ©2014 Open Text SA and/or Open Text ULC. All Rights Reserved.

Open Text is a trademark or registered trademark of Open Text SA and/or Open Text ULC. The list of trademarks is not exhaustive; other trademarks, registered trademarks, product names, company names, brands and service names mentioned herein are property of Open Text SA and/or Open Text ULC or other respective owners.

Disclaimer

No Warranties and Limitation of Liability

Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for
the accuracy of this publication.

Contents

About StreamServe Security....................................................................................... 5


Using the security tool on Windows .......................................................................... 7
Using the security tool on UNIX/Linux ..................................................................... 11
Securing StreamStudio.............................................................................................. 17
Editing the security file ......................................................................................................18
Editing the Java application service ..................................................................................20
Manually encrypting application domain information ........................................................21
Troubleshooting Security tool .................................................................................. 23
Lost key.............................................................................................................................23
Management Gateway does not start ...............................................................................24
Illegal key size...................................................................................................................24
Using NetWeaver JSPM to update StreamStudio.............................................................25
Management Gateway key......................................................................................... 27
Replacing certificate files .......................................................................................... 29
Enabling authentication for SSSP via OTDS ........................................................... 31
Web service security.................................................................................................. 33
Specifying a user for web service security ........................................................................34
Setting up Trusted Communication Channels...................................................................35
Issuing a root certificate............................................................................................ 36
Issuing PrivateStores................................................................................................ 36
Issuing TrustStores................................................................................................... 37
Configuring a TCC for the service gateway.............................................................. 38
Configuring a TCC for the StreamStudio portal........................................................ 40
Configuring a TCC for the SSSP application............................................................ 41
Troubleshooting........................................................................................................ 43
Illegal key size .................................................................................................. 43


About StreamServe Security

This guide contains information on how to improve security on your StreamServe installation:

Security tool
The Security tool lets you encrypt files that otherwise contain passwords in plain
text.
See Using the security tool on Windows on page 7 or Using the security tool on UNIX/Linux on page 11.
To enable encryption support for StreamStudio, see Securing StreamStudio on
page 17.

Replace the default Management Gateway key

The default Management Gateway key is identical for every StreamServe installation. It is therefore recommended to replace this with your own key.
See Management Gateway key on page 27.

You can use the key created by the Security tool as the Management
Gateway key. The following procedure is recommended:
1 Generate the key with the Security tool. Do not encrypt anything
yet with the key.
2 Replace the Management Gateway key.
3 If required, enable encryption support for StreamStudio.
4 If required, enable web service security including TCC.
5 Encrypt your system with the Security tool.

Replacing certificate files

You can replace the certificate files for Management Gateway and Service Gateway.
See Replacing certificate files on page 29.

Enable web service security and TCC

You can specify that all web service requests to the service gateway are authenticated with the credentials of the user logged in. You can also set up TCC for this communication.
See Web service security on page 33.


Using the security tool on Windows

The security tool enables you to encrypt a set of XML files in your StreamServe
installation to ensure that passwords are not shown in clear text.
Note: Because you modify installed files using the tool, you may need
administrative privileges on Windows 7 and 2008.

Preparations
Stop all applications in the application domains, for example StreamServer,
Service Gateway etc.
Note: The Management Nanny and Gateway are automatically restarted by the
security tool.

Running the security tool

To encrypt files, you must
• Have access to a PFX key. You can generate a key using the
strssecureinstall.bat script.
• Encrypt the files with the key by running the strssecureinstall.bat
script.
• Update domain information and restart applications.
The parameters to use with the script are listed in the table below. The script is
installed in:
<StreamServe installation>\Applications\StrsKeyTool\<Version>\bin
For examples of how to use the tool, see Examples of running the script on page 10.
To enable security in StreamStudio, see Securing StreamStudio on page 17.

After you have run the script using the -genkey parameter, it is important to store the key in a secure location. We recommend that you generate the key as a file (using the file:// protocol), rather than just an alias name, and store the file on a secure medium. Then you refer to the file at its secure location when encrypting/decrypting.
It is important that you do not lose the key, or overwrite it by generating a new key with the same path and name, as that would make it impossible to decrypt the files when needed.
If you already have PFX files that you have used, for example, to secure the service gateway communication with StreamStudio through TCC, you can use any of these files to encrypt files with the security tool, and you do not have to generate a new one with the -genkey parameter.
Note: If the script fails to enable security, the script will automatically perform a rollback. This is similar to running the script again with the -disable parameter.


Strssecureinstall parameters

-genkey
    Generates a key with a name specified in the -alias parameter and (optionally) password protected via the -keypass parameter. You use this key to encrypt and decrypt the files. If the specified alias name already exists, the script will stop. You can use the -force parameter to overwrite the file.

-keysize
    Use this together with -genkey to control the private key size. Specify a byte length as argument. Default is 2048.

-validity
    Use this together with -genkey to control the validity of the key. Specify a number of days as argument. Default is 7300.

-force
    Use this together with -genkey or -export. If the file already exists, this parameter lets you overwrite the existing file.

-alias
    The alias for the key. You can use the file:// protocol prefix to specify the key path and file name, or you can specify an alias name for the key. If you specify an alias name, you can export the key to a file with the -export and -keyfile parameters.
    Note: Specify an absolute path to the key file. The folder where you create the file must exist.

-keyalias
    Use this instead of -alias when restarting the encrypted application from a command line.
    Note: You must also supply the -keypass parameter if a password was used when generating the key.

-keypass
    A password for the key. Due to a PKCS12 KeyStore issue in the Java Runtime Environment, this parameter is mandatory if you run a StreamStudio portal in your application domain. If you do not use StreamStudio, it is optional, but should be used for increased protection of the key itself.

-dname
    Optionally, you can specify a distinguished name that is included in the key.

-enable
    Enables security on the StreamServe installation.
    Note: If files already are encrypted, they will not be encrypted again.

-disable
    Disables the security of the system and restores the original configuration.

-export
    Exports a key with a specified alias to a file. The file to export to is specified with the -keyfile parameter. If the specified alias name already exists, the script will stop. You can use the -force parameter to overwrite the file.

-keyfile
    The name of the file created using the -export parameter.

-verbose
    Enables detailed output.

-?
    Displays help text with examples.

To enable security
1 Stop any running applications in the application domains on the system you want to secure.
2 In a command line tool, browse to <StreamServe installation>\Applications\StrsKeyTool\<Version>\bin
3 Run the following command:
strssecureinstall -genkey -alias "file://<path to PFX file to generate>" -keypass "<password of your choice>" [-dname "<Distinguished Name>"] [-verbose]
4 For each StreamServe installation to secure, run the following command:
strssecureinstall -enable -alias "file://<path to the generated PFX file>" -keypass "<password used when generating key>" [-verbose]
5 In Control Center, right-click the application domain and select Update Application Domain File.
6 Right-click the application domain and select Restart All Applications.
Note: If you restart the applications from a command line, you must use the -keyalias parameter instead of the -alias parameter. If a password was used when creating the key, the -keypass parameter must also be provided.

To disable security
1 Stop any running applications in the application domains on the system you want to secure.
2 In a command line tool, browse to <StreamServe installation>\Applications\StrsKeyTool\<Version>\bin
3 Run the following command:
strssecureinstall -genkey -alias "file://<path to PFX file to generate>" -keypass "<password of your choice>" [-dname "<Distinguished Name>"] [-verbose]
4 For each StreamServe installation to decrypt, run the following command:
strssecureinstall -disable -alias "file://<path to the PFX file used when encrypting the system>" -keypass "<password used when enabling security>" [-verbose]

5 In Control Center, right-click the application domain and select Update Application Domain File.
6 Right-click the application domain and select Restart All Applications.
Note: If you restart the applications from a command line, you must use the -keyalias parameter instead of the -alias parameter. If a password was used when creating the key, the -keypass parameter must also be provided.

To change keys used for encryption


If you want to use another key than the one you used to encrypt your installation,
you must first disable security on the installation, and then enable security with
the new key.

Examples of running the script

Example 1 Generating a key and encrypting the files

The following command creates a key stored in c:\testkey.pfx:
strssecureinstall -genkey -alias "file://c:\testkey.pfx" -keypass "mypass"
The following command uses the generated key to encrypt the files. You can use the key on all StreamServe installations that you want to secure. In this example, the management gateway on localhost, port 28000, with a CA certificate in the default location, is invoked with the Administrator user and password admin_pass. The management nanny and gateway are automatically restarted after encryption:
strssecureinstall -enable -alias "file://c:\testkey.pfx" -keypass "mypass"

Example 2 Generating a key with an alias name, and exporting the key to a file

The following command creates a key stored with alias testkey:
strssecureinstall -genkey -alias "testkey" -keypass "mypass"
The key is exported to a file called testkey.pfx:
strssecureinstall -export -alias "testkey" -keypass "mypass" -keyfile "testkey.pfx"

Example 3 Disabling security for a system

The following example disables the security by decrypting files, removing startup arguments, and restarting the management nanny and gateway:
strssecureinstall -disable -alias "file://c:\testkey.pfx" -keypass "mypass"


Using the security tool on UNIX/Linux

The security tool enables you to encrypt a set of XML files in your StreamServe
installation to ensure that passwords are not shown in clear text. In addition, the
.operatorInput file located in the StreamServe installation root folder is
encrypted.

Preparations
Stop all applications in the application domains, for example StreamServer,
Service Gateway etc.
Note: The Management Nanny and Gateway are automatically restarted by the
security tool.

Running the security tool

To encrypt the files, you must:
• Have access to a PFX key. You can generate a key using the
strssecureinstall.bat script.
• Encrypt the files with the key by running the strssecureinstall.bat
script.
• Update domain information and restart applications.
The parameters to use are listed in the table below. The tool is installed in:
<StreamServe installation>/applications/strssecureinstall
For examples of how to use the tool, see Examples of running the tool on page 14.
To enable security in StreamStudio, see Securing StreamStudio on page 17.

After you have run the script with the -genkey parameter, it is important that you store the key in a secure location. We recommend that you generate the key as a file (using the file:// protocol), rather than just an alias name, and store the file on a secure medium. Then you refer to the file at its secure location when encrypting/decrypting.
It is important that you do not lose the key, or overwrite it by generating a new key with the same path and name, as that would make it impossible to decrypt the files when needed.
If you already have PFX files that you have used, for example, to secure the service gateway communication with StreamStudio through TCC, you can use any of these files to encrypt files with the security tool, and you do not have to generate a new one with the -genkey parameter.


Strssecureinstall parameters

-genkey
    Generates a key with a name specified in the -alias parameter and (optionally) password protected via the -keypass parameter. You use this key to encrypt the files. If the specified alias name already exists, the script will stop. You can use the -force parameter to overwrite the file.

-keysize
    Use this together with -genkey to control the private key size. Specify a byte length as argument. Default is 2048.

-validity
    Use this together with -genkey to control the validity of the key. Specify a number of days as argument. Default is 7300.

-force
    Use this together with -genkey or -export. If the file already exists, this parameter lets you overwrite the existing file.

-alias
    The alias for the key. You can use the file:// protocol prefix to specify the key path and file name, or you can specify an alias name for the key. If you specify an alias name, you can export the key to a file with the -export and -keyfile parameters.
    Note: Specify an absolute path to the key file. The folder where you create the file must exist.

-keyalias
    Use this instead of -alias when restarting the encrypted application from a command line.
    Note: You must also supply a -keypass parameter if a password was used when generating the key.

-keypass
    A password for the key. Due to a PKCS12 KeyStore issue in the Java Runtime Environment, the parameter is mandatory if you run a StreamStudio portal in your application domain. If you do not use StreamStudio, it is optional, but should be used for increased protection of the key.

-dname
    Optionally, you can specify a distinguished name that is included in the key.

-enable
    Enables security for the StreamServe installation.
    Note: If files already are encrypted, they will not be encrypted again.

-disable
    Disables the security in the StreamServe installation and restores the original configuration.

-export
    Exports a key with a specified alias to a file. The file to export to is specified with the -keyfile parameter. If the specified alias name already exists, the script will stop. You can use the -force parameter to overwrite the file.

-keyfile
    The name of the file created using the -export parameter.

-verbose
    Enables detailed output.

-?
    Displays help text with examples.

To enable security
1 Stop all applications in the application domains, for example StreamServer, Service Gateway etc.
2 Browse to <StreamServe installation>
3 Run the following command:
./streamserve strssecureinstall -genkey -alias "file://<absolute path to PFX file to generate>" -keypass "<password of your choice>" [-dname "<Distinguished name>"] [-verbose]
4 For each StreamServe installation to secure, run the following command:
./streamserve strssecureinstall -enable -alias "file://<absolute path to the generated PFX file>" -keypass "<password used when generating key>" [-verbose]
5 Update the application domain information file and restart all services, either from a Windows machine with Control Center or by using the command line utilities.
Note: If you restart the applications from a command line, you must use the -keyalias parameter instead of the -alias parameter. If a password was used when creating the key, the -keypass parameter must also be provided.

To enable security by using a file reference to the password

1 Stop all applications in the application domains, for example StreamServer, Service Gateway, etc.
2 Browse to the <StreamServe installation> directory.
3 Run the following command:
./streamserve strssecureinstall -genkey -alias "file://<absolute path to PFX file to generate>" -keypass "file://<absolute path to password file>" [-dname "<Distinguished name>"] [-verbose]
4 For each StreamServe installation to secure, run the following command:
./streamserve strssecureinstall -enable -alias "file://<absolute path to the generated PFX file>" -keypass "file://<absolute path to password file>" [-verbose]

5 Update the application domain information file and restart all services,
either from a Windows machine with Control Center or by using the
command line utilities.
Note: If you restart the applications from a command line, you must use the -keyalias parameter instead of the -alias parameter. If a password was used when creating the key, the -keypass parameter must also be provided.

To disable security
1 Stop all applications in the application domains, for example StreamServer, Service Gateway etc.
2 Browse to <StreamServe installation>
3 Run the following command:
./streamserve strssecureinstall -genkey -alias "file://<absolute path to PFX file to generate>" -keypass "<password of your choice>" [-dname "<Distinguished name>"] [-verbose]
4 For each StreamServe installation to decrypt, run the following command:
./streamserve strssecureinstall -disable -alias "file://<absolute path to the PFX file used when encrypting the system>" -keypass "<password used when enabling security>" [-verbose]
5 Update the application domain information file and restart all services, either from a Windows machine with Control Center or by using the command line utilities.
Note: If you restart the applications from a command line, you must use the -keyalias parameter instead of the -alias parameter. If a password was used when creating the key, the -keypass parameter must also be provided.

To change keys used for encryption


If you want to use another key than the one you used to encrypt your installation,
you must first disable security on the installation, and then enable security with
the new key.

Examples of running the tool

Example 4 Generating a key and encrypting the files

The following command creates a key stored in /opt/streamserve/testkey.pfx:
./streamserve strssecureinstall -genkey -alias "file:///opt/streamserve/testkey.pfx" -keypass "mypass"
The following command uses the generated key to encrypt the files. You can use the key on all StreamServe installations that you want to secure.
./streamserve strssecureinstall -enable -alias "file:///opt/streamserve/testkey.pfx" -keypass "mypass"

Example 5 Generating a key with an alias name, and exporting the key to a file

The following command creates a key stored with alias testkey:
./streamserve strssecureinstall -genkey -alias "testkey" -keypass "mypass"
The key is exported to a file called testkey.pfx:
./streamserve strssecureinstall -export -alias "testkey" -keypass "mypass" -keyfile "testkey.pfx"

Example 6 Disabling security on a management gateway

The following example disables the security by decrypting files, removing startup arguments, and restarting the management nanny and gateway:
./streamserve strssecureinstall -disable -alias "file:///opt/streamserve/testkey.pfx" -keypass "mypass"


Securing StreamStudio

When you have encrypted your system with the Security tool, you can secure the StreamStudio installation by manually configuring encryption support. You must:
• Edit the security.properties file in the deployed StreamStudio package (e.g. the .sca or .war file).
• Specify a password on the service run by your Java application server, for example, the NetWeaver or Tomcat service.
Note: If you do not manage your StreamStudio portal from Control Center, you can either copy the territory.xml file from your service gateway working directory, or manually encrypt the territory.xml file. See Manually encrypting application domain information on page 21.

Editing the security file

Location of the security.properties file
The following are examples where the file is located after deployment:
• NetWeaver on Windows
c:\usr\sap\<SYSID>\J<SYSNR>\j2ee\cluster\apps\sap.com\<StreamStudio Software Component>\servlet_jsp\streamstudio\root\WEB-INF\spring\properties
• NetWeaver on UNIX/Linux
/usr/sap/<SYSID>/J<SYSNR>/j2ee/cluster/apps/sap.com/<StreamStudio Software Component>/servlet_jsp/streamstudio/root/WEB-INF/spring/properties
• Tomcat on Windows
<Tomcat installation>\webapps\<Streamstudio portal name>\WEB-INF\spring\properties
• Tomcat on UNIX/Linux
<Tomcat installation>/webapps/<Streamstudio portal name>/WEB-INF/spring/properties

Specifying the PFX file

You must specify the PFX file that you use to encrypt e.g. the territory.xml, mgwconnections.xml, and mgmgateway.xml files. This is done by editing the property in the #Keystore section in the following line:
strs.keystore.url=null
This means you must replace null with the path to the PFX file. For example:
strs.keystore.url=file:c:\\testkey.pfx

Specifying alias
You only need to edit this property if you have more than one key listed in your
PFX file.
The property to edit is found in the #Keystore section.
If you have more than one key in the PFX file, you must specify the alias of the
key to use. The alias is the sequence number of the key in the PFX file. To find the
sequence number, see To retrieve the sequence number of a specific key on page 19.
• Edit the following line to point to the alias name of the key.
strs.domainloader.alias=null
This means you must replace null with the key alias, i.e the sequence
number. For example:
strs.domainloader.alias=2

Specifying Java Cryptography Extension

• For Oracle JRE users:
Edit the following line in security.properties:
strs.keystore.provider=null
to the following:
strs.keystore.provider=SunJCE
• For IBM JRE users:
Edit the following line in security.properties:
strs.keystore.provider=null
to the following:
strs.keystore.provider=IBMJCE

To retrieve the sequence number of a specific key

Run the following Java keytool command:
keytool -list -v -keystore <PFX file name> -storetype PKCS12

Editing the Java application service

Add the following to your start parameters on the Java application service (e.g. the NetWeaver or Tomcat service) where StreamStudio is deployed:
-Dstrs.keystore.password=<password>
Replace <password> with the password used to generate the key using the security tool.

You can also specify the password in the security.properties file:
• Edit the following line to point to the password of the key.
strs.keystore.password=null
This means you must replace null with the key password. For example:
strs.keystore.password=<password>
Note: Specifying the password as a start parameter overrides the security.properties setting.
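A check of the edited security.properties, added here as an example and not part of StreamStudio: it reads the file with Java .properties escaping (so the doubled backslash in file:c:\\testkey.pfx comes back as a single one) and reports a strs.keystore.url or strs.keystore.provider still at null, a non-numeric strs.domainloader.alias, and a password kept in the file, which the start parameter above would override. The sample file contents are constructed.

```python
"""Checks the #Keystore settings in a StreamStudio security.properties file.

Added example, not part of StreamStudio: it reads the file with Java
.properties escaping and reports settings the guide says must be edited.
"""

# Constructed sample of the #Keystore section after editing.  A backslash
# in a Java .properties value is written as '\\', which is why the guide's
# Windows example reads file:c:\\testkey.pfx.
SAMPLE_EDITED = r"""
#Keystore
strs.keystore.url=file:c:\\testkey.pfx
strs.keystore.provider=SunJCE
strs.domainloader.alias=2
strs.keystore.password=null
"""

# Constructed sample of the section as shipped, before any editing.
SAMPLE_DEFAULT = """
#Keystore
strs.keystore.url=null
strs.keystore.provider=null
strs.domainloader.alias=null
strs.keystore.password=null
"""

# Providers named in the guide: SunJCE for Oracle JRE, IBMJCE for IBM JRE.
KNOWN_PROVIDERS = ("SunJCE", "IBMJCE")


def unescape(value):
    """Resolve Java .properties backslash escapes in a value."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt == "u" and i + 5 < len(value):          # \uXXXX
                out.append(chr(int(value[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments,
    backslash escapes in values.  Enough for security.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = unescape(value.strip())
    return props


def check_keystore_settings(props):
    """Return a list of findings about the #Keystore settings; an empty
    list means every setting the guide asks for has been filled in."""
    findings = []
    url = props.get("strs.keystore.url", "null")
    if url == "null":
        findings.append("strs.keystore.url is still null; point it to the PFX "
                        "file used to encrypt territory.xml and the gateway files")
    elif not url.startswith("file:"):
        findings.append("strs.keystore.url should use the file: prefix, got " + url)
    provider = props.get("strs.keystore.provider", "null")
    if provider not in KNOWN_PROVIDERS:
        findings.append("strs.keystore.provider must be SunJCE (Oracle JRE) or "
                        "IBMJCE (IBM JRE), got " + provider)
    alias = props.get("strs.domainloader.alias", "null")
    if alias != "null" and not alias.isdigit():
        findings.append("strs.domainloader.alias must be the key's sequence "
                        "number from keytool -list, got " + alias)
    password = props.get("strs.keystore.password", "null")
    if password != "null":
        findings.append("strs.keystore.password is set in the file; note that a "
                        "-Dstrs.keystore.password start parameter overrides it")
    return findings


def check_properties_file(path):
    """Read a deployed security.properties file and return its findings."""
    with open(path, encoding="latin-1") as fh:   # .properties default encoding
        return check_keystore_settings(parse_properties(fh.read()))


if __name__ == "__main__":
    for name, text in (("edited", SAMPLE_EDITED), ("default", SAMPLE_DEFAULT)):
        print(name, check_keystore_settings(parse_properties(text)) or ["ok"])
```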

Manually encrypting application domain information

For an unmanaged portal, you must perform the following before moving the territory.xml file to the Java application server where your portal is running.
Note: This requires that you have exported the application domain file from Control Center.
• Generate a new key or use an existing key.
• Encrypt the territory.xml file.

To generate a key
Browse to <StreamServe installation>\Applications\StrsKeyTool\<Version>\bin and run the following command:
strskeytool -genkey -alias <keyname> -keypass <password> [-dname <domain name>]

To encrypt a file
Run the following command:
strskeytool -encrypt -alias <keyname> -keypass <password> -in <territory.xml to encrypt> -out <encrypted territory file>

To decrypt a file
Run the following command:
strskeytool -decrypt -alias <keyname> -keypass <password> -in <territory.xml to decrypt> -out <decrypted territory file>

To export a key to a PKCS12 file
Run the following command:
strskeytool -export -alias <keyname> -keypass <password> -file "file://keyfilename.pfx"


Troubleshooting Security tool

Lost key
If you no longer have access to the key that you used to encrypt your StreamServe
installation, you will not be able to decrypt files or restart your StreamServe
applications.

Solution on Windows
1 Run the security tool with the -disable command. See To disable security on page 9. At this stage, it does not matter what you specify as -alias and -keypass as you only need to disable the management gateway startup arguments.
2 From your backup, restore the following original files:
• mgwconnections.xml
• mgmgateway.xml
in the following directory:
<StreamServe installation>\Applications\Management\<Version>
And:
• trustedcommunications.xml (if you use it)
in the following directory:
<StreamServe installation>\Platform\Core\<Version>\bin
And:
• enterpriserepository.xml
in the following directory:
<Management_gateway_root>\<Version>\root\securityprofiles
3 In Control Center, right-click the application domain and select Update Domain Information Files, or use the command line utilities for the corresponding function.
4 Right-click the application domain and select Restart All Applications, or use the command line utilities for the corresponding function.
5 Generate a new key and re-run the encryption. See Using the security tool on Windows on page 7.

Solution on UNIX/Linux
1 Run the security tool with the -disable command. See To disable security on page 9. At this stage, it does not matter what you specify as -alias and -keypass as you only need to disable the management gateway startup arguments.
2 From your backup, restore the original mgwconnections.xml and mgmgateway.xml files in the following directory:
<StreamServe installation>/Applications/Management
3 In Control Center on a Windows machine, right-click the application domain and select Update Domain Information Files, or use the command line utilities for the corresponding function.
4 Right-click the application domain and select Restart All Applications, or use the command line utilities for the corresponding function.
5 Generate a new key and re-run the encryption. See Using the security tool on UNIX/Linux on page 11.
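
The recovery above depends on the original XML files having been backed up before the system was encrypted. The following helper is an added example, not part of StreamServe: before a -genkey/-enable run it copies the files the Lost key procedure names (mgwconnections.xml, mgmgateway.xml, trustedcommunications.xml, enterpriserepository.xml) into a backup directory and applies the key-file rules from the parameter table (file:// alias, absolute path, existing folder, no overwrite without force). The installation and management gateway root paths and the demo() sample tree are assumptions.

```python
"""Pre-flight helper for 'strssecureinstall -genkey' and '-enable' runs.

Added example, not part of StreamServe.  It backs up the configuration files
the 'Lost key' procedure expects to restore, and validates the -alias key
target as the parameter table describes: a file:// key, an absolute path,
an existing folder, and no overwrite of an existing key file.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Files named in the 'Lost key' procedure, relative to the StreamServe
# installation root.  '**' also matches zero directories, so both the UNIX
# (Applications/Management/) and Windows (Applications\Management\<Version>\)
# layouts are found.
INSTALL_FILES = (
    "Applications/Management/**/mgwconnections.xml",
    "Applications/Management/**/mgmgateway.xml",
    "Platform/Core/**/trustedcommunications.xml",
)
# Relative to <Management_gateway_root>.
MGW_FILES = ("*/root/securityprofiles/enterpriserepository.xml",)
_WIN_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def key_path_from_alias(alias):
    """Return the key file path named by a file:// alias; bare alias names
    (the guide recommends a file) and relative paths are rejected."""
    if not alias.startswith("file://"):
        raise ValueError("use a file:// key path, not a bare alias name: " + alias)
    path = alias[len("file://"):]
    if not (path.startswith("/") or _WIN_DRIVE.match(path)):
        raise ValueError("key path must be absolute: " + path)
    return path


def check_key_target(alias, force=False):
    """Validate where -genkey will write the PFX file; run it on the host that
    creates the key, as the folder check uses the local filesystem.  Refusing
    to overwrite mirrors the script's -force switch and protects the only key
    that can decrypt the installation."""
    path = Path(key_path_from_alias(alias))
    if not path.parent.is_dir():
        raise ValueError("folder for the key file does not exist: %s" % path.parent)
    if path.exists() and not force:
        raise ValueError("key file already exists, refusing to overwrite: %s" % path)
    return path


def can_write_key(alias, force=False):
    """True if check_key_target() accepts the alias."""
    try:
        check_key_target(alias, force)
        return True
    except ValueError:
        return False


def backup_config(install_root, mgw_root, backup_dir):
    """Copy the recovery-relevant XML files into backup_dir, keeping their
    relative layout so they can be restored to the same place.  Returns the
    backed-up paths relative to backup_dir."""
    copied = []
    for root, patterns, label in ((Path(install_root), INSTALL_FILES, "install"),
                                  (Path(mgw_root), MGW_FILES, "mgw")):
        for pattern in patterns:
            for src in sorted(root.glob(pattern)):
                rel = src.relative_to(root)
                dst = Path(backup_dir) / label / rel
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, dst)
                copied.append("%s/%s" % (label, rel.as_posix()))
    return copied


def demo():
    """Build a constructed sample installation in a temporary directory, run
    the checks and return the results (also what the tests assert on)."""
    tmp = Path(tempfile.mkdtemp(prefix="strs-demo-"))
    install, mgw = tmp / "streamserve", tmp / "mgw"
    sample = ("Applications/Management/mgwconnections.xml",
              "Applications/Management/mgmgateway.xml",
              "Platform/Core/5.6.2/bin/trustedcommunications.xml")
    for rel in sample:
        (install / rel).parent.mkdir(parents=True, exist_ok=True)
        (install / rel).write_text("<!-- constructed sample -->\n")
    ent = mgw / "5.6.2/root/securityprofiles/enterpriserepository.xml"
    ent.parent.mkdir(parents=True)
    ent.write_text("<!-- constructed sample -->\n")
    copied = backup_config(install, mgw, tmp / "backup")
    alias = "file://%s/testkey.pfx" % install.as_posix()
    check_key_target(alias).write_text("constructed placeholder, not a real PFX\n")
    refused = not can_write_key(alias)            # key now exists: refused
    forced = can_write_key(alias, force=True)     # -force would overwrite
    restored = (tmp / "backup" / copied[0]).read_text() == (install / sample[0]).read_text()
    shutil.rmtree(tmp)
    return {"copied": copied, "refused": refused, "forced": forced, "restored": restored}
```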

Management Gateway does not start

If the management gateway does not start correctly after you have run the -enable command, it may be because a wrong -alias or -keypass value was submitted.

Solution Windows
1 Run the security tool with the -disable command. See To disable security on page 9.
2 Enable security with the correct parameters, see To enable security on page 9.

Solution UNIX
1 Run the security tool with the -disable command. See To disable security on page 14.
2 Enable security with the correct parameters, see To enable security on page 13.

Illegal key size

If you get the following error in the streamstudio.log file, unlimited jurisdiction strength policy files are required:
java.io.IOException: Private key decryption error: (java.security.InvalidKeyException: Illegal key size)

Solution
You must download and install the files enabling unlimited jurisdiction strength
policy for the Java Cryptography Extension provider (Oracle JRE or IBM JRE).

Using NetWeaver JSPM to update StreamStudio


If you use JSPM to update an existing version of StreamStudio, the StreamStudio
hotfix may not be identified as a valid patch and JSPM logs the following message
in the SCAN_INBOX.log file:
Delivery unit with version <version> located in /usr/sap/trans/EPS/
in/streamstudio-<version>.<build>.sca is not a valid update for
component sap.com/STREAMSTUDIO with version <version>.

Solution
Use NetWeaver Developer Studio to deploy the updated .sca package to the
application server. Follow the instructions in OpenText StreamServe Web
applications on SAP NetWeaver Application Server Installation Instructions and make
sure you select the Deployment perspective and Update strategy to update
components with lower version numbers.

Management Gateway key

By default, the mgmgateway.xml file references a demo.pfx key. It is
recommended to replace this with your own key, for example a key generated by
the Security tool. When you have modified the key reference, you must edit the
Management Gateway certificate property and update the application domain
information.
The Management Gateway uses the SSLv3 (Secure Socket Layer version 3)
security protocol by default. If required, you can switch to TLS (Transport Layer
Security).

To modify certificate reference


1 Browse to <StreamServe installation>\Applications\Management\<Version>
2 Open the mgmgateway.xml file.
3 Search for the "http_listener" listener module settings.
4 Modify the <certificate value/> value to point to your certificate file.
5 Modify the <pfx password/> value.
6 Optional - To switch from SSL to TLS, add the following element to the
"http_listener" listener module settings:
<protocol type="http://schemas.streamserve.com/uid/resource/securesocketchanneltls/1.0"/>
Note: The TLS configuration above enables TLSv1.0, TLSv1.1, and TLSv1.2.
The protocol version used by the calling application decides the
version.

7 In Control Center, select the site.
8 In the Properties view, right-click Management gateway certificate file and
select Edit Property.
9 Browse to and select the certificate file and click OK.
10 Restart the Management Gateway.

To update application domain file


• In Control Center, right-click the application domain and select Update
Application Domain File.


Replacing certificate files

You can replace the certificate files used by the management gateway and service
gateway, for example when you have renewed a certificate file.
If you replace a certificate file, the new certificate must have the same name as the
old certificate.
The certificate files are located in the following directories.

Certificate | Location
Trusted certificate authority file(s) | <StreamServe installation>\Platform\Core\<version>\bin\security\certificatestore\trusted\authorities
Trusted peer certificate file(s) | <StreamServe installation>\Platform\Core\<version>\bin\security\certificatestore\trusted\peers
Server identity file | <StreamServe installation>\Platform\Core\<version>\bin\security\certificatestore\trusted\Keystore\private

To replace a certificate file


1 Browse to the directory that contains the certificate file you want to replace.
2 Copy the new certificate file to the directory.
3 Restart the following Windows services:
StreamServe Service Gateway
StreamServe Management Gateway
StreamServe Management Nanny


Enabling authentication for SSSP via OTDS

If your company stores its user profiles in OpenText Directory Services (OTDS),
you can enable authentication for Ad Hoc Correspondence, Correspondence
Reviewer, and Document Broker Query (DBQ) Tool.
When authentication is enabled and a user tries to access a web application,
the user is redirected to the OTDS logon page. Only authorized users from the
OTDS directory are allowed to access the application.
Single sign-on is supported via OTDS tickets.

Prerequisites
• In the application domains, the user directory must be configured with
OTDS. For more information, see Configuring user directories with OTDS in
Control Center User Guide.

Post requisites
When the configuration is done, you must:
• Restart the SSSP application for the changes to take effect.
• Assign roles to the Ad Hoc, Reviewer, and DBQ Tool users in StreamStudio
Administrator. For Ad Hoc and Reviewer, you must also set access rights to
the applications for the roles. For the DBQ Tool, you do not need to set
access rights as this application is already accessible for all roles.
• For security reasons, we recommend that you use HTTPS when accessing
StreamServe web applications.

To enable OTDS security


1 Open the following file:
<Portal root>\sssp\WEB-INF\spring\security.xml
2 Change the type from basic to otds in the following line:
<import resource="security-basic.xml"/>
3 Save and close the file.

To enable authentication and configure the URL for OTDS


1 Open the following file:
<Portal root>\sssp\WEB-INF\spring\properties\security.properties
2 Change the value from false to true in the following line:
strs.authenticationEnabled=false
3 Specify the URL to the OTDS server in the following line:
strs.otds.url=<URL>
4 Save and close the file.


Web service security

Enable web service security


In Control Center, you can specify that all web service requests to the service
gateway are authenticated with the credentials of the user logged in. For
example, service requests from StreamStudio to the service gateway or from the
SSSP application to the service gateway.
For more information, see OpenText StreamServe Control Center User Guide.

Specify user for the SSSP application


When using Ad Hoc Correspondence, Correspondence Reviewer, and the DBQ
Tool, all communication with the service gateway goes through the SSSP
(StreamServe Service Provider) application. If web service security is enabled for
the service requests, there must be a user available whose credentials will be used
for authentication.

Set up Trusted Communication Channels


If you use web service security, we recommend that you encrypt the
communication by using Trusted Communication Channels (TCCs) between
StreamStudio and the service gateway and between the SSSP application and the
service gateway.

In this section
• Specifying a user for web service security on page 34
• Setting up Trusted Communication Channels on page 35

Specifying a user for web service security


In Control Center, in the Application Domain Editor, you can specify that all web
service requests to the service gateway are authenticated with the credentials of
the user logged in.
To enable authenticated communication between the SSSP application and the
service gateway, there must be a user available:
• If you have enabled authentication (see Enabling authentication for SSSP via
OTDS on page 31), the credentials of the user currently logged in will be
used for authentication.
• If authentication is not enabled, you must specify the user whose
credentials will be used for authentication as described below.

Prerequisites
• Web service security must be enabled in Control Center. See OpenText
StreamServe Control Center User Guide.
• The credentials (UID and password) to be used for authentication must be
available. For example, the credentials of the application domain
administrator.

Post requisites
• When using web service security, we recommend that you encrypt the
communication by setting up a Trusted Communication Channel (TCC).
See Setting up Trusted Communication Channels on page 35.

To specify the password for web service security


• We recommend that you specify the password in the Java application
service as a start parameter (space character separated):
-Dws.wss.password=<password>
Note: The password you specify on the Java application service overrides
the ws.wss.password setting in the ws.properties file (see below).

To specify the user for web service security


1 Open the following file:
<Portal root>\sssp\WEB-INF\spring\properties\ws.properties
For example, for Apache Tomcat:
<TOMCAT_HOME>\webapps\sssp\WEB-INF\spring\properties\
ws.properties
2 Go to the following lines:
# Web Service Security
ws.engage.axis2.rampart=true
ws.wss.uid=<replace me if WSS is enabled>
# ws.wss.password can and should be defined as a JVM parameter
ws.wss.password=null

3 Enter the UID to be used for authentication. For example:
ws.wss.uid=CN=STRSDOMAINADMIN,OU=DEFAULT,DC=SCHEMAS,DC=STREAMSERVE,DC=COM
4 Save and close the file.

Setting up Trusted Communication Channels


In Control Center, in the Application Domain Editor, you can specify that all web
service requests to the service gateway are authenticated with the credentials of
the user logged in. If you use web service security, we recommend that you
encrypt the communication by using Trusted Communication Channels (TCCs).
By default, the SSLv3 (Secure Socket Layer version 3) security protocol is used. If
required, you can switch to TLS (Transport Layer Security). All entities (service
gateway, StreamStudio, and the SSSP application) must use the same security
protocol.

Figure 1 TCCs between trusted entities, simple environment

To send encrypted information using a TCC, both the sender and the receiver
must consider each other trusted entities. Each entity (service gateway,
StreamStudio, and the SSSP application) must therefore include a PrivateStore
and a TrustStore. The PrivateStore is a KeyStore that contains the private key for
the specific entity and a certificate chain. The TrustStore is a Java KeyStore that
contains the certificates from the entities to be trusted.
How you set up a TCC depends largely on the environment, for example the
operating system, JVM (Java Virtual Machine), protocols, and certificates used.

You should not set up a TCC unless you have a good working knowledge of PKI
(Public Key Infrastructure) and of the components used in your environment.

Post requisites
After you have set up the required TCCs, you may have to restart the Java
application server for the changes to take effect.

In this section
• Issuing a root certificate on page 36
• Issuing PrivateStores on page 36
• Issuing TrustStores on page 37
• Configuring a TCC for the service gateway on page 38
• Configuring a TCC for the StreamStudio portal on page 40
• Configuring a TCC for the SSSP application on page 41
• Troubleshooting on page 43

Issuing a root certificate


To set up a TCC, a valid root certificate must be available.
• In a testing or development environment, you can issue your own self-
signed certificate. For example, by using the OpenSSL cryptography library.
You can then use this self-signed certificate as a root certificate.
• In a production environment, it is recommended to use a root certificate
signed by a CA (Certificate Authority), for example by VeriSign®.

Example certificate used in this chapter


In the procedures in this chapter, the root certificate is called ca_strs.crt.

Issuing PrivateStores
When you set up the TCCs, you must specify the PrivateStores for the senders
and the receivers. A PrivateStore is a KeyStore that contains the private key for
the specific entity and a certificate chain.
• In a testing or development environment, you can issue your own
PrivateStores (with certificates and private keys) based on the self-signed
certificate. For example, by using the OpenSSL cryptography library.
• In a production environment, it is recommended to use PrivateStores
issued by a CA (Certificate Authority), for example by VeriSign.

Example certificates and PrivateStores used in this chapter


In the procedures in this chapter, the following certificates and PrivateStores are
used:
• Service gateway: private key sgw1.key, certificate sgw1.crt, PrivateStore sgw1.p12
• StreamStudio: private key studio.key, certificate studio.crt, PrivateStore studio.p12
• SSSP application: private key sssp.key, certificate sssp.crt, PrivateStore sssp.p12

Syntax for PrivateStore in the service gateway file


When configuring TCC for the service gateway, the PrivateStore is configured as
a private key (for example, sgw1.p12).
See Configuring a TCC for the service gateway on page 38.

Issuing TrustStores
You must issue the TrustStores that include the service gateway(s) to be trusted
by the StreamStudio portal and the SSSP application. The TrustStores must also
include the root certificate. The TrustStores must be Java KeyStores (*.jks).
You can create TrustStores using a keytool utility provided by the Java vendor.
For example, if you use a JVM from Oracle, you can use the Oracle keytool utility.
For more information, see the user documentation from the Java vendor.

Example TrustStore used in this chapter


In the procedures in this chapter, the TrustStore is called truststore.jks. This
TrustStore contains the service gateway certificate (sgw1.crt) from Issuing
PrivateStores on page 36 and the root certificate (ca_strs.crt) from Issuing a root
certificate on page 36.

Syntax for TrustStore in the service gateway files


When configuring TCC for the service gateway, the TrustStore is configured as
trusted certificate authorities (for example, ca_strs.crt) and trusted peers (for
example, studio.crt and sssp.crt).
See Configuring a TCC for the service gateway on page 38.

Additional security provider configuration for UNIX


On UNIX, you must use the vendor specific JCE (Java Cryptography Extension)
implementation. For example, if you use a JVM from Oracle, you must also use a
JCE implementation from Oracle.
On some JVM distributions, a BouncyCastle JCE implementation is used by
default. You must check that the JCE implementation is placed before the
BouncyCastle implementation in the security provider list found in
<Path to JRE>/lib/security/java.security
Note: Do not break the sequence; the security providers must form an
unbroken, ordered list.
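As an added example (not from the OpenText guide), this script checks a java.security file for the two conditions above: an unbroken security.provider numbering and the vendor JCE provider listed before any BouncyCastle provider. It assumes the classic security.provider.N=<class> entry format and that the vendor JCE provider is Oracle's com.sun.crypto.provider.SunJCE (set VENDOR_JCE for another vendor).

```shell
#!/bin/sh
# Added example, not from the OpenText guide. Checks the security provider
# list in <Path to JRE>/lib/security/java.security. Assumes the classic
# "security.provider.N=<class>" entry format; the vendor class below is
# Oracle's SunJCE and is an assumption for other vendors.
VENDOR_JCE="${VENDOR_JCE:-com.sun.crypto.provider.SunJCE}"
BC_PREFIX="org.bouncycastle"

# Print "N <provider>" for every security.provider.N entry, sorted by N.
provider_list() {
    sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1 \2/p' "$1" \
        | sort -n
}

# Check 1: numbers must run 1, 2, ..., N with no gap (returns 0 when they do).
sequence_is_contiguous() {
    provider_list "$1" | awk 'NR != $1 + 0 { bad = 1 } END { exit bad + 0 }'
}

# Check 2: returns 0 if the vendor JCE provider precedes every BouncyCastle
# provider (or BouncyCastle is absent), 1 if BouncyCastle comes first, and
# 2 if the vendor JCE provider is not listed at all.
vendor_jce_before_bouncycastle() {
    provider_list "$1" | awk -v jce="$VENDOR_JCE" -v bc="$BC_PREFIX" '
        $2 == jce && !jce_pos          { jce_pos = $1 + 0 }
        index($2, bc) == 1 && !bc_pos  { bc_pos = $1 + 0 }
        END {
            if (!jce_pos) exit 2
            if (bc_pos && bc_pos < jce_pos) exit 1
            exit 0
        }'
}

# Run both checks on one file; prints a verdict and returns non-zero on any
# problem, so it can gate a deployment script.
check_java_security() {
    file=$1
    if ! sequence_is_contiguous "$file"; then
        echo "$file: security.provider numbering has a gap (broken sequence)" >&2
        return 1
    fi
    rc=0
    vendor_jce_before_bouncycastle "$file" || rc=$?
    case $rc in
        0) echo "$file: provider order OK ($VENDOR_JCE precedes BouncyCastle)" ;;
        1) echo "$file: BouncyCastle is listed before $VENDOR_JCE" >&2 ;;
        *) echo "$file: $VENDOR_JCE is not in the provider list" >&2 ;;
    esac
    return "$rc"
}

# Usage: sh check_java_security.sh "<Path to JRE>/lib/security/java.security"
if [ -n "${1:-}" ]; then
    check_java_security "$1"
fi
```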

Configuring a TCC for the service gateway


You can manually configure a TCC on the service gateway side.

Prerequisites
In the procedures, the certificates mentioned in Issuing a root certificate on page 36
and Issuing PrivateStores on page 36 are used.

Post requisites
After the TCC is configured for the service gateway, you must restart the service
gateway.

To enable a TCC for the service gateway


1 Open the following file:
• Windows:
<StreamServe installation>\Applications\Service Gateway\<Version>\bin\semper.xml
• UNIX:
<StreamServe installation>/applications/servicegateway/semper.xml
2 Un-comment the following line:
<!--trustedcommunicationchannel>
<configuration>
<pub:xlink xlink:type="simple"
xlink:href="trustedcommunicationchannel.xml" />
</configuration>
</trustedcommunicationchannel--!>
3 Save and close the file.

To specify certificates
1 Open the following file:
• Windows:
<StreamServe installation>\Platform\Core\<Version>\bin\trustedcommunicationchannel.xml
• UNIX:
<StreamServe installation>/platform/trustedcommunicationchannel.xml
2 Add the certificates to the following lines:
<container type="http://schemas.streamserve.com/uid/component/trustedcertificateauthorities/1.0">
  <files>
    <file href="ca_strs.crt" />
  </files>
</container>
<container type="http://schemas.streamserve.com/uid/component/trustedpeers/1.0">
  <files>
    <file href="studio.crt" />
    <file href="sssp.crt" />
  </files>
</container>

...
<container type="http://schemas.streamserve.com/uid/component/privatekeys/1.0">
  <files>
    <file href="sgw1.p12" password="strs01" />
  </files>
</container>
3 Optional - To switch from SSL to TLS, un-comment the TLS protocol
configuration in the following line:
<!-- <protocol type="http://schemas.streamserve.com/uid/resource/securesocketchanneltls/1.0"/> -->
and comment out the SSLv3 protocol configuration in the following line:
<protocol type="http://schemas.streamserve.com/uid/resource/securesocketchannelssl/3.0"/>
Note: The TLS configuration above enables TLSv1.0, TLSv1.1, and TLSv1.2.
The protocol version used by the calling application decides the
version.

4 Save and close the file.

To add certificates and PrivateStore to the StreamServe installation


1 Add the ca_strs.crt certificate to the following folder:
• Windows:
<StreamServe installation>\Platform\Core\<Version>\bin\security\certificatestore\trusted\authorities
• UNIX:
<StreamServe installation>/platform/lib/security/certificatestore/trusted/authorities
2 Add the sssp.crt and studio.crt certificates to the following folder:
• Windows:
<StreamServe installation>\Platform\Core\<Version>\bin\security\certificatestore\trusted\peers
• UNIX:
<StreamServe installation>/platform/lib/security/certificatestore/trusted/peers
3 Add the sgw1.p12 PrivateStore to the following folder:
• Windows:
<StreamServe installation>\Platform\Core\<Version>\bin\security\keystore\private
• UNIX:
<StreamServe installation>/platform/lib/security/keystore/private
4 Restart your service gateways.

Configuring a TCC for the StreamStudio portal


For StreamStudio, you configure the TCC settings in the ws.properties file for
the application. To achieve web security, you must enable it in the spring.xml
file for the application.

Prerequisites
• In the Application Domain Editor, https:// must be used in the URL to
the service gateway. See OpenText StreamServe Control Center User Guide.
• In the procedures, the PrivateStore and TrustStore mentioned in Issuing
PrivateStores on page 36 and Issuing TrustStores on page 37 are used.

To specify passwords on the Java application service


Add the following to your start parameters on the Java application service (for
example the NetWeaver or Tomcat service) where StreamStudio is deployed:
-Dws.https.privatestore.password=<PrivateStore_password>
-Dws.https.truststore.password=<TrustStore_password>
You can instead specify the passwords in ws.properties as shown below, but we
recommend that you specify them on the service to avoid plain text passwords in
the file system. If you specify passwords in both places, the passwords specified
as startup parameters override the file settings.
Note: Separate start parameters with a space character.

To configure the PrivateStore and TrustStore


1 Open the following file:
<Portal root>\<StreamStudio>\WEB-INF\spring\properties\ws.properties
For example, for Apache Tomcat:
<TOMCAT_HOME>\webapps\<StreamStudio>\WEB-INF\spring\properties\ws.properties
2 Edit the following lines:
# Trusted Communication Channel (TCC) Settings
#
# Set the security protocol to use when communicating with the SGW.
# ws.https.ssl.protocol=<protocol used i.e. SSLv3|TLSv1|TLSv1.1|TLSv1.2>
ws.https.ssl.protocol=SSLv3
ws.https.x509.vendor=SunX509

# -- PrivateStore --
ws.https.privatestore.url=file:<PrivateStore_file_path>
ws.https.privatestore.type=PKCS12
# ws.https.privatestore.password can and should be defined as a JVM parameter
ws.https.privatestore.password=null

# -- TrustStore --
ws.https.truststore.url=file:<TrustStore_file_path>
ws.https.truststore.type=JKS
# ws.https.truststore.password can and should be defined as a JVM parameter
ws.https.truststore.password=null

3 Optional - To switch from SSL to TLS, edit the following line:
ws.https.ssl.protocol=SSLv3
4 Save and close the file.

To enable security
1 Open the following file:
<Portal root>\<StreamStudio>\WEB-INF\spring\spring.xml
For example, for Apache Tomcat:
<TOMCAT_HOME>\webapps\<StreamStudio>\WEB-INF\spring\spring.xml
2 Add the following line:
<import resource="ws-security.xml"/>
3 Save and close the file.
4 Restart the StreamStudio portal.

Configuring a TCC for the SSSP application


For the SSSP application, you configure the TCC settings in the ws.properties
file for the application. To achieve web security, you must enable it in the
application-context.xml file for the application.
Note: If you enable web service security, you must also specify the user whose
credentials will be used for authentication. See Specifying a user for web
service security on page 34.

Prerequisites
• In the Application Domain Editor, https:// must be used in the URL to
the service gateway. See OpenText StreamServe Control Center User Guide.
• In the procedures, the PrivateStore and TrustStore mentioned in Issuing
PrivateStores on page 36 and Issuing TrustStores on page 37 are used.

To specify passwords on the Java application service


Add the following to your start parameters on the Java application service (for
example the NetWeaver or Tomcat service) where the SSSP application is deployed:
-Dws.https.keystore.password=<KeyStore_password>
-Dws.https.truststore.password=<TrustStore_password>
You can instead specify the passwords in ws.properties as shown below, but we
recommend that you specify them on the service to avoid plain text passwords in
the file system. If you specify passwords in both places, the passwords specified
as startup parameters override the file settings.
Note: Separate start parameters with a space character.

To configure the PrivateStore and the TrustStore


1 Open the following file:
<Portal root>\sssp\WEB-INF\spring\properties\ws.properties
For example, for Apache Tomcat:
<TOMCAT_HOME>\webapps\sssp\WEB-INF\spring\properties\ws.properties
2 Edit the following lines:
# Trusted Communication Channel (TCC) Settings
#
# Set the security protocol to use when communicating with the SGW.
# ws.https.ssl.protocol=<protocol used i.e. SSLv3|TLSv1|TLSv1.1|TLSv1.2>
ws.https.ssl.protocol=SSLv3
ws.https.x509.vendor=SunX509

# -- KeyStore --
ws.https.keystore.url=file:<KeyStore_file_path>
ws.https.keystore.type=PKCS12
# ws.https.keystore.password can and should be defined as a JVM parameter
ws.https.keystore.password=null

# -- TrustStore --
ws.https.truststore.url=file:<TrustStore_file_path>
ws.https.truststore.type=JKS
# ws.https.truststore.password can and should be defined as a JVM parameter
ws.https.truststore.password=null

3 Optional - To switch from SSL to TLS, edit the following line:
ws.https.ssl.protocol=SSLv3
4 Save and close the file.

To enable security
1 Open the following file:
<Portal root>\sssp\WEB-INF\spring\application-context.xml
For example, for Apache Tomcat:
<TOMCAT_HOME>\webapps\sssp\WEB-INF\spring\application-context.xml
2 Un-comment the following line:
<!-- <import resource="ws-security.xml"/> -->
3 Save and close the file.
4 Restart the SSSP application.

Troubleshooting
When setting up a TCC, you can find useful information in the service gateway
logs, displayed in Control Center. For information on how to enable debug mode,
see OpenText StreamServe Control Center User Guide.
You can also check the following log files for error information (Windows
example):
• <Java application server_HOME>\logs\streamstudio.log
• <Java application server_HOME>\logs\sssp.log
You can extend the log level and use debug mode for StreamStudio and the SSSP
application.

To enable debug mode


1 Open the following files:
<Portal root>\<Web application>\WEB-INF\log4j.properties
For example, for Apache Tomcat:
<TOMCAT_HOME>\webapps\sssp\WEB-INF\log4j.properties
<TOMCAT_HOME>\webapps\<StreamStudio>\WEB-INF\log4j.properties
2 Add the following line:
log4j.logger.com.streamserve.ws.tcc=DEBUG
3 Save and close the file.

Illegal key size


Error
If you get the following error in the streamstudio.log or sssp.log file,
unlimited jurisdiction strength policy files are required:
java.io.IOException: Private key decryption error:
(java.security.InvalidKeyException: Illegal key size)

Solution
You must download and install the files enabling unlimited jurisdiction strength
policy for the Java Cryptography Extension provider (Oracle JRE or IBM JRE).
