Skip to main content
Version: 16.1

Security Checklist

The following chapter addresses security relevant settings and configuration options which are not or cannot in all cases be covered by the default configuration of ADONIS and are therefore listed in the checklist below.

General Recommendations

  1. The server hardware of ADONIS should be located in a safe environment (not physically accessible to everyone).

  2. It should be ensured that the operating systems of the server machines hosting ADONIS are up-to-date on installation day and are updated regularly in the future.

  3. It should be ensured that the version of Java with which the Apache Tomcat web server is run is the latest version of your Java main release (latest Java 17 version) and is updated regularly in the future.

Secure the Apache Tomcat Web Server

  1. Remove all web applications from <Tomcat installation>/webapps” (docs, examples, ROOT,...) which are not needed.

  2. Remove the files <Tomcat installation>/conf/Catalina/localhost/host-manager.xml” and <Tomcat installation>/conf/ Catalina/localhost/manager.xml” if they are available.

  3. Disable the Tomcat shutdown port. In <Tomcat Installation>/conf/server.xml” in the first tag <Server> change the port to -1, e.g. <Server port=”-1” shutdown=”SHUTDOWN>.

  4. Add a server identifier to the connector. In <Tomcat installation>/conf/server.xml” search for the <Connector> tag which defines the port on which ADONIS is accessible and add a property server=”Tomcat”, e.g. <Connector port=”8000” server=”Tomcat”/>.

For further information on securing the Apache Tomcat web server refer to the Open Web Application Security Project (OWASP) available on https://www.owasp.org/index.php/Securing_tomcat.

Access Requirements for the Technical Operation

The user rights of the users running the Apache Tomcat web server and ADONIS application server services should be restricted to as few rights as possible. The following rights represent the minimum required to run the services.

ADONIS Application Server Permissions

The user running the ADONIS application server service needs:

  • Write permissions in the temporary directory (%TEMP%).

  • Write permissions in the directory in which the log files are configured to be written (see "Configure ADONIS Application Server").

  • Read and execute permissions in the ADONIS Application Server installation directory.

Apache Tomcat Web Server Permissions

The user running the Apache Tomcat web server service needs:

  • Write permissions in the temporary directory (%TEMP%).

  • Write and modify/delete permissions in the ADONIS web application directory (<Tomcat installation>/webapps/ADONIS16_1“) and all its subdirectories.

  • Write permissions in the directory in which the log files are configured to be written. By default, the logging output is written to the folder "<Tomcat installation>/logs".

  • Read permissions in the Apache Tomcat installation directory.

Do not run Apache Tomcat with local administrator rights and do not run Apache Tomcat with domain user rights if they are not needed. If you are running Apache Tomcat with a domain user the access rights should be restricted to the minimum.

Secure Configuration of the ADONIS Web Application

Secure passwords

The passwords listed below should be changed to strong passwords:

  • The default passwords of Apache Tomcat in the file "<Tomcat installation>/conf/tomcat-users.xml" (see "Configure Apache Tomcat Web Server").

  • The passwords for all test accounts, admin users, etc.

The following are general recommendations for creating strong passwords.

Strong passwords should:

  • Have at least 8 characters.

  • Contain upper as well as lower case alphabetic characters (e.g. A-Z, a-z).

  • Contain at least one numeric character (e.g. 0-9).

  • Contain at least one special character (e.g. @#§\$%&\^!()_+~-=).

Strong passwords should not:

  • Spell a word or series of words that can easily be found in a dictionary or are directly related to the company.

  • Spell a word with a number added to the beginning or the end.

  • Be based on any personal information that can be guessed easily (e.g. family name, pet, birthday, etc.).