Security Checklist
The following chapter addresses security-relevant settings and configuration options which are not, or cannot in all cases be, covered by the default configuration of the ADONIS NP web client. They are therefore listed in the checklist below.
General Recommendations
The server hardware running the ADONIS NP web client should be located in a physically secured environment to which only authorised personnel have access.
It should be ensured that the operating system hosting the ADONIS NP web client is fully patched on installation day and is updated regularly thereafter.
It should be ensured that the Java version with which the Apache Tomcat web server is run is the latest update of the Java major release you use (Java 8 or Java 11) and is updated regularly thereafter.
Secure the Apache Tomcat Web Server
Remove all web applications from "<Tomcat installation>/webapps" (docs, examples, ROOT, ...) which are not needed. Only the ADONIS NP web application should remain.
Remove the files "<Tomcat installation>/conf/Catalina/localhost/host-manager.xml" and "<Tomcat installation>/conf/Catalina/localhost/manager.xml" if they are present.
Disable the Tomcat shutdown port. In "<Tomcat installation>/conf/server.xml", change the port attribute of the first tag, <Server>, to -1, e.g. <Server port="-1" shutdown="SHUTDOWN">. While the shutdown port is enabled, any process that can connect to it on the local machine can stop Tomcat by sending the shutdown string.
Add a server identifier to the connector. In "<Tomcat installation>/conf/server.xml", search for the <Connector> tag which defines the port on which the ADONIS NP web client is accessible and add the attribute server="Tomcat", e.g. <Connector port="8000" server="Tomcat"/>. The value is returned in the HTTP Server response header; keep it generic so that responses do not reveal the exact Tomcat version.
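The following script is an added example, not part of the ADONIS NP documentation or of Apache Tomcat: it audits a Tomcat installation directory for the four hardening steps above (unneeded web applications, manager context files, shutdown port, connector server attribute). It assumes the standard Tomcat layout (webapps/, conf/server.xml, conf/Catalina/localhost/) and the usual set of default web applications; the sample server.xml files and directory trees it builds are constructed for the example and are not real installations.

```python
"""Audit a Tomcat installation for the hardening items in the checklist.
Added example; assumes the standard Tomcat directory layout."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Web applications shipped with Tomcat by default; none of them is needed
# for ADONIS NP and all should be removed from webapps/.
DEFAULT_WEBAPPS = ("docs", "examples", "ROOT", "manager", "host-manager")
MANAGER_CONTEXTS = ("manager.xml", "host-manager.xml")


def audit_server_xml(path):
    """Return a list of findings for conf/server.xml (empty list = clean)."""
    findings = []
    root = ET.parse(path).getroot()
    if root.tag != "Server":
        return ["root element is not <Server>"]
    # The shutdown port is disabled only when port="-1". Tomcat's default
    # is 8005; a missing attribute therefore counts as enabled.
    port = root.get("port", "8005")
    if port != "-1":
        findings.append("shutdown port enabled (port=%s, shutdown=%r)"
                        % (port, root.get("shutdown")))
    # Every Connector should carry a generic server attribute.
    for conn in root.iter("Connector"):
        if not conn.get("server"):
            findings.append("Connector on port %s has no server attribute"
                            % conn.get("port"))
    return findings


def audit_tomcat(home):
    """Return all findings for the Tomcat installation directory `home`."""
    findings = []
    for app in DEFAULT_WEBAPPS:
        if os.path.exists(os.path.join(home, "webapps", app)):
            findings.append("unneeded web application present: webapps/%s" % app)
    for ctx in MANAGER_CONTEXTS:
        if os.path.isfile(os.path.join(home, "conf", "Catalina", "localhost", ctx)):
            findings.append("manager context present: conf/Catalina/localhost/%s" % ctx)
    findings.extend(audit_server_xml(os.path.join(home, "conf", "server.xml")))
    return findings


# Constructed sample configurations for the example (not real installations).
UNHARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8000" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""
HARDENED_SERVER_XML = (UNHARDENED_SERVER_XML
                       .replace('port="8005"', 'port="-1"')
                       .replace('port="8000"', 'port="8000" server="Tomcat"'))


def build_sample_installation(hardened):
    """Create a throw-away Tomcat-like directory tree and return its path."""
    home = tempfile.mkdtemp(prefix="tomcat-audit-")
    os.makedirs(os.path.join(home, "conf", "Catalina", "localhost"))
    os.makedirs(os.path.join(home, "webapps", "ADONISNP11_0"))
    with open(os.path.join(home, "conf", "server.xml"), "w") as f:
        f.write(HARDENED_SERVER_XML if hardened else UNHARDENED_SERVER_XML)
    if not hardened:
        for app in ("docs", "examples", "ROOT"):
            os.makedirs(os.path.join(home, "webapps", app))
        for ctx in MANAGER_CONTEXTS:
            open(os.path.join(home, "conf", "Catalina", "localhost", ctx), "w").close()
    return home


if __name__ == "__main__":
    for hardened in (False, True):
        home = build_sample_installation(hardened)
        print("hardened=%s (%s):" % (hardened, home))
        for finding in audit_tomcat(home) or ["no findings"]:
            print("  " + finding)
```

Run it against a real installation with `audit_tomcat(r"C:\Program Files\Apache Tomcat")` (path is an assumption); an empty result means all four items of the checklist are in place. The script parses server.xml as XML, so Connector elements inside comments are correctly ignored.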
For further information on securing the Apache Tomcat web server refer to the Open Web Application Security Project (OWASP) available on https://www.owasp.org/index.php/Securing_tomcat.
Access Requirements for the Technical Operation
The user rights of the users running the Apache Tomcat web server and ADONIS NP application server services should be restricted to as few rights as possible. The following rights represent the minimum required to run the services.
ADONIS NP Application Server Permissions
The user running the ADONIS NP application server service needs:
Write permissions in the temporary directory (%TEMP%).
Write permissions in the directory in which the log files are configured to be written (see "Configure ADONIS NP Application Server").
Read and execute permissions in the ADONIS NP Application Server installation directory.
Apache Tomcat Web Server Permissions
The user running the Apache Tomcat web server service needs:
Write permissions in the temporary directory (%TEMP%).
Write permissions in the ADONIS NP web application directory ("<Tomcat installation>/webapps/ADONISNP11_0") and all its subdirectories.
Write permissions in the directory in which the log files are configured to be written. By default, the logging output is written to the folder "<Tomcat installation>/logs".
Read permissions in the Apache Tomcat installation directory.
Do not run Apache Tomcat with local administrator rights, and do not run it with a domain user account unless domain rights are actually needed. If Apache Tomcat must run as a domain user, restrict that account's access rights to the minimum listed above.
ADONIS NP Rich Client Permissions
A user running an ADONIS NP rich client needs:
Write permissions in the temporary directory (%TEMP%).
Read and execute permissions in the ADONIS NP installation directory.
Secure Configuration of the ADONIS NP Web Client
It is recommended to enable SSL/TLS communication for the ADONIS NP web client, so that credentials and model data are not transmitted in clear text (see "(Optional) Set up Apache Tomcat Web Server for use with SSL/TLS").
Secure passwords
The passwords listed below should be changed to strong passwords:
The default passwords of Apache Tomcat in the file "<Tomcat installation>/conf/tomcat-users.xml" (see "Configure Apache Tomcat Web Server").
The passwords for all test accounts, admin users, etc.
The following are general recommendations for creating strong passwords.
Strong passwords should:
Have at least 8 characters (treat this as an absolute minimum; longer passwords are considerably harder to guess).
Contain upper as well as lower case alphabetic characters (e.g. A-Z, a-z).
Contain at least one numeric character (e.g. 0-9).
Contain at least one special character (e.g. @#§$%&^!()_+~-=).
Strong passwords should not:
Spell a word or series of words that can easily be found in a dictionary or are directly related to the company.
Spell a word with a number added to the beginning or the end.
Be based on any personal information that can be guessed easily (e.g. family name, pet, birthday, etc.).
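The following function is an added example, not part of the ADONIS NP documentation: it applies the rules above to a candidate password and reports every rule it violates, including the "dictionary word with a number added" case. The word list is constructed for the example and stands in for a full dictionary plus company-related terms; personal terms (family name, pet, etc.) are passed in by the caller.

```python
"""Check a candidate password against the strength rules in the checklist.
Added example; the word list is constructed, not a real dictionary."""
import string

# Constructed stand-in for a dictionary and company-related terms.
DICTIONARY = {"password", "welcome", "summer", "adonis", "tomcat", "admin"}
MIN_LENGTH = 8


def check_password(password, dictionary=DICTIONARY, personal=()):
    """Return the list of rules the password violates; empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("fewer than %d characters" % MIN_LENGTH)
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("must contain both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        violations.append("must contain a numeric character")
    if not any(not c.isalnum() for c in password):
        violations.append("must contain a special character")

    lowered = password.lower()
    words = {w.lower() for w in dictionary} | {w.lower() for w in personal}
    # "Welcome1!" style: a known word with digits or symbols added at either
    # end still counts as that word.
    core = lowered.strip(string.digits + string.punctuation + "§")
    if core in words:
        violations.append("a known word with numbers or symbols added at the start or end")
    elif any(w in lowered for w in words if len(w) >= 4):
        violations.append("contains a dictionary, company or personal word")
    return violations


def is_strong(password, **kwargs):
    """True when the password violates none of the rules."""
    return not check_password(password, **kwargs)


if __name__ == "__main__":
    # Constructed candidates; "Fluffy" is treated as the user's pet name.
    for candidate in ("Welcome1!", "abc", "Tr0ub4dor&3", "Fluffy2020!"):
        result = check_password(candidate, personal=["Fluffy"])
        print("%-14s %s" % (candidate, ", ".join(result) or "OK"))
```

Use it when provisioning the Tomcat accounts in tomcat-users.xml and the ADONIS NP test and admin users: a candidate that satisfies the four composition rules but is a dictionary word with a digit and a symbol appended ("Welcome1!") is still rejected, which is exactly the case the rules above are meant to exclude.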