Help Center/ MapReduce Service/ User Guide (ME-Abu Dhabi Region)/ FusionInsight Manager Operation Guide (Applicable to 3.x)/ Security Management/ Security Hardening/ Hardening Policy
Updated on 2022-12-08 GMT+08:00
View PDF

Hardening Policy

Hardening Tomcat

Tomcat is hardened as follows based on open-source software during FusionInsight Manager software installation and use:

  • The Tomcat version is upgraded to the official version.
  • Rights on directories under webapplications are set to 500. Some directories under webapplications support the write permission.
  • The Tomcat installation package is automatically deleted after system software is installed.
  • The automatic deployment function is disabled for projects under webapplications. Only three projects, web, cas and client-registry projects, are deployed.
  • Some unused http methods are disabled, preventing attacks by using the http methods.
  • The default shutdown port and command of the Tomcat server are changed to prevent hackers from shutting down the server and attacking servers and applications.
  • To ensure security, the value of maxHttpHeaderSize is changed, which enables server administrators to control abnormal requests of clients.
  • The Tomcat version description file is modified after Tomcat is installed.
  • To prevent disclosure of Tomcat information, the Server attributes of Connector are modified so that attackers cannot obtain information about the server.
  • Rights on files and directories of Tomcat, such as the configuration files, executable files, log directories, and temporary folders, are under control.
  • Session facade recycling is disabled to prevent request leakage.
  • LegacyCookieProcessor is used as CookieProcessor to prevent the leakage of sensitive data in cookies.

Hardening LDAP

LDAP is hardened as follows after a cluster is installed:

  • In the LDAP configuration file, the password of the MRS cluster administrator account is encrypted using SHA. After the openldap is upgraded to 2.4.39 or later, data is automatically synchronized between the active and standby LDAP nodes using the SASL External mechanism, which prevents disclosure of the password.
  • The LDAP service in the cluster supports the SSLv3 protocol by default, which can be used safely. When the openldap is upgraded to 2.4.39 or later, the LDAP automatically users TLS1.0 or later to prevent unknown security risks.

Hardening JDK

  • If the client process uses the AES256 encryption algorithm, JDK security hardening is required. The operations are as follows:

    Obtain the Java Cryptography Extension (JCE) package whose version matches that of JDK. The JCE package contains local_policy.jar and US_export_policy.jar. Copy the JAR files to the following directory and replace the files in the directory.

    Linux: JDK installation directory/jre/lib/security

    Windows: JDK installation directory\jre\lib\security

    Access the Open JDK open-source community to obtain the JCE file.

  • If the client process uses the SM4 encryption algorithm, the JAR package needs to be updated.

    Obtain the SMS4JA.jar in Client installation directory/JDK/jdk/jre/lib/ext/, and copy the JAR package to the following directory:

    Linux: JDK directory/jre/lib/ext/

    Windows: JDK directory\jre\lib\ext\

Parent topic: Security Hardening