This guide gives an overview of what can be done to tighten an installation of Intershop Order Management (IOM) with regard to security and data protection.
Each HA node of an IOM installation consists of two Wildfly application servers running two different types of applications, the IOM frontend server and the IOM backend server, see Guide - Intershop Order Management - Technical Overview. The default Wildfly configuration used by IOM is as follows:
All services are bound to the network interface defined in property JBOSS_BIND_ADDRESS in file $OMS_ETC/installation.properties, see Guide - Setup Intershop Order Management 2.2. The property applies to all services. For the installation to work, the frontend server must be reachable from the load balancer, and the backend server must be reachable from all frontend servers belonging to the same IOM installation. Nothing else needs to reach the Wildfly ports, so bind to an internal interface rather than to all interfaces (0.0.0.0), which would also expose the management ports.
The property JBOSS_PORT_OFFSET in file $OMS_ETC/installation.properties changes the default port configuration, see Guide - Setup Intershop Order Management 2.2. The value of JBOSS_PORT_OFFSET is added to all ports. Since frontend and backend server run on the same machine, JBOSS_PORT_OFFSET has to be used to avoid port collisions if both servers use the same network interface.
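The following script is an added example, not part of IOM or its documentation. It reads the two properties named above from one installation.properties file per server type and reports port collisions between frontend and backend server as well as management ports bound to all interfaces. It assumes the Wildfly standalone default port numbers listed in BASE_PORTS (the guide does not list them); the two sample property files are constructed.

```python
"""Audit JBOSS_BIND_ADDRESS / JBOSS_PORT_OFFSET of an IOM node.

Added example, not part of IOM. Assumes the Wildfly standalone default
base ports below and one installation.properties file per server type.
The property names come from the guide; the sample files are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Wildfly standalone defaults (assumption: IOM keeps the base port numbers).
BASE_PORTS = {
    "http": 8080,
    "https": 8443,
    "ajp": 8009,
    "management-http": 9990,
    "management-https": 9993,
}
# Only operators need these; reaching them from everywhere is a finding.
MANAGEMENT_SERVICES = {"management-http", "management-https"}

# Constructed sample: both servers share one interface, so the backend
# needs a different offset.
SAMPLE_FRONTEND = "JBOSS_BIND_ADDRESS=10.0.0.5\nJBOSS_PORT_OFFSET=0\n"
SAMPLE_BACKEND = "JBOSS_BIND_ADDRESS=10.0.0.5\nJBOSS_PORT_OFFSET=100\n"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: KEY=VALUE or KEY: VALUE, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_ports(props: Dict[str, str]) -> Dict[str, int]:
    """Base port plus JBOSS_PORT_OFFSET for every service."""
    offset = int(props.get("JBOSS_PORT_OFFSET", "0"))
    return {name: base + offset for name, base in BASE_PORTS.items()}


def audit(servers: Dict[str, Dict[str, str]]) -> List[str]:
    """servers maps a label ('frontend', 'backend') to its parsed properties.
    Returns human-readable findings; an empty list means nothing was found."""
    findings: List[str] = []
    seen: Dict[int, List[Tuple[str, str]]] = {}  # port -> [(bind address, owner)]
    for label, props in servers.items():
        bind = props.get("JBOSS_BIND_ADDRESS")
        if bind is None:
            findings.append(f"{label}: JBOSS_BIND_ADDRESS is not set")
            continue
        try:
            addr = ipaddress.ip_address(bind)
        except ValueError:
            findings.append(f"{label}: JBOSS_BIND_ADDRESS {bind!r} is not an IP address")
            continue
        for service, port in effective_ports(props).items():
            owner = f"{label}/{service}"
            for other_bind, other_owner in seen.get(port, []):
                # 0.0.0.0 (or ::) collides with every address on that port.
                if (other_bind == bind or addr.is_unspecified
                        or ipaddress.ip_address(other_bind).is_unspecified):
                    findings.append(f"port collision: {owner} and {other_owner} "
                                    f"both use port {port} on {bind}")
            seen.setdefault(port, []).append((bind, owner))
            if service in MANAGEMENT_SERVICES and addr.is_unspecified:
                findings.append(f"{label}: {service} on port {port} is bound to all interfaces")
    return findings


if __name__ == "__main__":
    result = audit({"frontend": parse_properties(SAMPLE_FRONTEND),
                    "backend": parse_properties(SAMPLE_BACKEND)})
    print("\n".join(result) or "no findings")
```

Run it against the real files of a node by replacing the two sample strings with their contents; an offset of 100 moves the backend HTTP port to 8180 and all other backend ports accordingly, so no collision is reported for the sample.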
An HTTP service is needed on both server types, frontend and backend. On the frontend server, the HTTP service handles requests to the OMT and to the REST/SOAP interfaces. On the backend server, the HTTP service carries the JMS communication.
The Wildfly application server provides an admin console, a command line interface for Wildfly administration that can be used interactively or from automated scripts. Each Wildfly instance hosts its own admin console, which administers that Wildfly instance only. Access to the admin console is restricted by Wildfly's own user and role management, which is controlled with Wildfly's add-user utility, see add-user utility.
Wildfly's admin console is used extensively by IOM's operational processes (e.g., deployment, applying properties, reconfiguration of JMS settings). To execute these processes, username and password of a management user are required. The processes read this information from the properties JBOSS_ADMIN_USER and JBOSS_ADMIN_PASSWD in file $OMS_ETC/installation.properties. For more details refer to Guide - Setup Intershop Order Management 2.2. Whoever can read this file can administer both Wildfly instances, so restrict its file permissions to the operating system user running IOM.
The Wildfly application server used by IOM also provides a Web Management Interface for executing administration tasks interactively, see Management Clients. Each Wildfly instance hosts its own Web Management Interface, which administers that Wildfly instance only. Access to the Web Management Interface is restricted by the same Wildfly user and role management, controlled with Wildfly's add-user utility, see add-user utility. The same user and password as for the admin console can be used to access the Web Management Interface.
The Web Management Interface is not used by IOM's default processes, so it can be restricted to administrator networks (or disabled) without affecting operation.
The OMT is a web application that is part of IOM and runs on the frontend application servers only. Access to the OMT is restricted by the user and role management defined inside IOM. Termination of the HTTPS protocol on the Wildfly application server is not supported.
Note
Intershop strongly recommends encrypting external communication via HTTPS. To do so, HTTPS has to be terminated at the load balancer (see below).
The REST and SOAP interfaces are provided by an application that is part of IOM and runs on the frontend application servers only. Access to the REST/SOAP interfaces is restricted by the user and role management defined inside IOM. The REST/SOAP interfaces support HTTP Basic authentication only, see Basic access authentication; Basic authentication sends username and password base64-encoded, not encrypted, with every request, which is one more reason why TLS in front of these interfaces is mandatory. Termination of the HTTPS protocol on the Wildfly application server is not supported.
Note
Intershop strongly recommends encrypting external communication via HTTPS. To do so, HTTPS has to be terminated at the load balancer (see below).
Note
The following section applies to IOM version 2.9 only.
Some REST interfaces can also be accessed via bearer token authentication. For that mechanism, a JSON Web Token (JWT) is used as the bearer security token. The token is created and validated with a shared secret that is configured in the cluster properties, see Guide - Setup Intershop Order Management 2.9.
Note
Intershop strongly recommends changing the default shared secret used for JSON Web Token creation and validation in the cluster properties, see Guide - Setup Intershop Order Management 2.9. A default secret must be assumed to be public knowledge; anyone who holds it can mint tokens that IOM accepts.
To secure the JWT, RFC 7518 section 3.2 (https://tools.ietf.org/html/rfc7518#section-3.2) requires that a key of the same size as the hash output or larger is used with the JWS HMAC SHA-2 algorithms, i.e., at least 256 bits (32 bytes) for HS256. Generate the secret from a cryptographic random source; a human-chosen passphrase, even a long one, has far less entropy than its length suggests.
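The following is an added example, not IOM code: the guide does not show IOM's token layout, claim set or the property name of the shared secret, so the claims and the secret below are constructed. It mints and verifies an HS256 JWT with the standard library only, enforces the 256-bit minimum on every use of the secret, pins the algorithm on the verifier side, compares signatures in constant time and rejects tokens without an expiry.

```python
"""Mint and verify an HS256 JSON Web Token with the standard library only,
enforcing the RFC 7518 minimum key size on every use of the secret.

Added example, not IOM code; claims and secret are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Dict, Optional

MIN_HS256_KEY_BYTES = 32  # 256 bits, RFC 7518 section 3.2


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_secret(secret: bytes) -> None:
    """Reject secrets shorter than the HMAC-SHA-256 output."""
    if len(secret) < MIN_HS256_KEY_BYTES:
        raise ValueError(f"HS256 secret needs >= {MIN_HS256_KEY_BYTES} bytes, got {len(secret)}")


def generate_secret() -> str:
    """Fresh 256-bit secret from the OS CSPRNG, base64url-encoded for a properties file."""
    return _b64url(secrets.token_bytes(MIN_HS256_KEY_BYTES))


def mint(secret: bytes, claims: Dict[str, Any]) -> str:
    check_secret(secret)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify(secret: bytes, token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    check_secret(secret)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side; never trust the token's alg
    # (blocks alg=none and algorithm-confusion tricks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp claim")
    return claims


if __name__ == "__main__":
    # Constructed demonstration: a secret of the required size and a short-lived token.
    demo_secret = _b64url_decode(generate_secret())
    token = mint(demo_secret, {"sub": "rest-client", "exp": int(time.time()) + 300})
    print(token)
    print(verify(demo_secret, token))
```

generate_secret() returns 43 base64url characters. Whether IOM uses the property string itself as the key (43 bytes) or decodes it first (32 bytes) is not stated in the guide; either way the 256-bit minimum is met, which is not the case for a short word typed into the property.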
An FTP server runs on each HA node; it is required to exchange data between IOM's frontend and backend server, see Guide - Intershop Order Management - Technical Overview. This FTP server is not intended to be accessed from outside, hence it is bound to the IP address 127.0.0.1 only. The IOM application servers use two users to access this FTP server. The names of these users are set in the properties is.oms.media.user and is.oms.pdf.user in $OMS_ETC/cluster.properties. The corresponding passwords are set in the properties is.oms.media.pass and is.oms.pdf.pass within the same file, see Guide - Setup Intershop Order Management 2.2.
The FTP server writes log data to /var/log/pureftpd.log. This file is not rotated automatically; configure rotation (e.g., with logrotate) so that the log neither fills the disk nor keeps personal data beyond its retention period.
The load balancer installed in front of the IOM HA nodes is based on the Apache HTTPd server, see Guide - Intershop Order Management - Technical Overview. The Apache load balancer uses several mod_proxy* modules to realize load balancing and fail-over functionality.
The Apache load balancer provides two special URLs, to be accessed by administrators only: /server-status and /balancer-manager. Access to these URLs is restricted and requires the username admin and a matching password. All other URLs are forwarded to the IOM frontend servers.
The Apache load balancer writes its log files to the logs directory (relative to the server root). These log files are rotated hourly. Automatic cleanup of old logs is not provided, so it has to be added; the access logs contain client IP addresses, which fall under the retention rules discussed below.
Regular product updates, hotfixes and patches are released for Intershop products; these also fix potential security issues.
The support department informs about important security updates via the security bulletin newsletter. Updates and patches are announced on the support web page (https://support.intershop.com/).
Ansible4IOM
Use the process Update OMS node provided by Ansible4IOM to update an IOM installation, see Reference - Ansible4IOM Processes 1.1.
It is strongly recommended to change the default password set for the IOM database account. After changing the password (please consult your database admin for this task), you have to change the property is.oms.db.pass in $OMS_ETC/cluster.properties and apply the changes, see Guide - Setup Intershop Order Management 2.2.
Ansible4IOM
Set the database password in the variables OMSDB_PASSWD and is_oms_db_pass (see Reference - Ansible4IOM Variables 1.1) before running the Ansible4IOM processes Setup or reconfigure database account and Setup OMS node, so that your own password is used from the initial setup on. You can use the same variables with the processes Setup or reconfigure database account and Reconfigure OMS node to change the database password afterwards, see Reference - Ansible4IOM Processes 1.1.
It is strongly recommended to change the default password set for the Wildfly administration user. After changing the password (see add-user utility), you have to change the property JBOSS_ADMIN_PASSWD in file $OMS_ETC/installation.properties, see Guide - Setup Intershop Order Management 2.2. Do this for both the frontend and the backend Wildfly instance of every HA node.
Ansible4IOM
Set the password of the Wildfly administration user in the variable JBOSS_ADMIN_PASSWD[ server-type ], see Reference - Ansible4IOM Variables 1.1, before running the Ansible4IOM process Setup OMS node, so that your own password is used from the initial setup on. You can use the same variable with the process Reconfigure OMS node to change the password afterwards, see Reference - Ansible4IOM Processes 1.1.
To administer IOM, a default admin user for the OMT exists with a default password. You have to change the password of this user (admin) using the Change Password function in the User Profile area.
The passwords of the FTP users should be changed, see Virtual Users. After changing the passwords, the properties is.oms.media.pass and is.oms.pdf.pass have to be updated and the changes have to be applied, see Guide - Setup Intershop Order Management 2.2.
Ansible4IOM
Set the passwords of the FTP users in the variables is_oms_media_pass and is_oms_pdf_pass (see Reference - Ansible4IOM Variables 1.1) before running the Ansible4IOM process Setup OMS node, so that your own passwords are used from the initial setup on. You can use the same variables with the process Reconfigure OMS node to change the passwords afterwards, see Reference - Ansible4IOM Processes 1.1.
The password of the user admin, the only user with access to the URLs /server-status and /balancer-manager at the load balancer, has to be changed. Use Apache's htpasswd tool to update the password of the admin user stored in file conf/htpasswd (relative to the server root); htpasswd -B stores it as a bcrypt hash instead of the weaker MD5-based default.
Ansible4IOM
Set the password of the admin user in the variable APACHE_MGMNT_PASSWD (see Reference - Ansible4IOM Variables 1.1) before running the Ansible4IOM process Setup Load Balancer, so that your own password is used from the initial setup on (see Reference - Ansible4IOM Processes 1.1). You can use the same variable with the process Reconfigure Load Balancer to change the password afterwards.
All incoming and outgoing communication should be encrypted. As mentioned above, the Wildfly configuration used for IOM is not prepared to encrypt (internal) communication. Instead, the load balancer has to be used to terminate the HTTPS protocol. This way, all external communication to the OMT and the REST/SOAP interfaces can be encrypted. The hops behind the load balancer (load balancer to frontend servers, frontend to backend servers) remain plain HTTP and must therefore be confined to a trusted network.
Follow the SSL/TLS Strong Encryption How-To provided for the Apache httpd server to enable the HTTPS protocol.
Ansible4IOM
You have to implement the hook post_apache_configuration_hook to prepare the Apache configuration for HTTPS access, see Reference - Ansible4IOM Hooks 1.1. The principles are explained in an example in the description of the Ansible4IOM process Setup Load Balancer, see Reference - Ansible4IOM Processes 1.1.
The OMT and the REST/SOAP interfaces should not be publicly available. Restrict access to the OMT and the REST/SOAP interfaces on network level. To do so, add the necessary Require rules to the <Location> sections defined in conf/oms/balancer.conf, see Apache Module mod_authz_host.
Ansible4IOM
Define the network access rules according to Apache's mod_authz_host (see Apache Module mod_authz_host) in the variables APACHE_REQUIRE_IOM and APACHE_REQUIRE_MGMNT (see Reference - Ansible4IOM Variables 1.1) before running the Ansible4IOM process Setup Load Balancer, so that your own network access rules are used from the initial setup on. You can use the same variables with the process Reconfigure Load Balancer to change the settings afterwards, see Reference - Ansible4IOM Processes 1.1.
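The following script is an added example, not part of IOM or Ansible4IOM. It renders the Require rules described above (the manual balancer.conf variant and the two Ansible4IOM variables take the same directives) from allow-lists of networks and refuses catch-all or malformed entries. The directive syntax is that of Apache httpd 2.4 (mod_authz_core and mod_authz_host); the paths /server-status and /balancer-manager come from the guide, and serving all other IOM traffic below / follows from the guide's statement that every other URL is forwarded to the frontend servers. The networks are constructed, and the AuthType/AuthUserFile directives that make Require valid-user work for the two management URLs are assumed to exist already in balancer.conf, as the guide describes.

```python
"""Render mod_authz_host access rules for the IOM load balancer.

Added example, not IOM or Ansible4IOM code. Networks are constructed; the
Basic-auth directives for the management URLs are assumed to be present."""
import ipaddress
from typing import Iterable, List

MGMT_PATHS = ("/server-status", "/balancer-manager")


def validate_networks(networks: Iterable[str]) -> List[str]:
    """Normalise CIDRs; reject host bits set, garbage and catch-all prefixes."""
    nets: List[str] = []
    for item in networks:
        net = ipaddress.ip_network(item, strict=True)  # ValueError on 10.0.0.1/8 etc.
        if net.prefixlen == 0:
            raise ValueError(f"{item} admits every address; that is 'Require all granted' in disguise")
        nets.append(str(net))
    if not nets:
        raise ValueError("empty allow-list would lock everybody out")
    return nets


def require_lines(networks: Iterable[str], with_password: bool, indent: str = "    ") -> List[str]:
    ip_rule = f"Require ip {' '.join(validate_networks(networks))}"
    if not with_password:
        return [indent + ip_rule]
    # RequireAll: the client must come from an allowed network AND present
    # valid credentials; two bare Require lines would let either one suffice.
    return [indent + "<RequireAll>",
            indent * 2 + ip_rule,
            indent * 2 + "Require valid-user",
            indent + "</RequireAll>"]


def render_balancer_acl(iom_networks: Iterable[str], mgmt_networks: Iterable[str]) -> str:
    """<Location> blocks: network-only for OMT/REST/SOAP under /, network plus
    password for the two management URLs. A later, more specific Location
    replaces the authorization of / (Apache's default AuthMerging Off)."""
    lines = ["<Location />"] + require_lines(iom_networks, with_password=False) + ["</Location>"]
    for path in MGMT_PATHS:
        lines += ["", f"<Location {path}>"]
        lines += require_lines(mgmt_networks, with_password=True) + ["</Location>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed networks: office ranges for users, jump-host net for operators.
    print(render_balancer_acl(["10.0.0.0/8", "192.168.10.0/24"], ["10.0.100.0/24"]))
```

Paste the rendered blocks into conf/oms/balancer.conf, or pass the Require lines through APACHE_REQUIRE_IOM and APACHE_REQUIRE_MGMNT when using Ansible4IOM, then reload httpd and confirm from a host outside the allow-list that the OMT answers 403.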
Certain files in the IOM installation contain sensitive information such as database passwords. Sensitive information in files cannot be completely avoided. For IOM, sensitive data is stored in:
The directory $OMS_VAR/pdfhost contains PDF documents with sensitive content, e.g., invoices with address data. Files in this directory are accessible by the PDF FTP user and by the operating system user running the IOM application server. In IOM installations consisting of more than one HA node, this directory is shared between the nodes, see Guide - Intershop Order Management - Technical Overview. The sharing technology depends on the runtime environment, e.g., if IOM is running on Azure, the Azure file service is used to share the files between the nodes. It is important to keep these files secure at all levels described above: at FTP server level, at operating system level and at sharing service level.
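The following is an added example, not IOM code, covering the operating system level of the directory described above: it walks a pdfhost tree and reports entries that are accessible to "other", symlinks (which could point outside the share) and entries not owned by one of the expected accounts. Which accounts own the files on a given installation is not stated in the guide, so the expected owner set is a parameter; the demo tree is constructed in a temporary directory.

```python
"""Permission audit for $OMS_VAR/pdfhost. Added example, not IOM code."""
import os
import stat
import tempfile
from typing import Iterable, List, Optional


def audit_pdfhost(root: str, expected_uids: Optional[Iterable[int]] = None) -> List[str]:
    """Return findings for root and everything below it; an empty list is clean."""
    findings: List[str] = []
    allowed = set(expected_uids) if expected_uids is not None else None
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in entries:
        st = os.lstat(path)  # lstat: judge the link itself, not its target
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IRWXO:
            findings.append(f"{path}: mode {mode:04o} grants access to others")
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: symlink inside the share (may point outside pdfhost)")
        if allowed is not None and st.st_uid not in allowed:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected one of {sorted(allowed)}")
    return findings


def demo() -> List[str]:
    """Constructed tree: one correctly protected invoice and one world-readable one."""
    root = tempfile.mkdtemp(prefix="pdfhost-")
    os.chmod(root, 0o770)  # IOM user and FTP user share the group, nobody else
    good = os.path.join(root, "invoice-1.pdf")
    bad = os.path.join(root, "invoice-2.pdf")
    for path in (good, bad):
        with open(path, "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
    os.chmod(good, 0o640)
    os.chmod(bad, 0o644)  # the finding: readable by every local account
    return audit_pdfhost(root, expected_uids=[os.getuid()])


if __name__ == "__main__":
    print("\n".join(demo()) or "no findings")
```

On a real node run audit_pdfhost("$OMS_VAR/pdfhost", expected_uids=[uid of the IOM user, uid of the PDF FTP user]) from cron and alert on a non-empty result; the check covers only the operating system level, the FTP server's own user configuration and the sharing service's access control have to be reviewed separately.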
Define a clear strategy for log files, backups and archives. These processes need to be documented and, most importantly, executed by the book. From a GDPR point of view, deletion of those files after the retention period is the most important point besides the security measures that keep them protected.
All properties stored in file $OMS_ETC/cluster.properties can be read by everyone with access to the admin console or the Web Management Interface. Wildfly management credentials therefore also grant access to the database and FTP passwords stored there.
Except for the OMT user passwords, which are stored as one-way hashes, database access allows reading all stored information, including sensitive business data. You should hence take great care to limit client access permissions to the strict minimum and to protect the database files. These are DBA tasks described in the official PostgreSQL documentation.
These major points are to be considered:
Intershop updates components and libraries with every major and some minor releases to close potential security holes in those components and libraries.
The Intershop Support department informs about important security updates via the security bulletin newsletter that is regularly sent to the named contacts on the Intershop support contract.
It is recommended to run IOM behind a firewall and/or reverse proxy. The only port open to clients should be port 443 of the load balancer. Port 80 is no longer necessary; if it is kept at all, it should only redirect to HTTPS.
Note