Posts Tagged ‘Security’
Give me a place to stand on, and I will move the Earth.
This legend is ascribed to Archimedes, the genius of antiquity. Once he understood the basic principle behind the lever he felt its power and started seeing things in a different way. His paradigm changed.
In a similar way, SSH is a tool that can change the way you work, for good. Let me show you why you, as a system integrator, should be interested in its wonders. I can assure you that once you are familiar with the basic principles behind it you will be able to perform tasks you would never have imagined.
Case 1: Browsing through a remote computer
There are multiple situations where browsing through a remote computer is interesting:
- IP address restrictions: a customer has restricted access so that I can only access a remote machine from my network at work. I am at home and I really need to access this server.
- Content filtering: I am located in a network or a country that restricts my Internet connection. And I really need to access some pages which are key to do my job.
- Remote LAN access: I have access to a remote computer. But I would like to access the ERP or database of another computer in the same local network.
So this is the magic that makes this possible:
ssh -D 8888 johndoe@remote_computer
This makes the ssh client listen on port 8888 of your own machine as a SOCKS proxy: whatever you send there travels through the encrypted session and leaves from the remote computer, so that computer effectively becomes a proxy server only for you (by default the port binds to localhost, so only programs on your machine can use it). You just need to give this information to your web browser. Using Firefox as an example, go to Preferences → Advanced → Network → Settings, select Manual proxy configuration, enter localhost in the SOCKS Host field and 8888 as the port number, and pick SOCKS v5. Also make Firefox resolve names through the proxy (the network.proxy.socks_remote_dns preference in about:config), otherwise the names of the sites you visit still go to your local DNS server, which defeats the point in the content-filtering case. The simplest way to verify it's working is to visit whatismyip.org: the address shown should be the remote one.
Case 2: Securely connect to a remote database
This is a typical scenario. The remote machine has only SSH open and there is no direct access to the database. Let's suppose it's PostgreSQL running on port 5432 on the remote computer, but the port is only open to local connections, not to the outside world. Since you have SSH access you can ask ssh to forward that remote port 5432 to any port of your local machine, e.g. 5433:
ssh -L 5433:localhost:5432 johndoe@remote_computer
Now you can start psql, pgAdmin or your favorite client and use localhost as the host and 5433 as the port in the connection details. Note that the localhost in the middle of the -L argument is resolved by the remote computer, not by yours: it names the host that the remote sshd connects to on your behalf, which is exactly why a database listening only on 127.0.0.1 over there becomes reachable.
As for Oracle the concept is the same and just the port numbers change:
ssh -L 1522:localhost:1521 johndoe@remote_computer
Case 3: Expose my local ERP into a remote network
Let's suppose that I have Openbravo ERP beautifully running on my local machine, including some nice new changes we've been working on. I would like to show it to Mike and Sandra, but they are located in a remote network. I am in a hotel, and there is no way I can ask the hotel's IT staff to open a port so that my users can reach the ERP on my computer. SSH comes to the rescue again: basically you perform the opposite operation of Case 2, and forward your local web server port to a port of the remote machine:
ssh -R :9999:localhost:80 johndoe@remote_computer
So now I can ask Mike and Sandra to enter http://local_ip_of_remote_computer:9999 and bingo, they can access my ERP installation.
Important note: for this to work the server's SSH configuration (sshd_config) must have the GatewayPorts option set to yes (or to clientspecified, in which case the empty bind address before the colon in the -R argument is what asks for all interfaces). With the default of no, sshd binds port 9999 on the remote computer's loopback only and nobody else on that LAN can reach it. Keep in mind that while the tunnel is up, anyone who can reach port 9999 on remote_computer can reach your local web server, so close the session when the demo is over.
Case 4: Securely connect to a remote database available only in the LAN
Now let's suppose I have SSH access to remote_computer, but not to remote_computer-2, which is in the same LAN as the first one, and I want to access the database on remote_computer-2 with my graphical SQL client. There are several ways of solving this, using variants of Case 1 or Case 2. We'll do it by extending the first case. First, open the SSH connection and establish the local proxy server:
ssh -D 8888 johndoe@remote_computer
Now we want to tell our PostgreSQL client to use this proxy, but clients usually don't support that. So proxychains comes to the rescue: it is a tool that makes any dynamically linked program send its TCP connections through the proxy (it works by preloading a library that hooks the connect() call, so statically linked programs are not covered). Once it is installed, it requires a minimal configuration in $HOME/.proxychains/proxychains.conf, needed only the first time you use it:
# $HOME/.proxychains/proxychains.conf
# chain mode keyword: lowercase with an underscore, exactly as shown
dynamic_chain
# resolve host names through the proxy, so LAN-only names work and don't leak
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 10000
[ProxyList]
socks5 127.0.0.1 8888
From now on you can prepend the proxychains command to any program and its connections go out through the SOCKS proxy, that is, from remote_computer. In our case the host to connect to is remote_computer-2 as seen from that side of the tunnel (its LAN name, if you enabled proxy_dns in proxychains.conf so that it is resolved over there, or simply its LAN IP address) and the port is the database's own one, 5432 by default. So in a terminal we would run:
proxychains psql -d openbravo -U tad -h remote_computer-2 -p 5432
Connecting to localhost:5433 here would not work: through the proxy, localhost means remote_computer itself, and in this setup nothing is listening on its port 5433 (that port was our own local end of the Case 2 forward).
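Before trusting Case 1 or Case 4 with real traffic it is worth checking that the SOCKS proxy is really there and that it resolves names on the remote side. The following Python script is an added example, not code from the original post: it performs the SOCKS5 handshake (RFC 1928) against the proxy that `ssh -D 8888` opens on 127.0.0.1:8888, sending the destination as a domain name so the remote end resolves it, and reports whether the remote computer can reach a given host and port. The names remote_computer-2, the port numbers and the FakeSocks5Proxy class are assumptions; the fake proxy only exists so the script can be run offline, and it mimics what sshd does with CONNECT requests.

```python
"""Check an `ssh -D` SOCKS5 tunnel before pointing a browser or proxychains
at it.  Added example, not from the original post; assumes the tunnel was
started with `ssh -D 8888 johndoe@remote_computer` (127.0.0.1:8888, no auth)."""
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_REFUSED = 0x00, 0x05


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS fields are fixed-size."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5.0):
    """Open a TCP connection to dest_host:dest_port through a SOCKS5 proxy.
    The destination goes over as a domain name (ATYP 0x03), so the *remote*
    end of the tunnel resolves it: LAN-only names work and nothing leaks to
    the local resolver.  Returns the connected socket, raises OSError on failure."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        # Greeting: VER=5, NMETHODS=1, METHODS=[0x00 no-auth]  (RFC 1928 section 3)
        sock.sendall(bytes([SOCKS_VERSION, 1, 0x00]))
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != 0x00:
            raise OSError("proxy did not accept no-auth SOCKS5")
        # Request: VER CMD RSV ATYP DST.ADDR DST.PORT  (RFC 1928 section 4)
        name = dest_host.encode("ascii")
        req = struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
        req += bytes([len(name)]) + name + struct.pack("!H", dest_port)
        sock.sendall(req)
        ver, rep, _rsv, atyp = _recv_exact(sock, 4)
        # Drain BND.ADDR and BND.PORT so the stream is aligned for the caller.
        if atyp == ATYP_IPV4:
            _recv_exact(sock, 4)
        elif atyp == ATYP_DOMAIN:
            _recv_exact(sock, _recv_exact(sock, 1)[0])
        else:  # IPv6
            _recv_exact(sock, 16)
        _recv_exact(sock, 2)
        if rep != REP_SUCCESS:
            raise OSError("SOCKS5 CONNECT %s:%d refused, reply %d" % (dest_host, dest_port, rep))
        return sock
    except OSError:
        sock.close()
        raise


def tunnel_reaches(dest_host, dest_port, proxy_host="127.0.0.1", proxy_port=8888):
    """True if the proxy can open dest_host:dest_port, False otherwise."""
    try:
        socks5_connect(proxy_host, proxy_port, dest_host, dest_port).close()
        return True
    except OSError:
        return False


class FakeSocks5Proxy(threading.Thread):
    """Stand-in for `ssh -D` so the example runs offline (assumed, not real sshd):
    accepts CONNECT for (host, port) pairs in `reachable`, refuses the rest with
    reply 0x05, and records every request so the DNS behaviour can be checked."""

    def __init__(self, reachable):
        super().__init__(daemon=True)
        self.reachable = set(reachable)
        self.requests = []
        self.server = socket.socket()
        self.server.bind(("127.0.0.1", 0))
        self.server.listen(5)
        self.port = self.server.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.server.accept()
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)
            conn.sendall(bytes([SOCKS_VERSION, 0x00]))  # pick no-auth
            _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
            if atyp == ATYP_DOMAIN:
                host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("ascii")
            else:  # IPv4 literal
                host = socket.inet_ntoa(_recv_exact(conn, 4))
            (port,) = struct.unpack("!H", _recv_exact(conn, 2))
            self.requests.append((host, port))
            rep = REP_SUCCESS if (host, port) in self.reachable else REP_REFUSED
            # Reply: VER REP RSV ATYP=IPv4 BND.ADDR=0.0.0.0 BND.PORT=0
            conn.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\0" * 6)


if __name__ == "__main__":
    # Offline demo; against a real tunnel drop proxy_port and start `ssh -D 8888` first.
    fake = FakeSocks5Proxy(reachable={("remote_computer-2", 5432)})
    fake.start()
    print(tunnel_reaches("remote_computer-2", 5432, proxy_port=fake.port))  # True
    print(tunnel_reaches("remote_computer-2", 5433, proxy_port=fake.port))  # False
```

Against a live tunnel, call tunnel_reaches("remote_computer-2", 5432) with the defaults: a True means the remote computer resolved the name and connected, so proxychains with proxy_dns will work too; a False with a reply code of 5 means the port is closed or filtered from remote_computer's point of view, which is a different problem from the proxy being down (that shows up as a refused connection to 127.0.0.1:8888).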
As you can see, SSH opens a new world of possibilities for you. Invest some time playing with it; you won't regret it.
Some final words for Windows users: don't worry, this is not valid for UNIX-based systems only. If you run Windows on your computer you can use PuTTY (its Connection → SSH → Tunnels page offers the same local, remote and dynamic forwards) to achieve exactly the same results.
UPDATE (2010/04/26): adding the GatewayPorts requirement and the corrected ssh command based on Asier’s comments.
- Continuous Integration: there is a new job that tests upgrading from the last stable MP to the latest daily OBX file. This has been done using the command line. A graphical test is in progress.
- Live builds: the main page has been refactored and it now includes detailed build information as well as the runtime Tomcat log.
- Appliance security updates: previous versions of the appliance are vulnerable to a man-in-the-middle attack during TLS session renegotiation. This vulnerability has been addressed in this update. Check the full changelog at the newly created appliance release notes.
- Documentation: check the new document explaining our stack configuration in the appliances.
- Issue Tracker: we are working on upgrading to version 1.2.0, which includes new interesting features. Many things have changed in this version so this process will take longer than a regular update. A new testing server will be announced soon.
- Download area: the SourceForge download area has been updated to include only the latest 3 releases. The older ones have been moved to the 09-openbravo-old-releases directory.
For a complete list of the on-going stories we’ve been working on, check the Sprint 28 page of our Scrum spreadsheet.
Since Openbravo ERP is a web-based application, using SSL is a must for anyone who values their privacy. Think about the kind of data an ERP transfers: customer details, transactions with business partners, invoices, balance sheets, etc. Without SSL all of this information is exposed to anyone on the network path with a packet sniffer.
This article assumes that you already have a working Openbravo ERP installation, using the following software stack:
- Apache Tomcat 6.0.x with the Tomcat Native libraries, version 1.1.x.
- Apache httpd web server 2.2.x with mod_ssl.
- The mod_jk 1.2.2x connector for the Tomcat and httpd integration.
If you try to use Openbravo ERP over SSL with the default configuration you will run into two problems:
- All the reports generated by Jasper Reports fail, logging an error such as the following one:
09:23:59 [ajp-8009-3] WARN org.openbravo.erpCommon.utility.ErrorTextParserPOSTGRE - did not find constraint name for error message: Error loading byte data : https://localhost:4443/openbravo/web/images/CompanyLogo_big.png
- It's slow: noticeably slower than under plain HTTP, as if every request took an extra 100 ms to 1 s and as if nothing were being cached.
Needless to say these are showstopper issues: the first one prevents you from e.g. printing invoices and the second one makes the ERP very unpleasant to use. Let's fix them.
The first error happens because the Java process that renders the reports fetches some images (the company logo, in the log line above) from an SSL-protected URL of your own server, and the JVM does not trust the certificate that server presents, so the fetch fails. This is a feature, not a bug: the JVM is verifying that the site really is who it claims to be, exactly as a browser would. There are two ways to make that check pass. The first is to buy a certificate from a CA the JVM already trusts, which is appropriate for production servers. The second costs nothing and is suitable for testing servers: generate a self-signed certificate and add it explicitly to the JVM's truststore.
For production servers:
- Register a (sub)domain name for your ERP, e.g. openbravoerp.mydomain.com
- Buy an SSL certificate for openbravoerp.mydomain.com. You can find them for ~$70/year.
- Register openbravoerp.mydomain.com in the internal DNS server of your LAN, in case the server is hosted in-house. If you don’t have one, it’s time to set it up. There are tiny DNS servers that take no more than 5 minutes to install and set up.
For testing servers:
- If it's going to be exposed to the Internet, register a (sub)domain name for the ERP in a free DNS service such as DynDNS, e.g. erp-atlantis.dyndns.org
- Generate a self-signed certificate using OpenSSL and point mod_ssl at it.
- Import the certificate into the JDK's truststore. Open a terminal, download the InstallCert utility and run the following commands:
javac InstallCert.java
java InstallCert erp-atlantis.dyndns.org
cp jssecacerts $JAVA_HOME/jre/lib/security
InstallCert connects to the named host, retrieves whatever certificate it presents and writes a jssecacerts keystore that trusts it, so only run it against your own server over a path you control, and compare the fingerprint it prints with that of the certificate you just generated before copying the file. The JVM prefers jssecacerts over cacerts when both exist in that directory, which is why the copy is enough. Use the same host name that appears in the report URLs (erp-atlantis.dyndns.org here): the JVM checks the name as well as the trust chain, so a certificate issued for one name won't help a request to localhost.
- Restart Tomcat to apply the changes of the previous step.
- For using the ERP in your LAN, register erp-atlantis.dyndns.org in your internal DNS server.
There are two separate causes of the slowness. First, without persistent connections the browser opens a new TCP connection, and therefore performs a new SSL handshake, for every single request, adding 100 ms to 1 s each time. To fix this, make sure your Apache httpd configuration has the KeepAlive option turned on:
KeepAlive On
MaxKeepAliveRequests 200
We have also doubled the number of requests allowed per connection (the default is 100), because once connections persist each one is expected to serve many more requests.
The second issue is the cache. By default browsers do not keep resources received over SSL in the on-disk cache between sessions, for the sake of security, but there is a performance penalty, so this is a trade-off you need to decide on. Browsers treat an explicit Cache-Control: public header as permission to store an HTTPS response on disk, so to make them keep the ERP's static files between sessions the server has to add that header and drop any Pragma: no-cache header the application sends. This can be achieved with the mod_headers module:
Header unset Pragma
Header append Cache-Control "public"
Apply this only to static content (images, stylesheets, scripts): if it is set for every response, the ERP's dynamic pages, which carry the customer and financial data we wanted SSL to protect, are also declared public and may be stored by any shared proxy between the browser and the server.
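Putting the two fixes together, here is an httpd 2.2 virtual host fragment for the stack described above. It is an added example, not configuration from the original post or from Openbravo: the host name, port 4443 (taken from the log line above), the certificate paths and the ajp13 mod_jk worker name are assumptions, and the worker must exist in your workers.properties. The point it shows is scoping the cache headers to the static /openbravo/web/ tree while explicitly forbidding storage of everything else.

```apache
# Added example (not from the original post): httpd 2.2 with mod_ssl, mod_jk
# and mod_headers.  Paths, names and port are assumptions; adjust to your stack.
KeepAlive On
MaxKeepAliveRequests 200
KeepAliveTimeout 5

<VirtualHost *:4443>
    ServerName openbravoerp.mydomain.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/openbravoerp.crt
    SSLCertificateKeyFile /etc/ssl/private/openbravoerp.key

    # Hand the application to Tomcat over AJP (worker "ajp13" is assumed to be
    # defined in workers.properties, pointing at ajp-8009 on the Tomcat host).
    JkMount /openbravo/* ajp13

    # Static assets: the ones Jasper Reports and the browser fetch over and over.
    # Dropping Pragma and marking them public lets the browser keep them on disk
    # between HTTPS sessions.
    <LocationMatch "^/openbravo/web/.*\.(png|gif|jpe?g|css|js)$">
        Header unset Pragma
        Header append Cache-Control "public"
    </LocationMatch>

    # Everything else is ERP data: never let a shared proxy or a disk cache keep it.
    <LocationMatch "^/openbravo/(?!web/)">
        Header set Cache-Control "private, no-store"
    </LocationMatch>
</VirtualHost>
```

After reloading httpd, confirm the split with a browser's network inspector or by fetching one image and one ERP page and comparing their Cache-Control headers: the image should say public, the page private, no-store. If the second LocationMatch is left out, responses without an explicit Cache-Control fall back to the browser's default of not caching SSL content, so the first block alone is still safe; it just fails to state the intent.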
I want to thank katratxo for finding the solution to the cache issue.