FusionInsight HD 6.5.0 Administrator Guide 02

Hardening Policy

Hardening Tomcat

Tomcat is hardened as follows based on open-source software during FusionInsight HD software installation and use:

  • The Tomcat version is upgraded to the official version apache-tomcat-8.5.34.
  • Permissions on directories under webapplications are set to 500 (read and execute for the owner only). Some directories under webapplications retain write permission.
  • The Tomcat installation package is automatically deleted after system software is installed.
  • The automatic deployment function is disabled for projects under webapplications. Only two projects, web and cas projects, are deployed.
  • Some unused HTTP methods are disabled, preventing attacks that use those HTTP methods.
  • The default shutdown port and command of the Tomcat server are changed to prevent hackers from shutting down the server and attacking servers and applications.
  • To ensure security, the value of maxHttpHeaderSize is changed, which enables server administrators to control abnormal requests of clients.
  • The Tomcat version description file is modified after Tomcat is installed.
  • To prevent disclosure of Tomcat information, the Server attributes of Connector are modified so that attackers cannot obtain information about the server.
  • Permissions on Tomcat files and directories, such as the configuration files, executable files, log directories, and temporary folders, are controlled.
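
The server.xml items in the list above (shutdown port and command, automatic deployment, the Connector Server attribute, maxHttpHeaderSize) can be checked with a short audit. This is an added example, not code from FusionInsight HD or Huawei; both server.xml samples and every value in them are constructed, and the HTTP-method and file-permission items are not covered.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml samples (not FusionInsight HD's real files or values).
STOCK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

HARDENED = """<Server port="28005" shutdown="constructed-random-token">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               server="WebServer" maxHttpHeaderSize="4096"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Return findings where server.xml still shows stock Tomcat settings."""
    root = ET.fromstring(xml_text)
    findings = []
    # Stock Tomcat listens for the shutdown command "SHUTDOWN" on port 8005.
    if root.get("port", "8005") == "8005":
        findings.append("shutdown port is the default 8005")
    if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append("shutdown command is the default SHUTDOWN")
    for host in root.iter("Host"):
        # autoDeploy defaults to true when the attribute is absent.
        if host.get("autoDeploy", "true").lower() != "false":
            findings.append(f"Host {host.get('name')}: autoDeploy enabled")
    for conn in root.iter("Connector"):
        label = f"Connector {conn.get('port')}"
        if conn.get("server") is None:
            findings.append(f"{label}: no server attribute set")
        if conn.get("maxHttpHeaderSize") is None:
            findings.append(f"{label}: maxHttpHeaderSize left at default")
    return findings


if __name__ == "__main__":
    for name, doc in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit_server_xml(doc))
```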

Hardening LDAP

LDAP is hardened as follows after a cluster is installed on FusionInsight HD:

  • In the LDAP configuration file, the password of the administrator account is encrypted using SHA. After OpenLDAP is upgraded to 2.4.39 or later, data is automatically synchronized between the active and standby LDAP nodes using the SASL External mechanism, which prevents disclosure of the password.
  • The LDAP service in the FusionInsight HD cluster supports the SSLv3 protocol by default, which can be used safely. When OpenLDAP is upgraded to 2.4.39 or later, LDAP automatically uses TLS 1.0 or later to prevent unknown security risks.

Hardening JDK

  • If the client process uses the AES256 encryption algorithm, JDK security hardening is required. The operations are as follows:

    Obtain the Java Cryptography Extension (JCE) package whose version matches that of the JDK. The JCE package contains local_policy.jar and US_export_policy.jar. Copy the JAR files to the following directory, replacing the existing files there.

    Linux: JDK installation directory/jre/lib/security

    Windows: JDK installation directory\jre\lib\security

    NOTE:

    Access the OpenJDK open-source community to obtain the JCE file.

  • If the client process uses the SM4 encryption algorithm, the JAR package needs to be updated.

    Obtain SMS4JA.jar from Client installation directory/JDK/jdk/jre/lib/ext/, and copy the JAR package to the following directory:

    Linux: JDK directory/jre/lib/ext/

    Windows: JDK directory\jre\lib\ext\

Updated: 2019-05-17

Document ID: EDOC1100074522