Akana Platform Hardening Guide Versions 8.4 and Later

This document applies to versions 8.4 and later only. For a summary of available versions, please refer to Akana Platform Hardening Documentation.

Table of Contents

  1. Introduction
  2. Deployment Architecture
    1. Install Network Director on a separate container
    2. Install Internet-facing and administration applications on separate containers
    3. Configure all listeners, internal and external as HTTPS only
    4. Configure the Akana Administration Console (/admin) on a separate port
    5. Disable the Akana Administration Console domain as a login domain
  3. Configuration Settings in the Admin Console for the Container
    1. Add the unlimited strength policy to the JDK
    2. Configure the product to ignore downstream cookies
    3. Configure secure cookies
    4. Disabling SSLv3
    5. Disabling SSL renegotiation
    6. Restrict the cipher suites used
    7. Enforcing TLS 1.2 Only
    8. Limiting outbound SSL/TLS/Cipher support
    9. Limiting the scripting language allowed
    10. Prevent Forward Proxying
    11. Header Propagation in Network Director
    12. Header Propagation in Community Manager Subsystem
    13. Tune the API Security Credential Cache
    14. Configure the Anti-Virus Policy to scan for uploaded files
    15. Enabling CSRF protection
    16. Adding XSS exclusions
    17. Configuring X-FRAME-OPTIONS Header
    18. Configuring Server Header
    19. Securing the metadata service
    20. Configuration setting to limit XSLT transformation
  4. Configuration Settings in the Developer Portal User Interface
    1. Turning off User Account Enumeration
    2. Enforcing Challenge Questions and Answers
    3. Configuring Constraints on Security Challenge Questions and Answers
    4. Disallowing User Profile Modification
    5. Configuring Account Login Rules
    6. Configuring Password Complexity Rules

Introduction

Akana is a recognized leader in API Management and SOA Governance Automation solutions. Our platform-independent solution set includes the API Gateway, which is further broken down into Policy Manager, the centralized administration console, and Network Director, an intermediary that integrates with Policy Manager to provide high-performance, scalable API security and management capabilities. The solution also includes Community Manager, which provides a branded developer portal for the consumption of API by the developer.

This document describes the best practices and configuration settings to harden Akana's API Gateway and Community Manager products. This document is a supplement to Akana's existing Product Architecture document showing recommendations for a typical large enterprise.

Deployment Architecture

There are several best practices that cover the deployment of the product in a hardened environment.

An external HSM keystore can be used in place of the out of the box Policy Manager keystore (database). The configuration of Policy Manager with HSM is described in a separate document.

Install Network Director on a Separate Container

API traffic processing should be handled separately from Web traffic and Admin traffic. To this end, the Network Director should not be installed on the same container as Community Manager or Policy Manager features, as shown in the Akana Administration Console:

Akana Administration Console

Install Internet-facing and Administration Applications on Separate Containers

There are two components to this:

  1. The Community Manager should not be installed on the same container as Policy Manager Console
  2. The Community Manager User Interface and APIs provide both consumer-facing and administrative functions. If needed by your security constraints, the administrative functions can be disabled in Community Manager. This will allow you to install different instances of Community Manager on different containers – and disable the administration functionality in the Internet-facing instance.

To disable the administrative functionality in the Community Manager:

In the Akana Administration Console, configure the following:

com.soa.atmosphere ->
atmosphere.config.denyUserRoles=SiteAdmin,BusinessAdmin,ApiAdmin,System Administrator,Security Administrator,Site Administrator

Configure all listeners, internal and external as HTTPS only

This is accomplished in two places in the product. Firstly, the container's own listener, the one the Akana Administration Console uses, is configured in the /instances/{container_name}/system.properties file, as in the sample below. Secondly, the listeners for the applications in the container are configured from within Policy Manager at Containers > {container_name} > Details > Inbound Listeners. Options for configuring port and PKI are available, as are settings for two-way SSL mutual authentication. It is best to choose either Accept client certificates or Require client certificates, based on customer security requirements.

Scope: All Containers

#Config for pm
#Thu Jul 10 23:47:51 PDT 2014
product.home=file\:/Users/example/soa/sm80/
org.eclipse.jetty.server.Request.maxFormContentSize=500000
felix.cm.dir=${felix.cache.rootdir}/cm
org.osgi.service.http.port.secure=9900
com.soa.provision.file.dir=${felix.cache.rootdir}/deploy
product.home.dir=/Users/janemead/soa/b962/sm80
com.soa.snapshot.directory=${felix.cache.rootdir}/snapshot
com.soa.provision.noInitialDelay=true
com.soa.http.host=127.0.0.1
com.soa.http.bind.all=false
com.soa.provision.bundles.start=true
com.soa.provision.poll=2000
org.eclipse.jetty.servlet.SessionCookie=JSESSIONID_pm
felix.shutdown.hook=false
container.name={container_name}

Note the *.secure suffix on settings such as org.osgi.service.http.port.secure above; it marks the settings that apply to the HTTPS listener.

Configure the Akana Administration Console (/admin) on a separate port

As shown above, this is configurable in the system.properties file for each container. The Akana Administration Console (/admin) and the other features installed in the container should ideally be configured on different ports. This will allow you to isolate the Akana Administration Console from the Internet.

Scope: All Containers

To do this, there are four steps.

To configure the Akana Administration Console on a separate port
  1. Update the /instances/{container_name}/system.properties file by setting the com.soa.http.host value to the hostname for your Akana Administration Console.

    Sample file:

    #Config for pm
    #Thu Jul 10 23:47:51 PDT 2016
    product.home=file\:/Users/example/soa/sm80/
    org.eclipse.jetty.server.Request.maxFormContentSize=500000
    felix.cm.dir=${felix.cache.rootdir}/cm
    org.osgi.service.http.port.secure=14443
    com.soa.provision.file.dir=${felix.cache.rootdir}/deploy
    product.home.dir=/Users/janemead/soa/b962/sm80
    com.soa.snapshot.directory=${felix.cache.rootdir}/snapshot
    com.soa.provision.noInitialDelay=true
    com.soa.http.host=10.1.1.2
    com.soa.http.bind.all.secure=false
    com.soa.provision.bundles.start=true
    com.soa.provision.poll=2000
    org.eclipse.jetty.servlet.SessionCookie=JSESSIONID_pm
    felix.shutdown.hook=false
    container.name={container_name}

    Modified value for hostname:

    com.soa.http.host={localhost}
  2. In the same file, set the org.osgi.service.http.port.secure value to a different port, not the one that the application is running on.

    Modified value for port:

    org.osgi.service.http.port.secure=23312
  3. Go into the Akana Administration Console. Click Configuration, then find the com.soa.admin.console category. Find the admin.console.localhost.only value and set it to true.
  4. Restart the container.

Disable the Akana Administration Console domain as a login domain

For additional security, you can disable the Admin Console domain as a login domain. This prevents users from logging in via the default domain.

Before disabling the Admin Console domain, make sure you've correctly set up and enabled a valid login domain that users can use, such as an LDAP domain.

For instructions for configuring a security identity provider via the Policy Manager console, refer to: Identity Systems: Configuration Options.

The Administrator for the Akana Administration Console can then assign the System Administrator role for the registry organization to users from the security identity provider, in the console. For instructions, see To Grant Admin Permission (Upgrade documentation).

To disable the Admin Console domain as a login domain:
  1. Log in to the Akana Administration Console.
  2. Click the Configuration tab.
  3. On the left, under Configuration Categories, scroll down to find the com.soa.admin.console category.
  4. Set the admin.console.domain.enabled property to false.
  5. Click Apply Changes.

Configuration Settings in the Admin Console for the Container

This section covers settings and tuning parameters relating to hardening that you can configure in the Admin Console for the container, or at the command line for the container.

Add the unlimited strength policy to the JDK

To support long passwords when importing PKI from Java Keystores, you will need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. This is dependent on the JRE version being used and is available from Oracle. To install, copy the US_export_policy.jar and local_policy.jar files to the /lib/security directory for the JRE.

Scope: All Containers

Configure the product to ignore downstream cookies

This prevents the product from automatically storing and forwarding any cookies retrieved from the downstream APIs and Services.

Scope: All Containers

In the Akana Administration Console, configure the following:

com.soa.http.client.core ->
http.client.params.cookiePolicy=ignoreCookies

Configure secure cookies

This sets the product to only use secure cookies.

Scope: All Containers

In the Akana Administration Console, configure the following:

com.soa.platform.jetty ->
session.manager.factory.secureCookies=true

Disabling SSLv3

This configures the product to disable SSLv3.

Scope: All Containers

In the Akana Administration Console, configure the following:

com.soa.platform.jetty ->
http.incoming.transport.config.enabledProtocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2

Disabling SSL renegotiation

There are no common reasons for supporting client-initiated SSL renegotiation, so wherever possible it's more secure to disable this setting so that it isn't supported.

Scope: All Containers

In the Akana Administration Console, configure the following:

com.soa.platform.jetty ->
http.incoming.transport.config.allowRenegotiate=false

Restrict the cipher suites used

Use only stronger cipher suites for SSL.

Scope: All Containers

In the Akana Administration Console, configure the following:

com.soa.platform.jetty ->
http.incoming.transport.config.cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

Note: Cipher suites that use AES_256 require installation of the JCE Unlimited Strength Jurisdiction Policy Files. See Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7. This must be added to the JRE.

Enforcing TLS 1.2 Only

Depending on the level of security required, you may want to restrict the protocol to TLS 1.2 only. Note: this will limit the accessibility of the platform for certain clients.

Scope: All Containers

Enable TLSv1.2 only:

com.soa.platform.jetty ->
http.incoming.transport.config.enabledProtocols=SSLv2Hello,TLSv1.2


Limiting outbound SSL/TLS/Cipher support

You may also want to limit the protocols and ciphers the product will use for outbound connections.

Scope: All Containers

Configure the available protocols for outbound connections:

com.soa.http.client.core ->
https.socket.factory.enabledProtocols=TLSv1.2

Configure the available cipher suites for outbound connections:

com.soa.http.client.core ->
https.socket.factory.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Note: Cipher suites that use AES_256 require installation of the JCE Unlimited Strength Jurisdiction Policy Files. See Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7. This must be added to the JRE.

Limiting the scripting language allowed

In the Akana Administration Console, the Administrator can limit the scripting languages supported by the API platform. For example, you could choose not to support Jython. Limiting the supported scripting languages reduces the attack surface available to anyone attempting to exploit the system through those languages.

For maximum security, limit this setting to js only.

The setting is in the Akana Administration Console: Configuration > com.soa.script.framework, as shown below.

Limit the scripting language allowed

By default, all scripting languages supported by the platform are shown, as comma-separated values. To update, remove one or more values and click Apply Changes.

Prevent Forward Proxying

Prevent unauthenticated users from initiating arbitrary internal connections from the Community Manager portal.

Scope: Community Manager Containers

You can prevent forward proxying:

  • Via the developer portal user interface: Administration > Site, as shown below. Changing this setting in the user interface affects all containers for the installation.

    Limit forward proxy setting

  • In the Akana Administration Console for each container. Configure the following setting:
    com.soa.atmosphere.forwardproxy ->
    forward.proxy.allowedHosts=<Network Director Host(s) and/or Load Balancer host>

Values are comma separated.

Header Propagation in Network Director

Prevent the automatic propagation of certain HTTP headers through the Network Director, and also configure a translation of the X-Forwarded-Host header.

Scope: Network Director Containers

In the Akana Administration Console, configure the following:

com.soa.http.client.core ->
block.headers.interceptor.blocked=content-type,content-length,content-range,content-md5,host,expect,keep-alive,connection,transfer-encoding,atmo-forward-to,atmo-forwarded-from

header.formatter.interceptor.templates=replace=X-Forwarded-Host:{host}

Header Propagation in Community Manager Subsystem

Prevent the automatic propagation of certain HTTP headers through the Community Manager subsystem, and also configure a NULL (none) translation of the X-Forwarded-Host header.

Scope: Community Manager Containers

In the Akana Administration Console, configure the following:

com.soa.http.client.core ->
block.headers.interceptor.blocked=content-type,content-length,content-range,content-md5,host,expect,keep-alive,connection,transfer-encoding

header.formatter.interceptor.templates=
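
To make the effect of the header settings in this section and the previous one (Header Propagation in Network Director) concrete, here is an added Python model of the block and replace interceptors; it is not Akana product code. It assumes {host} expands to the Host header the gateway itself received, that only the replace action needs modelling, and that the inbound headers shown are constructed.

```python
# Added example (not Akana product code): models the two header-interceptor
# settings so you can see exactly which headers reach the downstream service.
ND_BLOCKED = ("content-type,content-length,content-range,content-md5,host,expect,"
              "keep-alive,connection,transfer-encoding,atmo-forward-to,atmo-forwarded-from")
ND_TEMPLATES = "replace=X-Forwarded-Host:{host}"
CM_BLOCKED = ("content-type,content-length,content-range,content-md5,host,expect,"
              "keep-alive,connection,transfer-encoding")
CM_TEMPLATES = ""  # NULL translation: nothing is rewritten


def parse_templates(value):
    """Parse comma-separated 'replace=Header:template' entries into {lower-name: (name, template)}.

    Assumption: only the 'replace' action is modelled; an empty value means no rules.
    """
    rules = {}
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        action, spec = entry.split("=", 1)
        if action.strip() != "replace":
            raise ValueError("unsupported template action: " + action)
        name, template = spec.split(":", 1)
        rules[name.strip().lower()] = (name.strip(), template.strip())
    return rules


def outbound_headers(inbound, blocked_value, templates_value):
    """Return the headers forwarded downstream: blocked names dropped, templates applied.

    Assumption: {host} expands to the Host header the gateway itself received, so a
    client-supplied X-Forwarded-Host is never passed through unchanged.
    """
    blocked = {h.strip().lower() for h in blocked_value.split(",") if h.strip()}
    gateway_host = next((v for k, v in inbound.items() if k.lower() == "host"), "")
    out = {k: v for k, v in inbound.items() if k.lower() not in blocked}
    for lower, (name, template) in parse_templates(templates_value).items():
        out = {k: v for k, v in out.items() if k.lower() != lower}  # drop the client's copy
        out[name] = template.replace("{host}", gateway_host)
    return out


# Constructed inbound request headers (not captured traffic).
INBOUND = {
    "Host": "api.gateway.example",
    "Content-Length": "42",
    "Connection": "keep-alive",
    "Authorization": "Bearer <redacted>",
    "X-Forwarded-Host": "untrusted-client.example",
    "atmo-forward-to": "http://internal.example/",
}

if __name__ == "__main__":
    print("Network Director ->", outbound_headers(INBOUND, ND_BLOCKED, ND_TEMPLATES))
    print("Community Manager ->", outbound_headers(INBOUND, CM_BLOCKED, CM_TEMPLATES))
```

With the Network Director settings the client-supplied X-Forwarded-Host is overwritten with the host the gateway saw and the atmo-* routing headers never leave the container; with the Community Manager settings the header passes through untouched because the template list is empty.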

Tune the API Security Credential Cache

You can configure the expiration period and refresh time for the security cache for API calls.

Scope: Network Director Containers

In the Akana Administration Console, optionally configure the following:

com.soa.api.security ->
com.soa.api.security.cache.expirationPeriod=3600000
com.soa.api.security.cache.refreshTime=300000

Configure the Anti-Virus Policy to scan for uploaded files

The Anti-Virus Policy scans for files that are uploaded from the Community Manager Portal.

Scope: All Community Manager Containers

In the Policy Manager Console, create an Anti-Virus Operational Policy and configure the policy.

Create Anti Virus Policy

Attach this policy to the ConsoleResourceAPIService and the ContentAPIService in the Policy Manager > Community Manager node in the Policy Manager Console Organization tree.

Attach Anti Virus Policy

Enabling CSRF Protection

You can enable and disable CSRF protection in the Policy Manager and Community Manager User Interfaces.

Scope: All Community Manager and Policy Manager Containers

Due to the fact that Policy Manager is not Internet-facing, this setting is disabled by default. You can enable CSRF protection in the Policy Manager in the Akana Administration Console:

com.soa.console.csrf ->
org.owasp.csrfguard.Enabled=true

In Community Manager, CSRF configuration is under Administration > Settings > Security:

Enable CSRF Support

Adding XSS exclusions

Cross-site-scripting (XSS) is a way to inject client-side script into Web pages viewed by other users.

Scope: All Community Manager and Policy Manager Containers

To configure any exceptions to the exclusion policy:

com.soa.console.xss ->
exceptionURLs=[COMMA DELIMITED LIST]

To configure any new keywords that should be excluded:

com.soa.console.xss ->
keywords=[COMMA DELIMITED LIST]

To turn XSS validation on/off:

com.soa.console.xss ->
validate=[true|false]

Configuring X-FRAME-OPTIONS Header

The X-FRAME-OPTIONS header plays a role in determining if and how the user interface can be embedded within an iFrame in a third-party site.

Scope: All Community Manager and Policy Manager Containers

To configure Community Manager:

com.soa.atmosphere.console ->
atmosphere.console.config.xFrameOptions=[DESIRED HEADER]

To configure Policy Manager:

com.soa.console.xss ->
xFrameOptions=[DESIRED HEADER]

Configuring Server Header

You might want to prevent the Server header from being returned in responses.

Scope: All Community Manager and Policy Manager Containers.

In the Akana Administration Console for each container, configure the following:

com.soa.platform.jetty ->
jetty.server.sendServerVersion=false

Note: this property does not exist by default, so you will probably need to add it.
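
The settings above are individually small, so here is an added audit script (not part of the Akana product or this guide) that checks a container's exported Admin Console settings against the recommendations for the downstream cookie policy, secure cookies, SSLv3, SSL renegotiation, cipher suites, the Server header and the Admin Console localhost-only restriction. It assumes the settings are exported in the same "category ->" key=value notation this guide uses; the snapshot it reads is constructed, and the cipher check goes beyond the guide by also flagging suites without forward secrecy (TLS_RSA_*).

```python
import re

JETTY = "com.soa.platform.jetty"
CLIENT = "com.soa.http.client.core"
ADMIN = "com.soa.admin.console"

# Constructed sample snapshot of a container before hardening (not real data).
SNAPSHOT = """\
com.soa.platform.jetty ->
http.incoming.transport.config.enabledProtocols=SSLv2Hello,SSLv3,TLSv1,TLSv1.2
http.incoming.transport.config.allowRenegotiate=true
http.incoming.transport.config.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
session.manager.factory.secureCookies=false
com.soa.http.client.core ->
http.client.params.cookiePolicy=default
com.soa.admin.console ->
admin.console.localhost.only=false
"""

def parse_snapshot(text):
    """Parse the guide's 'category ->' blocks of key=value lines into {(category, key): value}."""
    settings, category = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("->"):
            category = line[:-2].strip()
        elif "=" in line and category is not None:
            key, value = line.split("=", 1)
            settings[(category, key.strip())] = value.strip()
    return settings

def csv(value):
    """Split a comma-separated value, tolerating stray spaces after commas."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def weak_suites(suites):
    """Flag 3DES/RC4/NULL/EXPORT suites, plus static-RSA key exchange (no forward secrecy)."""
    pattern = re.compile(r"3DES|RC4|NULL|EXPORT|^TLS_RSA_")
    return [s for s in suites if pattern.search(s)]

def audit(settings):
    """Compare a parsed snapshot with this guide's settings; returns a list of findings."""
    get = lambda cat, key: settings.get((cat, key))
    findings = []
    protos = csv(get(JETTY, "http.incoming.transport.config.enabledProtocols"))
    if "SSLv3" in protos:
        findings.append("SSLv3 still enabled on the inbound listener")
    legacy = [p for p in protos if p in ("TLSv1", "TLSv1.1")]
    if legacy:
        findings.append("legacy " + ",".join(legacy) + " enabled; consider TLSv1.2 only")
    weak = weak_suites(csv(get(JETTY, "http.incoming.transport.config.cipherSuites")))
    if weak:
        findings.append("weaker cipher suites enabled: " + ",".join(weak))
    if get(JETTY, "http.incoming.transport.config.allowRenegotiate") != "false":
        findings.append("client-initiated SSL renegotiation not disabled")
    if get(JETTY, "session.manager.factory.secureCookies") != "true":
        findings.append("session cookies not marked Secure")
    if get(CLIENT, "http.client.params.cookiePolicy") != "ignoreCookies":
        findings.append("downstream cookies are stored and forwarded")
    if get(JETTY, "jetty.server.sendServerVersion") != "false":
        findings.append("Server header still sent (property absent or not false)")
    if get(ADMIN, "admin.console.localhost.only") != "true":
        findings.append("Admin Console not restricted to localhost")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_snapshot(SNAPSHOT)):
        print("FINDING:", finding)
```

Run it against each container after applying the settings in this section; an empty result means every check in the script passed, and the sendServerVersion check in particular catches the case where the property was never added.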

Secure the metadata service

The Metadata API includes details about the container, such as public keys, internal IP addresses and file locations, which you probably don't want to share broadly. This information could potentially aid an attacker in fingerprinting and enumerating the Policy Manager application or discovering how some of the Java servlets are configured.

For additional security, we recommend that you secure this API for all containers. Follow the steps below.

To secure the metadata service (must be done separately for each container):
  1. Log in to the Akana Administration Console.
  2. Click the Configuration tab.
  3. On the left, under Configuration Categories, scroll down to find the com.soa.metadata.service category.
  4. Add a new property:
    • Property name: metadata.basic.auth.filter.enabled
    • Property value: true
  5. Click Apply Changes.

Configuration setting to limit XSLT transformation

API Platform Version: 8.4.13

A configuration setting prevents XSLT transformation by default. This helps protect against attacks that abuse it.

Scope: All Containers

The configuration setting to prevent XSLT transformation:

com.soa.framework.xsl.transform ->
java.extension.enabled=false

In the Akana Administration Console:

java.extension.enabled setting

By default, this is set to false, to disallow XSLT transformation.

Configuration Settings in the Developer Portal User Interface

Turning off User Account Enumeration

User Account Enumeration occurs when the Community Manager user interface provides direct feedback to a user during the signup and registration processes to the effect that a user account already exists or is already registered. If this is turned off, no useful feedback is provided to the user, minimizing the security risk, but decreasing usability.

Scope: All Community Manager Containers

In Community Manager, User Account Enumeration configuration can be found under Administration > Settings > Security:

Allow User Enumeration

Enforcing Challenge Questions and Answers

Challenge Questions/Answers are often required to increase security around password reset. When signing up to the platform, the user must provide the answer to one or more security questions, if the platform is set up to require them. The user's answers are stored in the database, and the user must answer one or more security questions on demand to perform certain functions such as resetting a password or changing the user profile.

In Community Manager, the Challenge Questions/Answers configuration can be found under Administration > Settings > Users:

User Settings

Set Enforce Challenge Questions on Login to Enabled.

Additional settings can be found under Administration > Settings > Security:

Encrypt Challenge Answers

Configuring Constraints on Security Challenge Questions and Answers

API Platform Version: 8.4.6 and later

For each security question set up in the developer portal, as well as specifying the actual question, the Site Admin can configure constraints such as minimum and maximum number of letters, numbers, and special characters allowed or required in the answers, whether answers are case-sensitive, and whether spaces are allowed.

The Site Admin can delete questions; however, if any users have already set up answers to questions that are then deleted, those questions and answers are still available for account verification purposes.

Security question settings can be found under Administration > Settings > Challenges:

Configuring constraints on security challenge answers

Note: In the developer portal, the security challenge feature doesn't allow users to give the same answer twice. This is a precaution against users being lazy and using a default value, which is less secure, rather than setting up authentic answers to the questions.

For more information about configurable settings in the developer portal, see Site Resource Settings (Site Admin help).

Disallowing User Profile Modification

User Profile Modification permits a user access to their own profile for modification. In some circumstances, you may wish to prevent this (e.g. when user accounts are pre-provisioned).

Scope: All Community Manager Containers

In Community Manager, User Profile Modification configuration can be found under Administration > Settings > Security:

User Profile Modification

Configuring Account Login Rules

The account login rules may include many options regarding failure attempts allowed, including account suspension times, and other settings.

Scope: Community Manager

Login policies can be set:

  • Via the developer portal user interface: Administration > Settings > Login, as shown below.

    Login Policy page

  • Via an API call into the system.

Configuring Password Complexity Rules

Password requirements (rules) may include many options such as length, characters allowed/required, and password change period.

Scope: Community Manager

Password rules can be set:

  • Via the developer portal user interface: Administration > Settings > Password, as shown below.

    Login Policy page

  • Via an API call into the system.
