Browser Security
User Guide
No part of this document may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of TEMENOS Holdings NV.
Table of Contents
Overview
Setup
  Security Configuration
    Default Security Configuration
    Version & Enquiries Filter
    T24 XML Filter
    Form field filter
    Obfuscation
    User Name Stripping
  Configuring Single-Sign-On (SSO) for T24 Browser
    Single Sign-On Filter
    HTTP Request
  Configuring HTTP BASIC Authentication for T24 Browser
    Secure the BrowserWeb application
    Specify the JAAS Realm for BrowserWeb
    Deploy the JAAS Login Module
    Create & Deploy the JAAS Configuration File
    Login to T24
    BASIC Authentication as a Single Sign-On Mechanism
    Single Sign-On with Siteminder
  Configuring the ARC-IB Authentication Environment for 4TRESS
    Java Security Configuration (both Web Server and T24 Server)
    Creating a JCE Keystore
    Tomcat Server Java Environment
    Websphere Server Java Environment
    T24 Server Environment
    4TRESS Authentication Server Configuration
    4TRESS Configuration for Challenge-Response
  Configuring the ARC-IB Authentication Environment for RSA
    Java Security Configuration (both Web Server and T24 Server)
    Creating a JCE Keystore
    Tomcat Server Java Environment
    Websphere Server Java Environment
    T24 Server Environment
    RSA sdconf.rec File
    RSA Properties File
Overview
The T24 Browser product is primarily a user interface to the T24 banking product, used by the bank's
own staff via their internal intranet. However, T24 Browser can also be used over the internet; in particular,
the ARC Internet Banking (ARC-IB) product is aimed at the bank's customers.
With this in mind, this user guide details how to configure T24 Browser to take advantage of the additional
security features required for internet use.
Setup
Security Configuration
A number of security features have been implemented in the T24 Browser application.
These include:
• Integration with a third party authentication server
• Single Sign-On (SSO)
• HTTP BASIC Authentication
• Version / enquiries filter
• T24 XML filter
• Form field filter
• Obfuscation (internal and external)
• Strip user name
This section will discuss the security features implemented within the Browser application.
Details of the Integration with a third party authentication server follow in the next section.
Version & Enquiries Filter
Configuration for the filter is in the file versionsEnquiriesFilterConfig.xml, in the WEB-INF/conf directory.
This contains a top level <arcIbServletFilter>, which has zero or more <filterItem> child tags.
Each <filterItem> tag contains details of the version or enquiry that is to be allowed to pass into T24.
Any requests made to the BrowserServlet which do not satisfy one of the <filterItem> conditions will be
rejected (with an HTTP 403 error).
Within the <filterItem> tag, the following tags are used to specify details of the allowed requests:
• <requestType>
• <routineName>
• <application>
• <version>
• <enqname>
Each of these has a <match> tag, with an operator attribute of “equal” or “startsWith”, and the content of
the tag determines which requests to allow.
For example, the following filter will let through any requests with a request type of CREATE.SESSION:
<filterItem>
    <requestType>
        <match operator="equal">CREATE.SESSION</match>
    </requestType>
</filterItem>
The following filter will let through any enquiries whose name begins with ARC.IB:
<filterItem>
    <requestType>
        <match operator="equal">OFS.ENQUIRY</match>
    </requestType>
    <enqname>
        <match operator="startsWith">ARC.IB</match>
    </enqname>
</filterItem>
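The allow-list semantics described above, as an added Python model that is not code from the T24 Browser product: the XML is a constructed sample using the tag names the guide lists, and the request dictionaries are constructed too. It lets the effect of an "equal" versus "startsWith" match be checked before a configuration goes live.

```python
# Added example (not from the T24 Browser guide): model of the
# versionsEnquiriesFilterConfig.xml allow-list and the 403 decision it drives.
import xml.etree.ElementTree as ET

# Constructed sample configuration, same tag names as the guide.
SAMPLE_CONFIG = """<arcIbServletFilter>
  <filterItem>
    <requestType><match operator="equal">CREATE.SESSION</match></requestType>
  </filterItem>
  <filterItem>
    <requestType><match operator="equal">OFS.ENQUIRY</match></requestType>
    <enqname><match operator="startsWith">ARC.IB</match></enqname>
  </filterItem>
</arcIbServletFilter>
"""

# The request attributes a <filterItem> may constrain.
FIELDS = ("requestType", "routineName", "application", "version", "enqname")


def load_filter(xml_text):
    """Return a list of filter items; each item is {field: (operator, value)}."""
    root = ET.fromstring(xml_text)
    if root.tag != "arcIbServletFilter":
        raise ValueError("expected <arcIbServletFilter> root")
    items = []
    for item in root.findall("filterItem"):
        conditions = {}
        for field in FIELDS:
            node = item.find(field + "/match")
            if node is None:
                continue
            op = node.get("operator")
            if op not in ("equal", "startsWith"):
                raise ValueError("unsupported operator %r" % op)
            # Strip whitespace so a stray space inside <match> cannot
            # silently widen or narrow the rule.
            conditions[field] = (op, (node.text or "").strip())
        if not conditions:
            # An unconditioned <filterItem> would allow every request; refuse it.
            raise ValueError("<filterItem> without any conditions")
        items.append(conditions)
    return items


def matches(conditions, request):
    """A request satisfies a filterItem only if every listed condition holds."""
    for field, (op, value) in conditions.items():
        actual = request.get(field, "")
        if op == "equal" and actual != value:
            return False
        if op == "startsWith" and not actual.startswith(value):
            return False
    return True


def check_request(items, request):
    """200 if some filterItem allows the request, otherwise 403 as the guide states."""
    return 200 if any(matches(c, request) for c in items) else 403


if __name__ == "__main__":
    rules = load_filter(SAMPLE_CONFIG)
    for req in ({"requestType": "CREATE.SESSION"},
                {"requestType": "OFS.ENQUIRY", "enqname": "ARC.IB.ACCOUNTS"},
                {"requestType": "OFS.ENQUIRY", "enqname": "ACCT.LIST"}):
        print(req, "->", check_request(rules, req))
```

Two details are deliberate: whitespace inside <match> is stripped so that a trailing space cannot change which enquiries are allowed, and a <filterItem> with no conditions is refused because it would match every request.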
T24 XML Filter
This is to help with security – specifically in the instance where a cross site scripting attack is attempted.
Note that although the ARC-IB configuration protects against such attacks by preventing them from
making it to T24 in the first place (via the Form Field Filter, see below), it may be the case that such
data is already in T24, or is entered by a Browser deployment in a different configuration.
In the internal configuration, this property is empty which means that no checks take place.
Form field filter
If such a tag is detected in the user's input, it will be rejected and the request blocked.
This filter is used for the HelpServlet and BrowserServlet.
For the BrowserServlet filter, the default for the ARC-IB configuration is:
• < */? *((?i)script|img|form|object|applet|embed|frameset|iframe) *>
Thus, it will block the tags commonly used for the cross site scripting attacks outlined above.
For the HelpServlet, it simply stops a user from trying to break out of the help directory by using '..':
• \.\.
The regular expression used is specified in the web.xml (see the valid_input_regex parameter).
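As an added illustration that is not code from the product, the two patterns quoted above applied in Python to constructed request parameters, in the way a servlet filter would before the request reaches the BrowserServlet or HelpServlet. The only change to the BrowserServlet pattern is that the inline (?i) flag is moved to the start of the expression: Java accepts it inside the group, Python requires it at the front, and the meaning is the same.

```python
# Added example (not from the T24 Browser guide): the valid_input_regex
# deny-list patterns applied to request parameters, yielding 200 or 403.
import re

# Guide's BrowserServlet pattern, with (?i) moved to the start for Python.
BROWSER_SERVLET_REGEX = r"(?i)< */? *(script|img|form|object|applet|embed|frameset|iframe) *>"
# Guide's HelpServlet pattern: reject any attempt to use '..' in the help path.
HELP_SERVLET_REGEX = r"\.\."

# Constructed mapping of servlet path to its reject pattern (web.xml holds the real one).
FILTERS = {
    "/servlet/BrowserServlet": re.compile(BROWSER_SERVLET_REGEX),
    "/servlet/HelpServlet": re.compile(HELP_SERVLET_REGEX),
}


def filter_request(path, params):
    """Return (status, offending_field): 200 when every parameter value is clean,
    403 with the first parameter name whose value matches the servlet's pattern."""
    pattern = FILTERS.get(path)
    if pattern is None:
        return 200, None            # path without a filter: passed through unchanged
    for name, value in params.items():
        if pattern.search(value):   # search, not match: the tag may appear anywhere
            return 403, name
    return 200, None


if __name__ == "__main__":
    # Constructed sample parameters.
    samples = [
        ("/servlet/BrowserServlet", {"name": "Alice"}),
        ("/servlet/BrowserServlet", {"memo": "hi <SCRIPT>"}),
        ("/servlet/BrowserServlet", {"memo": "price < 10 > 5"}),
        ("/servlet/HelpServlet", {"file": "../outside.html"}),
    ]
    for path, params in samples:
        print(path, params, "->", filter_request(path, params))
```

Because the BrowserServlet pattern is a deny-list of named tags, any tag not on the list passes; the filter is therefore one layer alongside the Version & Enquiries filter and T24's own validation, not the only control.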
Obfuscation
The internal obfuscation functionality ‘mixes up’ the names of versions and enquiries on the client. This
is for security – to ensure that an end user cannot determine details of the exact versions and enquiries
that are being run.
The external obfuscation functionality 'mixes up' the JavaScript code that makes it to the client. This is
again for security – a first line of defence to stop hackers from being able to understand how our
application works (by decoding the client side JavaScript functionality).
Single Sign-On Filter
<filter>
    <filter-name>SingleSignOnFilter</filter-name>
    <description>
        This filter handles Single Sign On requests
    </description>
    <filter-class>
        com.temenos.t24browser.security.SingleSignOnFilter
    </filter-class>
</filter>
...
<filter-mapping>
    <filter-name>SingleSignOnFilter</filter-name>
    <url-pattern>/servlet/BrowserServlet</url-pattern>
</filter-mapping>
HTTP Request
To ensure that the single sign-on filter is invoked, all HTTP requests should contain a 'Principal', i.e. an
object that implements the public interface java.security.Principal.
The Single Sign-On filter extracts the principal object from the HTTP request using the getUserPrincipal()
method. This principal object is routed to the TC-Client, where it invokes an impersonate service to
look up the corresponding T24 username & password.
For further information on SSO configuration including LDAP, Certificates & Identities, refer to the
'Security Service – Installation & Configuration Guide – Release 1.5'.
If the sign-on attempt fails, the Browser servlet will return an HTTP 403 (forbidden) error; if it succeeds, the
user will be presented with the appropriate T24 home page.
NOTE: Ensure that this path does NOT have spaces within it; otherwise Tomcat may report the
following exception:
java.io.IOException: "C:\JASS Config\t24BasicAuth.config" (No such file or directory)
Note the space between ‘JAAS’ and ‘Config’.
Login to T24
Once the above has been configured correctly, and the web server fully reset, it is possible to test this
functionality by attempting to log in to T24.
As soon as the user navigates to the T24 Browser URL, e.g.
http://localhost:8080/BrowserWeb/servlet/BrowserServlet
a dialog will appear prompting for a user name & password. The T24 user name and password should
be supplied and 'OK' pressed.
If the credentials supplied are valid, the user will be presented with the appropriate T24 home page.
If the credentials are not valid and result in a 'SECURITY VIOLATION', the servlet will respond with
an HTTP 401 (unauthorised) error.
NOTE: Because web browsers such as IE & Firefox cache the user credentials and automatically
resubmit them when required, it is necessary to close the browser window before an alternative set of
credentials can be supplied. This is standard behaviour of web browsers and BASIC authentication.
BASIC Authentication as a Single Sign-On Mechanism
Users can be authorised & logged on to T24 in one step. If the credentials are not valid and result in a
'SECURITY VIOLATION', the servlet will respond with an HTTP 401 (unauthorised) error.
To allow the user to log into the T24 Browser, the following changes need to be made in the
OFS.SOURCE record for Browser.
If the field ATTRIBUTES is set to "PREAUTHENTICATED" and the field SOURCE.TYPE is set to
SESSION, the T24 Browser user will be treated as a pre-authenticated user: only sign-on name
authentication will be performed.
Configuring the ARC-IB Authentication Environment for 4TRESS
Java Security Configuration (both Web Server and T24 Server)
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
You must change it to:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
If using the IBM provider instead of the BouncyCastleProvider, you must add the following line in its place:
security.provider.2=com.ibm.crypto.provider.IBMJCE
If using an HSM, you must add the appropriate provider class for the HSM you are using. Please
see the documentation from your HSM vendor for details.
Also in the java.security file, you must change the line:
#
# Default keystore type.
#
keystore.type=jks
to
#
# Default keystore type.
#
keystore.type=JCEKS
On AIX or any other platform using an IBM Java implementation without an HSM for key storage:
• Download the unrestricted security policy files from the IBM website appropriate for the
version of Java installed (1.5 or above).
• Extract the policy jar files and copy them to the <JRE_DIR>/lib/security directory.
• Modify the <JRE_DIR>/lib/security/java.security file as follows:
In the java.security file, you must change the line:
#
# Default keystore type.
#
keystore.type=jks
to
#
# Default keystore type.
#
keystore.type=JCEKS
Creating a JCE Keystore
If you wish to create your own JCE keystore file, several commercial key manager tools are available to
do so (e.g. IBM's Encryption Key Manager). Alternatively, a free tool such as JSTK (JavaSpaces
Technology Kit) can be used.
For JSTK, the appropriate commands are:
• Extract all files from jstk-1_0_1.zip.
• Open a command window and go to the expanded directory, \jstk-1.0.1.
• Run:
  o bin\crypttool.bat genk -action store -keystore test.jceks -storepass foo -alias testKey -keypass bar -keysize 256 -algorithm AES -kstype JCEKS
  o Copy the test.jceks file to the appropriate location, as specified in the
    temenos.arc.security.crypto.keystore property of the ARC-IB configuration files.
See the appropriate vendor documentation on how to download and use IBM Encryption Key Manager.
Also the following jars must be taken from the 4TRESS deployment:
jbossall-client.jar (if 4TRESS is deployed on JBoss)
or
ws_runtime.jar (if 4TRESS is deployed on Websphere, not necessary if ARC-IB is on Websphere)
SS_4TRESS_PUBLIC_Client.jar (The 4TRESS client jar, available from the 4TRESS installation)
Examples of the arc_jaas.config for token based authentication and password based authentication can
be found in Appendices A and B respectively.
Also the following jars must be taken from the 4TRESS deployment:
SS_4TRESS_PUBLIC_Client.jar (The 4TRESS client jar, available from the 4TRESS installation)
Examples of the arc_jaas.config for token based authentication and password based authentication can
be found in Appendices A and B respectively. The contents of the appropriate example JAAS config file
must be added to the beginning of the Websphere wsjaas.conf file.
4TRESS on Websphere
export JBCJVMOPT1=-DARC_CONFIG_PATH=<CONFIG_DIR>/server.config
export JBCJVMOPT2=-DARC_CONFIG_APP_NAME=ARC
export JBCJVMOPT3=-Djava.naming.factory.initial=com.ibm.websphere.naming.WsnInitialContextFactory
export JBCJVMOPT4=-Djava.naming.provider.url=iiop://<4TRESS_SERVER_IP>:2809
export JBCJVMOPT5=-Djava.naming.factory.url.pkgs=com.ibm.websphere.naming
Also the following jars must be taken from the 4TRESS deployment:
jbossall-client.jar (if 4TRESS is deployed on JBoss)
or
ws_runtime.jar (if 4TRESS is deployed on Websphere)
SS_4TRESS_PUBLIC_Client.jar (The 4TRESS client jar, available from the 4TRESS installation)
A server configuration file must also be set up which contains the cryptography and 4TRESS system user
information. The system user properties to set are:
Configuration Property                         Value
temenos.arc.security.ftress.upauth.user        <ENCRYPTED_4TRESS_SYSTEM_USERID>
temenos.arc.security.ftress.upauth.password    <ENCRYPTED_4TRESS_SYSTEM_PASSWORD>
Authentication Types
All settings when creating the authentication types should be left at their defaults except the following:
One Time Password Authentication Types
Authentication Name   Authentication Type   Authenticator Adapter   Manager Adapter   Token/Password/Both
AT_AIOTP              One Time Password     FTRESS_TOK              FTRESS_DAM        Token
Fields such as "Valid days on creation", "Valid days on update", "Disable Threshold" and "Session
Inactivity Timeout" should be configured according to the bank's policies.
Attribute Types
User Groups
The following fields should be added to the user groups so that they are visible when editing users. If
customers do not wish 4TRESS administrators to see the encrypted user ids and passwords then this
step can be ignored.
User Group   Attribute           Description
UG_EXTN      Customer Password   The customer password attribute
             T24 Password        The T24 password attribute
             T24 User Id         The T24 User Id attribute
Function Sets
Function Set   Function                               Token/Password/Both
               ...status                              Password
               Update login authenticator status      Password
               Update user external reference id      Password
FS_T24FS       Create login authenticator             Both
               Create user                            Both
               Delete device authenticator            Both
               Delete user                            Both
               Read user details                      Both
               Search users                           Both
               Update user attributes                 Both
FS_BIND        Create device authenticator            Token
               Create login authenticator             Token
               Delete login authenticator             Token
               Search devices                         Token
               Change password user not present       Token
               Read reference data                    Token
               Read audit log                         Token
               Read user details                      Token
               Search users                           Token
               Update device authenticator status     Token
               Update login authenticator status      Token
               Update user attributes                 Token
               Update user external reference id      Token
Configuring the ARC-IB Authentication Environment for RSA
Java Security Configuration (both Web Server and T24 Server)
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
If using the IBM provider instead of the BouncyCastleProvider, you must add the following line in its place:
security.provider.2=com.ibm.crypto.provider.IBMJCE
If using an HSM, you must add the appropriate provider class for the HSM you are using. Please
see the documentation from your HSM vendor for details.
Also in the java.security file, you must change the line:
#
# Default keystore type.
#
keystore.type=jks
to
#
# Default keystore type.
#
keystore.type=JCEKS
On AIX or any other platform using an IBM Java implementation without an HSM for key storage:
• Download the unrestricted security policy files from the IBM website appropriate for the
version of Java installed (1.5 or above).
• Extract the policy jar files and copy them to the <JRE_DIR>/lib/security directory.
• Modify the <JRE_DIR>/lib/security/java.security file as follows:
In the java.security file, you must change the line:
#
# Default keystore type.
#
keystore.type=jks
to
#
# Default keystore type.
#
keystore.type=JCEKS
The keystore must be on the Tomcat server. The same keystore must be copied to the T24 server if
using the RSA managed PIN instead of the T24 managed external user password. The details of the key
must be in the relevant config fields of the arc_jaas.config file (see Appendices A or B):
    temenos.arc.security.crypto.keystore.password="<JCE_KEYSTORE_PASSWORD>"
    temenos.arc.security.crypto.keystore="<JCE_KEYSTORE_FILE_PATH>"
    temenos.arc.security.crypto.key.password="<ENCRYPTION_KEY_PASSWORD>"
    temenos.arc.security.crypto.key.alias="<KEY_ALIAS>"
    temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"
Creating a JCE Keystore
If you wish to create your own JCE keystore file, several commercial key manager tools are available to
do so (e.g. IBM's Encryption Key Manager). Alternatively, a free tool such as JSTK (JavaSpaces
Technology Kit) can be used.
For JSTK, the appropriate commands are:
• Extract all files from jstk-1_0_1.zip.
• Open a command window and go to the expanded directory, \jstk-1.0.1.
• Run:
  o bin\crypttool.bat genk -action store -keystore test.jceks -storepass foo -alias testKey -keypass bar -keysize 256 -algorithm AES -kstype JCEKS
  o Copy the test.jceks file to the appropriate location, as specified in the
    temenos.arc.security.crypto.keystore property of the ARC-IB configuration files.
See the appropriate vendor documentation on how to download and use IBM Encryption Key Manager.
Examples of the arc_jaas.config for token based authentication can be found in Appendix D.
Examples of the arc_jaas.config for token based authentication can be found in Appendix D. The
contents of the appropriate example JAAS config file must be added to the beginning of the Websphere
wsjaas.conf file.
RSA Properties File
Parameter        Value/Description
RSA_AGENT_HOST   Overrides the IP address of the RSA agent host. In this case it should be set to
                 the IP address of the ARC-IB Web Server machine.
SDCONF_LOC       The full path and name of the sdconf.rec file generated on the RSA Authentication
                 Manager server, e.g. C:\RSA-config\sdconf.rec
RSA_LOG_FILE     The path and name of the RSA log file. This will contain log information for all
                 RSA AM requests made through the API jar.
RSA_LOG_LEVEL    The log level that determines which log messages are reported in the above log file.
Appendix
Appendix A - arc_jaas.config for token based authentication in ARC-IB with 4TRESS
ARC {
    com.temenos.arc.security.jaas.ArcLoginModule Requisite
        debug="true"
        temenos.arc.security.ftress.userid.length="9"
        temenos.arc.security.ftress.password.length="6"
        temenos.arc.security.t24.password.length="12"
        temenos.arc.security.ftress.isseeded="false"
        temenos.arc.jaas.delegate="com.temenos.arc.security.jaas.DeviceAuthenticator"
        temenos.arc.jaas.committer="com.temenos.arc.security.jaas.JaasCommitter"
        temenos.arc.jaas.callback.override=""
        temenos.arc.security.charset="UTF-8"
        temenos.arc.security.ftress.user.attribute.t24user=""
        temenos.arc.security.ftress.user.attribute.t24pass=""
        temenos.arc.security.ftress.channel="CH_WEB"
        temenos.arc.security.ftress.domain="DOMAIN1"
        temenos.arc.security.ftress.authtype="AT_AIOTP"
        temenos.arc.security.ftress.device.mode="SYNC"
        temenos.arc.security.ftress.delimiter="|"
        temenos.arc.security.crypto.keystore.password="keystorepass"
        temenos.arc.security.crypto.keystore="C:/T24/config/test.jceks"
        temenos.arc.security.crypto.key.password="keypass"
        temenos.arc.security.crypto.key.alias="testKey"
        temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"
    ;
    com.temenos.arc.security.jaas.ArcLoginModule Required
        debug="true"
        temenos.arc.jaas.delegate="com.temenos.arc.security.jaas.JaasUsernamePasswordAuthenticator"
        temenos.arc.jaas.committer="com.temenos.arc.security.jaas.T24AttributeCommitter"
        temenos.arc.jaas.callback.override=""
        temenos.arc.security.charset="UTF-8"
        temenos.arc.security.ftress.user.attribute.t24user="ATR_T24UID"
        temenos.arc.security.ftress.user.attribute.t24pass="ATR_T24PW"
        temenos.arc.security.ftress.channel="CH_WEB"
        temenos.arc.security.ftress.domain="DOMAIN1"
        temenos.arc.security.ftress.authtype="AT_CUSTPIN"
        temenos.arc.security.ftress.create.session="false"
    ;
};
Note: The encrypted 4TRESS system user id and password in the configuration file are produced
using the encryption tool supplied in the ARC-IB package.
        temenos.arc.security.crypto.class="com.temenos.arc.security.authenticationserver.common.AESCryptographyService"
        temenos.arc.security.rsa.configpath="C:/T24/Browser/sample.properties"
        temenos.arc.security.ftress.delimiter="|"
    ;
};