Moving at the Speed of Change, May 2015
Charlotte PowerBuilder Conference

Securing your Appeon Mobile & Web Applications
For PowerBuilder, Appeon Web & Appeon Mobile

• Email: [email protected]
• Blog: http://chrispollach.blogspot.ca
• PBDJ: http://chrispollach.sys-con.com
• LinkedIn: http://ca.linkedin.com/in/chrispollach
• SourceForge: http://sourceforge.net/projects/stdfndclass
• STD: http://www.softdie.ca

Securing your Appeon Applications
An Actual Implementation Case Study!
By Chris Pollach – President: Software Tool & Die Inc.
Ottawa, Canada
Implement a Secure Application Login!
Use Appeon’s Built-In LDAP Features
Implement using Appeon’s LDAP method:
• of_ldaplogon ( string as_username, string as_password )

Use a DB Login Account!
• Cannot use the CONNECT command if using the Appeon Cache feature!
• Need to perform a real DB connect
• Solution: use a Web Service!
Tip: Check out the example OrderEntry application from the STD Foundation Classes framework!
http://sourceforge.net/projects/stdfndclass
Web Service Relationship
[Diagram: the Appeon Web client, the Appeon Mobile client and the Application Server each reach a PowerBuilder Web Service (Win32/64, exposed through WSDL) via a WSDL proxy and the Framework (@); behind the Web Service sit the Command Shell (+), OCR Imaging, Log, Spell Check, PDF and other services, plus LDAP.]
DEMO!
Use Active Directory Directly!
Use AD for:
• Login privileges (for a given application)
• Group participation (for a given user)
• Role participation (for a given user)
• Check out my Active Directory presentation session for more details!
Active Directory via Web Services!
[Diagram: the Appeon Web client, the Appeon Mobile client and the Application Server each call a PowerBuilder Web Service (*) (Win32/64, exposed through WSDL) via a WSDL proxy and the Framework (@); the Web Service uses the Command Shell (+) and LDAP to query the Active Directory Server and writes a Log of each request.]
Legend
* - Web Service developed in PowerBuilder 12.x
+ - MS-Windows “PowerShell” operating system API.
@ - Open Source GNU/GPL Web Service framework (STD Foundation Classes)
LDAP: Lightweight Directory Access Protocol
Ensuring an Encrypted Web Session
Installing a Certificate
RHMB (right-hand mouse button) menu on the certificate file, or run: certmgr.msc
Can also be pushed out via SMS (Systems Management Server)!
Client Certificate
Run: certmgr.msc (opens the Current User store, which is where the user’s own client certificate belongs)
Server Certificate (IIS)
Run: certmgr.msc
Note: certmgr.msc shows the Current User store. The certificate that IIS presents to browsers must be in the Local Computer Personal store; view that store with the “Server Certificates” feature in the IIS Console or with the Certificates MMC snap-in for the Computer account.
Enabling SSL in IIS
SSL Activation
1. Start the IIS Console from the MS-Windows Control Panel’s “Administrative Tools” section.
2. In the IIS Console’s system tree, select (highlight) the production web site name.
3. In the centre work area (pane) of the IIS Console, scroll down to the IIS section and then double-click the SSL Settings entry.
SSL Settings
1. In the SSL Settings dialogue at the web-site level, ensure that the “Require SSL” check box is not checked (off). (“Require SSL” is switched on per application in the next section.)
2. Then, under “Client Certificates”, select either the Require or the Accept radio button.
Enable SSL in your Application!
SSL Activation – Step #1
1. In the IIS Console’s system tree, select (highlight) and expand the production web site name.
2. In the expanded list, navigate to and select (highlight) your Web / Mobile application name.
3. In the centre work area (pane) of the IIS Console, scroll down to the IIS section and then double-click the SSL Settings entry.
SSL Activation – Step #2
1. In the resulting “SSL Settings” work area of the IIS Console, check the “Require SSL” check box (ON).
2. In the “Client Certificates” area, select the “Accept” radio button (ON).
Note: Do not select the “Require” radio button unless two-way (mutual) certificate authentication is being used. Most web applications use a one-way trust, where only the server presents a certificate, so “Accept” is the setting to use. “Accept” asks the browser for a client certificate during the TLS handshake but still serves the request when none is presented; “Require” rejects every connection that does not present one.
Automatic HTTP to HTTPS Switching!
Automatic SSL switching ( HTTP => HTTPS )
• Step #1 - Create a web page (i.e. SSLredirect.htm) as follows:

<!-- beginning of SSLredirect.htm file -->
<script type="text/javascript">
function redirectToHttps()
{
    // Rebuild the current URL with the https scheme. Keep the path, the query
    // string and the fragment so the user lands on the same page; only the
    // scheme changes. (Building the URL from hostname + pathname alone would
    // drop the query string.) Assumes HTTPS is bound on the default port 443.
    var loc = window.location ;
    var httpsURL = "https://" + loc.hostname + loc.pathname + loc.search + loc.hash ;
    // replace() keeps the rejected http:// page out of the Back-button history.
    window.location.replace( httpsURL ) ;
}
redirectToHttps() ;
</script>
<!-- end of SSLredirect.htm file -->
Install the Redirection Web Page!
Step #1
1. In the IIS Console’s system tree, select (highlight) the production web site name.
2. In the centre work area of the IIS Console, scroll down to the IIS section.
3. Within this work area, double-click the “Error Pages” item to open it.
Install the Redirection Web Page (Continued)
Step #2
1. To the right of the “Error Pages” work area, select the “Add...” link in the “Actions” pane.
2. In the resulting “Add Custom Error Page” dialogue, enter the value “403.4” (SSL is required to view this resource) in the Status Code field.
3. Next, select the BROWSE command button and point the 403.4 error code to the “SSLredirect.htm” file that you copied in the previous section to the root of the IIS web server’s working root folder.
Note: Now, when IIS rejects a plain HTTP request to the application with status 403.4, it answers with the “SSLredirect.htm” page instead of the stock error page, and the script in that page retries the same URL over HTTPS. Once the TLS handshake succeeds (the browser trusts the server certificate and, with “Accept” selected, presents a client certificate only if it has one), your Appeon application starts an encrypted session automatically! Caveat: the browser’s first request, including its path and query string, still travels in clear text before the redirection happens, so never put credentials or session identifiers in the URL of the initial link; publish only https:// links and treat the redirection page as a safety net.
Building a Session Timeout Web Page
Locate the default Web Page
Revise the Session Timeout Web Page
<td style="width: 50%;">Please perform one of the following actions:<br>
<ul>
<li>Click
<!--a href="$$URL$$" class="style1"><font face="Verdana" size="2">Restart</font></a-->
<span id="restartLink"></span>
<script type="text/javascript">
// The application URL is passed as the whole query string (timeout.htm?http://host/app/).
var appurl = window.location.search.substr( 1 );
var link = document.createElement( "a" );
link.className = "style1";
link.innerHTML = '<font face="Verdana" size="2">Restart</font>';
try {
    // Only link back to our own origin over http(s). Writing the raw query string
    // into the page with document.write() would let a crafted timeout link inject
    // markup or send the user to another site.
    var target = new URL( appurl, window.location.href );
    if ( ( target.protocol === "http:" || target.protocol === "https:" ) && target.origin === window.location.origin ) {
        link.href = target.href;
    }
} catch ( e ) { /* not a URL: leave the Restart link without an href */ }
document.getElementById( "restartLink" ).appendChild( link );
</script>
to log into the application again</li>
<li>Click
<!-- closeIE() is defined elsewhere in the page -->
<a href="#" onclick="closeIE()" class="style1"><font face="Verdana" size="2">Close</font></a><font face="Verdana" size="2"> to exit the application</font></li>
</ul>
</td>
Tip: To test this, start the PCI Human Image Redaction web application. In the IIS console,
restart the IIS Web server. Now, click on any link in the web application and you should see the
above web page appear!
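The Restart link on the timeout page is built from whatever arrives in the query string, so the page must decide which targets it is willing to link to. The validator below is an added example written for this editorial pass; it is not the slide deck’s code and not part of Appeon. It assumes the timeout page’s convention (the whole query string after “?” is the application URL) and that the page knows its own origin (window.location.origin in a browser). It goes beyond the single case in the slide by also covering percent-encoded and protocol-relative targets, non-http schemes, look-alike hosts and embedded credentials, each of which would otherwise turn the timeout page into an open redirect.

```javascript
// Added example (not from the original slides or from Appeon): decide whether
// the "restart" target passed to the session-timeout page may be linked.
// Runs under Node.js or a modern browser; uses only the WHATWG URL class.

// Returns the absolute href for the Restart link, or null when the candidate
// must not be linked. `search` is window.location.search ("?http://host/app/");
// `origin` is the timeout page's own origin ("https://app.example.com").
function safeRestartHref(search, origin) {
  // Everything after the leading "?" is the candidate URL, exactly as the
  // timeout page's script reads it.
  let candidate = search.charAt(0) === "?" ? search.slice(1) : search;
  try {
    candidate = decodeURIComponent(candidate); // "%2F%2Fevil" -> "//evil"
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (candidate.trim() === "") return null;

  let base;
  try {
    base = new URL(origin);
  } catch (e) {
    return null; // caller passed something that is not an origin
  }

  let target;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep the
    // scheme and host they carry, which the checks below then inspect.
    target = new URL(candidate, base);
  } catch (e) {
    return null; // not a URL at all
  }

  // 1. http(s) only: rejects javascript:, data:, vbscript:, file: ...
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // 2. Same origin only: rejects "//evil.example/" (protocol-relative),
  //    "http://evil.example", "https://app.example.com.evil.example" and also a
  //    plain http:// copy of our own host, which would drop the user out of TLS.
  if (target.origin !== base.origin) return null;
  // 3. Never carry credentials back into the application in the URL.
  if (target.username !== "" || target.password !== "") return null;

  return target.href;
}

// Build the link with DOM properties rather than document.write() on a
// concatenated HTML string, so the target can never inject markup.
// `doc` is the Document (or a stand-in with createElement() for testing).
function buildRestartLink(doc, search, origin) {
  const href = safeRestartHref(search, origin);
  const a = doc.createElement("a");
  a.className = "style1";
  a.textContent = "Restart";
  // Assumed fallback: the site root. Point this at the real login page.
  a.href = href !== null ? href : origin + "/";
  return a;
}

// Browser usage (skipped under Node, where `document` is undefined); the page
// is assumed to contain <span id="restart-link"></span> where the link goes.
if (typeof document !== "undefined") {
  const slot = document.getElementById("restart-link");
  if (slot) {
    slot.appendChild(buildRestartLink(document, window.location.search, window.location.origin));
  }
}
```

Rejecting the http:// form of the application’s own host (check 2) is deliberate: after the session has expired the user should only ever be sent back through the HTTPS entry point, otherwise the timeout page would undo the SSL enforcement set up earlier.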
Implement an Application Timeout!
Use PowerBuilder’s IDLE feature!
• Use the Idle( ) function to activate it! Idle( n ) triggers the application object’s Idle event after n seconds without user activity; Idle( 0 ) turns it off again.
• Code the Idle event to display a Timeout dialogue!
• Provide a link back to the application but force the user to log in again to continue!
Tip: Use a Timer on the application timeout dialogue to close the dialogue and exit the application if the user does not respond in a reasonable time frame. This closes a gap a security TRA (Threat & Risk Assessment) would flag (an abandoned but still authenticated session) and forces Appeon to free up the Web/Mobile session!
Securing your Applications – Summary
• DB Login
• Active Directory
• SSL
• Session Management
• Timeout Management
Lessons Learned
• Don’t underestimate the extra work to secure your PB/Appeon applications.
• Log everything
• Perform a proper TRA (Threat & Risk Assessment)
• Design for security!
Q&A Session
Questions?
Have you hugged your DataWindow today?