OpenWGA 7.9 - OpenWGA Concepts and Features


Ensuring basic security

The topics discussed here should be mandatory to-dos for every OpenWGA server that is exposed to public access.

Reduce administrative and/or authoring access to a private TCP port

Administrative access to an OpenWGA server, for example via the OpenWGA admin client, is a highly security-sensitive function and should never be performed over public, unencrypted connections.

In order to secure administrative access you should:

1. Have a second TCP port by which you can access your OpenWGA server, separate from the port used for public access.

A good and easy choice is often port 8080: on a standard OpenWGA installation Apache Tomcat runs OpenWGA and serves it directly on port 8080, while a separate HTTP server in front of it handles regular public access on ports 80 and/or 443. The port is therefore available anyway.

2. Ensure that this second port is not open for public access

This is often just a matter of firewall configuration. Ensure that port 8080 - or whatever port you choose for exclusive administrative access - cannot be reached from the Internet, either on your intranet's firewall or on a host firewall on the OpenWGA server itself.

If administrators and the OpenWGA server are on the same intranet, this is often all that needs to be done. If your administrators need administrative access from the Internet, the best solution is usually a Virtual Private Network (VPN) through which they establish an encrypted connection to the OpenWGA server or your intranet. Inside the VPN your administrators act as if they were on the same LAN as the OpenWGA server; just ensure that your firewall allows access to the administrative port from there.

3. Configure OpenWGA to restrict administrative access to your private port

Make sure you can reach OpenWGA on your private port before doing this; otherwise you will lock yourself out of administration!

Open OpenWGA admin client and do the following:

  • Enter "Expert mode" by checking the checkbox to the top right
  • In Menu choose "Configuration > Advanced Configuration"
  • On Tab "Port restrictions" click button "Edit"
  • Under Section "Admin tools port restrictions" click button "Add new entry..."
  • On the field "Value" enter the number of your administrative port and click button "Add entry"
  • Click button "Save"

Access to administrative resources is now restricted to the given port. This includes:

  • Access to administrative applications, prominently OpenWGA admin client
  • Usage of administrative actions on the OpenWGA SOAP Web Service, i.e. all actions that use an administrative login. This also includes many OpenWGA developer studio functions that interact with an OpenWGA server, like design synchronisation, plugin upload etc.

4. Optionally do the same for authoring access

The same mechanism can be used to restrict access to authoring applications like OpenWGA Content Manager to a specific port. On the "Port restrictions" tab there is also a section "Authoring access port restrictions" where you can set a port to be used exclusively for authoring.
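To confirm that steps 2 and 3 have the intended effect, check from both vantage points which ports actually answer. The script below is an added example, not code from OpenWGA or from this page. ADMIN_PATH is an assumed placeholder for the URL of the admin client on your server, and the local listener it starts is a constructed stand-in so the script can be tried offline. Run from a public address, the private port should report "closed" (a firewall that drops packets shows up as a timeout, which counts as closed here); run from the intranet or VPN it should report "open".

```python
"""Check which ports expose a host, from the vantage point where you run it.

Added example, not code from OpenWGA or this page. ADMIN_PATH is an assumed
placeholder: replace it with the URL of the admin client on your server. The
local listener below is a constructed stand-in so the script runs offline.
"""
import http.client
import http.server
import socket
import threading

ADMIN_PATH = "/plugin-admin/"   # assumption: adjust to your server's admin client URL
TIMEOUT = 3.0                   # a firewall that drops packets shows up as a timeout


def probe(host, port, path=ADMIN_PATH, timeout=TIMEOUT):
    """Return ("closed", None) if no TCP connection can be made (refused or
    filtered), else ("open", http_status); status is None if the port accepts
    TCP but does not speak HTTP."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        return ("closed", None)
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        return ("open", None)
    return ("open", status)


def check_exposure(host, expectations):
    """expectations maps port -> "open" or "closed".
    Returns one (port, expected, actual, http_status, ok) tuple per port."""
    rows = []
    for port, expected in expectations.items():
        actual, status = probe(host, port)
        rows.append((port, expected, actual, status, actual == expected))
    return rows


class _AlwaysOk(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an application server: answers 200 to any GET."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):   # keep the demo output clean
        pass


def start_local_server():
    """Listen on an ephemeral loopback port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _AlwaysOk)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_port():
    """A loopback port with no listener, standing in for a firewalled port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Real use from the Internet:  check_exposure("www.example.org", {443: "open", 8080: "closed"})
    # Real use from the intranet:  check_exposure("wga.intranet", {8080: "open"})
    srv, private_port = start_local_server()
    public_facing = unused_port()
    for row in check_exposure("127.0.0.1", {private_port: "open", public_facing: "closed"}):
        print("port %5d expected %-6s actual %-6s status %s ok=%s" % row)
    srv.shutdown()
```

Run it once from outside and once from inside; any row with ok=False means either the firewall or the OpenWGA port restriction is not doing what you expect.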

Review names & passwords of OpenWGA administrators

Even with administrative access restricted to a private port, it is a good idea to ensure that your administrator login cannot be guessed. The best way to do so is to change both login name and password away from the defaults, i.e. not the name "admin" and - most importantly - not the password "wga".

If you setup your OpenWGA server using the setup assistant you may have already done this. However, here are instructions how to do this via admin client:

  • In OpenWGA admin client select from the menu "Configuration > Administrators"
  • Click button "edit"
  • Click button "Add new administrator"
  • Enter data for a new administrative user
    • Choose a name that is not "admin"
    • Choose a secure, not guessable password that is not "wga". According to common standards for secure passwords it should be at least 8 characters long (longer is better) and contain upper-case letters, lower-case letters, digits and at least one special character.
  • Click button "Add administrator"
  • Click button "save"
  • Change to the new administrator login: Click the button "Logout" on the top right and then logon with the new administrator user
  • On the menu choose again "Configuration > Administrators" and click "Edit"
  • Click button "delete" on the default administrator user "admin" then click "save".

Use a modern hashing algorithm for password storage

This only applies to OpenWGA servers which were initially installed as OpenWGA version 6.0 or earlier.

As the regular news about stolen user passwords from public websites and services shows, one should never assume that a system's data will always be protected from malicious access. It should therefore be ensured that stolen password records cannot be turned back into the passwords themselves. This is a matter of choosing the hashing algorithm with which passwords are stored. If you use the authentication source "Content Store" anywhere on your server, meaning that you authenticate users against user definition documents stored in a content store, then the passwords of these users are hashed before they are stored to these user documents.

A password hash is a one-way transformation: the stored hash cannot be "decrypted" back into the password, because nothing was encrypted in the first place. It can still be compared against an entered cleartext password: if the entered password is hashed the same way and the result equals the stored hash, the original passwords were the same.

Up to OpenWGA 6.0 we used the hashing algorithm SHA-1 for this purpose. It was modern when we introduced it, but SHA-1 is a fast general-purpose hash, and fast hashes have since proven vulnerable to modern password recovery techniques: an attacker holding the stored hashes can try billions of guesses per second on commodity hardware. Because of this we changed the default hashing algorithm to the more modern bcrypt with cost factor 10 ("BCrypt-10"), which salts every password and makes each guess deliberately slow, and which by the current state of knowledge is safe from such reconstruction.

However, servers that were updated from 6.0 to 6.1 remained on the old algorithm, because the user data may have needed to stay backward-compatible with servers of earlier versions that still used it. The update guide for 6.1 pointed this out. If you have not changed the hashing algorithm since, and your data is no longer accessed by OpenWGA server versions earlier than 6.1, you can choose the algorithm now:

  • OpenWGA Admin Client, Menu "Configuration" > "Basic Settings"
  • Click the "Edit" button
  • A new setting labeled "Storage of passwords: Uni-Directional" should have been added to section "Other settings"
  • Change the value of the setting to "BCrypt 10 Hashing"
  • Click the "Save" button

From now on newly set passwords will be stored with the bcrypt algorithm.

Passwords that were stored using SHA-1 remain usable. They cannot be migrated automatically to the new format, because the original passwords cannot be recovered from their hashes; to be stored in the new format they have to be set again.
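The following example, added here and not OpenWGA's own code or storage format, makes the two points above concrete: why a stolen unsalted SHA-1 record falls to a dictionary attack that immediately recovers a default such as "wga" (the password the administrator section above tells you to get rid of), and what a salted, cost-parametrized scheme changes. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a tunable iteration count stands in for "BCrypt 10"; the property that matters (per-user salt plus a work factor stored with the record) is the same. The "sha1$..." and "pbkdf2_sha256$..." record layouts and the wordlist are constructed for this example. OpenWGA, as stated above, does not migrate old records automatically; the verify() routine shows the general pattern by which an application that holds the cleartext at login time can re-store it in the new format at that moment.

```python
"""Legacy fast hash versus a salted, cost-parametrized password hash.

Added example, not OpenWGA code and not its storage format. bcrypt is not in
the Python standard library, so PBKDF2-HMAC-SHA256 with a tunable iteration
count stands in for "BCrypt 10". The "sha1$" and "pbkdf2_sha256$" record
layouts below are constructed for this example.
"""
import base64
import hashlib
import hmac
import os

LEGACY_PREFIX = "sha1$"
MODERN_PREFIX = "pbkdf2_sha256$"
DEFAULT_ITERATIONS = 600_000   # OWASP's current minimum for PBKDF2-HMAC-SHA256


def legacy_hash(password):
    """Unsalted SHA-1: one fast hash per guess, and identical passwords give
    identical records, so precomputed tables work across all users."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def modern_hash(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Random 16-byte salt and the iteration count stored with the record, so
    the work factor can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s%d$%s$%s" % (MODERN_PREFIX, iterations,
                           base64.b64encode(salt).decode(),
                           base64.b64encode(dk).decode())


def matches(password, record):
    """Does the cleartext match the stored record? The comparison is
    constant-time so response timing does not leak how many bytes were right."""
    if record.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(legacy_hash(password), record)
    if record.startswith(MODERN_PREFIX):
        _, iters, salt_b64, dk_b64 = record.split("$")
        expected = base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iters),
                                 dklen=len(expected))
        return hmac.compare_digest(dk, expected)
    raise ValueError("unknown password record format")


def verify(password, record, upgrade_iterations=DEFAULT_ITERATIONS):
    """Login-time check. Returns (ok, upgraded_record): the second value is a
    fresh modern record when the password was right but stored as SHA-1, the
    only moment the cleartext is available to re-store it; otherwise None."""
    ok = matches(password, record)
    if ok and record.startswith(LEGACY_PREFIX):
        return True, modern_hash(password, upgrade_iterations)
    return ok, None


def dictionary_attack(record, wordlist):
    """What an attacker does with a stolen record. Against a legacy record each
    guess costs one SHA-1; against a modern one it costs `iterations` HMACs and
    nothing can be precomputed because of the per-record salt."""
    for guess in wordlist:
        if matches(guess, record):
            return guess
    return None


if __name__ == "__main__":
    guesses = ["admin", "password", "tomcat", "wga"]      # constructed wordlist
    stolen = legacy_hash("wga")                           # the default password from above
    print("legacy record cracked:", dictionary_attack(stolen, guesses))
    ok, upgraded = verify("wga", stolen)
    print("legacy login ok:", ok, "| re-stored as:", upgraded[:40] + "...")
    print("wrong password against new record:", verify("WGA", upgraded))
    print("same password, different records:",
          modern_hash("wga", 1000) != modern_hash("wga", 1000))
```

The iteration count is the knob that corresponds to bcrypt's cost factor: raising it makes every guess in dictionary_attack() proportionally slower for the attacker while costing you one such computation per login.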

Stay up-to-date with the OpenWGA blog

The OpenWGA blog is the place where we publish up-to-date information about maintenance releases that become available, security issues that are discovered including their countermeasures, and generally everything that may be of interest to anyone maintaining an OpenWGA server. We recommend following this blog in order to be informed about and prepared for any security threat that may occur.

With OpenWGA we follow a relatively strict schedule of monthly maintenance releases, usually within the first two weeks of each month. These address the issues that were found in that period. If we encounter a serious security issue in a current release we also publish "patch releases" outside the schedule, normally within days of the vulnerability being found.

It is generally not necessary to update to each maintenance release every month unless you need a specific issue fixed. However there may be certain issues like security-related ones where we will recommend an immediate update on the blog or where we will outline other ways to remove the threat.