Security

**//On this page~://**

iSymphony opens several ports for communication with the outside world. These ports include the Web Ports used by the server to provide both the Administration and Client web interfaces, the REST API and Voicemail and Recording Agent file servers. The iSymphony server is broken up into several subsections call servlets. Each servlet can have several layers of security activated on them in order to prevent unauthorized access and man in the middle attacks.

6

7

= Securing Servlets =

8

9

Your iSymphony install contains the file **/opt/isymphony3/server/conf/security.xml**. This file contains the security settings for all servlets in the application.

10

11

12

You must restart the iSymphony server process in order for changes to the **security.xml** file to take effect.

== Servlets ==

Each servlet in the system has a specific function and enabling security on each one will secure a different piece of the application. Each servlet that can be restricted will have a relative **SecurityContext** in **security.xml**

18

19

=== communication_manager ===

20

21

Securing the **communication_manager** **SecurityContext** will restrict access to the REST API of the iSymphony Server.

22

23

24

Security is enabled by default on this servlet in order to prevent malicious use of the REST API.

=== client ===

Securing the **client SecurityContext** will restrict access to the iSymphony Client Interface.

30

31

=== administrator ===

32

33

Securing the **administrator SecurityContext** will restrict access to the iSymphony Administration Interface.

=== voicemail ===

Securing the **voicemail SecurityContext** will restrict access to the Voicemail Agent file server that allows playback of voicemail in the browser.

=== recording ===

Securing the **recording SecurityContext** will restrict access to the Recording Agent file server that allows playback of recordings in the browser.

== SSL Keystore ==

The **SSLKeystore** tag in **security.xml** allows you to define the keystore that contains the SSL certificate to use when SSL is enabled on a particular servlet. You must specify the **filename** of the keystore, **keystorePassword**, the **keyPassword**, and the **certAlias**.

46

47

48

Keystores must be placed on the top level of the **/opt/isymphony3/server/conf** directory.

49

50

51

=== Creating A Self Signed SSL Keystore ===

52

53

54

If you have SSL enabled on the **client** or **administrator** servlet and you are using a self singed certificate the browser will alert the user that they are accessing an unverified location when the attempt to access the iSymphony Client or Administration Interface. In order to prevent this warning you will need to acquire an SSL certificate from a valid authority that is recognized by the your JRE.

1. (((

The following method requires the Oracle JDK.

59

)))

60

1. (((

61

Run the following command to create your SSL keystore. (% style="line-height:1.4285715" %)Follow the prompts to finish creating the keystore.

62

63

64

keytool -keystore <filename> -alias <alias> -genkey -keyalg RSA -validity <number of days cert is valid>

)))

1. (((

Export the generated public key from the keystore by running the following command:

69

70

71

keytool -export -keystore <keystore file name from step2> -alias <alias> -file <filename>

)))

1. (((

Import the public key into the java truststore (cacerts) located in the java home directory:

76

77

78

keytool -import -alias <alias> -file <file from step 3> -keystore $JAVA_HOME/jre/lib/security/cacerts

79

80

81

The default password for the cacerts truststore is: "changeit". For more information on the keytool please see the Oracle documentation :

82

[[https:~~/~~/docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html>>url:https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html||shape="rect"]]

The password and the default access permission of the cacerts truststore should have changed upon installing the SDK. If this was not done already it should be done __**as the LAST STEP of this process**__.

)))

=== Creating a Keystore with Let's Encrypt ===

93

94

95

This section is a work in progress and will be updated.

96

97

98

==== Creating a Keystore with The Let's Encrypt module for FreePBX ====

99

100

FreePBX automates the process for obtaining a Let'sEncrypt certificate and utilizes it's own directory structure and file names to place the resulting files (The Certificate, any intermediate Certificate Authority chain and private key) on the filesystem.

101

102

First, we must compile and convert the resulting LE certificate chain and private key to PKCS12 format utilizing the OpenSSL binaries:

103

104

105

openssl pkcs12 -export -in /etc/asterisk/keys/<HOSTNAME>/fullchain.pem -inkey /etc/asterisk/keys/<HOSTNAME>/private.pem -name isymphony -out isymphony.pkcs12

Ensure you change the <HOSTNAME> placeholder above to reference the directory name that was created as part of the FreePBX certificate acquisition process.

110

111

112

You can choose the name you would like for the certificate alias and resulting pkcs12 keystore file name (-name and -out parameters). The above is only an example, though works without issue, so feel free to use it if appropriate.

113

114

The OpenSSL command will ask you for a password for the exported keystore. Be sure to set one as it is required and empty string passwords are not valid for this process. For this example, we used the password "isymphony".

115

116

Then, you just import the resulting pkcs12 keystore into a newly created Java Keystore supplying the appropriate parameters and set the destination store password and key password:

117

118

119

keytool -importkeystore -deststorepass isymphony -destkeypass isymphony -destkeystore isymphony.jks -srckeystore isymphony.pkcs12 -srcstoretype PKCS12 -alias isymphony

120

121

122

And your new java keystore will be in the resulting file: ./isymphony.jks file.

123

124

This file should be copied into the top level directory of your **/opt/isymphony3/server/conf** (or appropriate installation directory for iSymphony) directory.

125

126

== Make iSymphony Aware of the SSLKeystore ==

127

128

Modify /opt/isymphony3/server/conf/security.xml to make iSymphony aware of the keystore by modifying the SSLKeystore XML element with the appropriate values:

Then enabling SSL on each context you would like to utilize SSL (More on this below) and restarting the iSymphonyServerV3 service should complete the configuration.

135

136

== Enabling And Disabling Security Context ==

137

138

You can enable and disable entire **Security Contexts** by setting the **enabled** attribute to **true** or **false** in the **SecurityContext** tag in the **/opt/isymphony3/server/conf/security.xml** file. A disabled **Security Context** will apply no restrictions to the servlet despite any of the inner settings.

(((

== SSL ==

)))

You can enable and disable **SSL** communication encryption on a specific **Security Context** by setting the **enabled** attribute in the **SSL** tag to **true** or **false**.

145

146

147

If enabling SSL on the communication_manager servlet and you are using the iSymphony FreePBX module you must modify the module settings to use SSL. See [[doc:FreePBX Module Administration]] for more information.

(((

== Realm Authentication ==

152

)))

153

154

You can enable or disable HTTP realm authentication on a specific **Security Context** by setting the **enabled** attribute in the **RealmAuth** tag to **true** or **false**. You can add a new HTTP realm authentication user by adding a **RealmAuthUser** tag to the **RealmAuthUsers**. You can specify the user's credentials by populating the **username** and **password** attributes of the **RealmAuthUser** tag.

(((

== IP Access ==

)))

You can enable IP access on a specific **Security Context** by setting the **enabled** attribute on the **IPAccess** tag to **true** or **false**. The **IPAccess** restriction will allow or deny connections from specific IP addresses based on the contents of the **WhiteList** and **BlackList** in the **IPAccess** tag.

(((

=== Behavior ===

)))

1. IPs that are specified in the **WhiteList** will always be allowed to access the system unless the IP is specified in the **BlackList** as well.

167

1. IPs that are specified in the **BlackList** will never be allowed to access the system.

168

1. If no entries are specified in the **WhiteList** or **BlackList** all IPs will have access to the servlet.

169

1. If entries exist in the **WhiteList** but not in the **BlackList** only the IPs specified in the **WhiteList** will have access to the servlet.

170

171

172

Both IPv4 and IPv6 IPs can be specified the the IP Access lists.

The IP Access lists support **CIDR** formatting (e.g. 192.168.1.0/24)

177

Wiki source code of Security

Search

Navigation

author	version	line-number	content
		1	//On this page~://
		2
		3	{{toc/}}
		4
		5	iSymphony opens several ports for communication with the outside world. These ports include the Web Ports used by the server to provide both the Administration and Client web interfaces, the REST API and Voicemail and Recording Agent file servers. The iSymphony server is broken up into several subsections call servlets. Each servlet can have several layers of security activated on them in order to prevent unauthorized access and man in the middle attacks.
		6
		7	= Securing Servlets =
		8
		9	Your iSymphony install contains the file /opt/isymphony3/server/conf/security.xml. This file contains the security settings for all servlets in the application.
		10
		11	{{info}}
		12	You must restart the iSymphony server process in order for changes to the security.xml file to take effect.
		13	{{/info}}
		14
		15	== Servlets ==
		16
		17	Each servlet in the system has a specific function and enabling security on each one will secure a different piece of the application. Each servlet that can be restricted will have a relative SecurityContext in security.xml
		18
		19	=== communication_manager ===
		20
		21	Securing the communication_manager SecurityContext will restrict access to the REST API of the iSymphony Server.
		22
		23	{{info}}
		24	Security is enabled by default on this servlet in order to prevent malicious use of the REST API.
		25	{{/info}}
		26
		27	=== client ===
		28
		29	Securing the client SecurityContext will restrict access to the iSymphony Client Interface.
		30
		31	=== administrator ===
		32
		33	Securing the administrator SecurityContext will restrict access to the iSymphony Administration Interface.
		34
		35	=== voicemail ===
		36
		37	Securing the voicemail SecurityContext will restrict access to the Voicemail Agent file server that allows playback of voicemail in the browser.
		38
		39	=== recording ===
		40
		41	Securing the recording SecurityContext will restrict access to the Recording Agent file server that allows playback of recordings in the browser.
		42
		43	== SSL Keystore ==
		44
		45	The SSLKeystore tag in security.xml allows you to define the keystore that contains the SSL certificate to use when SSL is enabled on a particular servlet. You must specify the filename of the keystore, keystorePassword, the keyPassword, and the certAlias.
		46
		47	{{info}}
		48	Keystores must be placed on the top level of the /opt/isymphony3/server/conf directory.
		49	{{/info}}
		50
		51	=== Creating A Self Signed SSL Keystore ===
		52
		53	{{note}}
		54	If you have SSL enabled on the client or administrator servlet and you are using a self singed certificate the browser will alert the user that they are accessing an unverified location when the attempt to access the iSymphony Client or Administration Interface. In order to prevent this warning you will need to acquire an SSL certificate from a valid authority that is recognized by the your JRE.
		55	{{/note}}
		56
		57	1. (((
		58	The following method requires the Oracle JDK.
		59	)))
		60	1. (((
		61	Run the following command to create your SSL keystore. (% style="line-height:1.4285715" %)Follow the prompts to finish creating the keystore.
		62
		63	{{code language="bash"}}
		64	keytool -keystore <filename> -alias <alias> -genkey -keyalg RSA -validity <number of days cert is valid>
		65	{{/code}}
		66	)))
		67	1. (((
		68	Export the generated public key from the keystore by running the following command:
		69
		70	{{code}}
		71	keytool -export -keystore <keystore file name from step2> -alias <alias> -file <filename>
		72	{{/code}}
		73	)))
		74	1. (((
		75	Import the public key into the java truststore (cacerts) located in the java home directory:
		76
		77	{{code}}
		78	keytool -import -alias <alias> -file <file from step 3> -keystore $JAVA_HOME/jre/lib/security/cacerts
		79	{{/code}}
		80
		81	The default password for the cacerts truststore is: "changeit". For more information on the keytool please see the Oracle documentation :
		82	[[https:~~/~~/docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html>>url:https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html\|\|shape="rect"]]
		83
		84
		85	{{warning}}
		86	{{id name="cacerts"/}}
		87
		88	The password and the default access permission of the cacerts truststore should have changed upon installing the SDK. If this was not done already it should be done __as the LAST STEP of this process__.
		89	{{/warning}}
		90	)))
		91
		92	=== Creating a Keystore with Let's Encrypt ===
		93
		94	{{note}}
		95	This section is a work in progress and will be updated.
		96	{{/note}}
		97
		98	==== Creating a Keystore with The Let's Encrypt module for FreePBX ====
		99
		100	FreePBX automates the process for obtaining a Let'sEncrypt certificate and utilizes it's own directory structure and file names to place the resulting files (The Certificate, any intermediate Certificate Authority chain and private key) on the filesystem.
		101
		102	First, we must compile and convert the resulting LE certificate chain and private key to PKCS12 format utilizing the OpenSSL binaries:
		103
		104	{{code}}
		105	openssl pkcs12 -export -in /etc/asterisk/keys/<HOSTNAME>/fullchain.pem -inkey /etc/asterisk/keys/<HOSTNAME>/private.pem -name isymphony -out isymphony.pkcs12
		106	{{/code}}
		107
		108	{{note}}
		109	Ensure you change the <HOSTNAME> placeholder above to reference the directory name that was created as part of the FreePBX certificate acquisition process.
		110	{{/note}}
		111
		112	You can choose the name you would like for the certificate alias and resulting pkcs12 keystore file name (-name and -out parameters). The above is only an example, though works without issue, so feel free to use it if appropriate.
		113
		114	The OpenSSL command will ask you for a password for the exported keystore. Be sure to set one as it is required and empty string passwords are not valid for this process. For this example, we used the password "isymphony".
		115
		116	Then, you just import the resulting pkcs12 keystore into a newly created Java Keystore supplying the appropriate parameters and set the destination store password and key password:
		117
		118	{{code}}
		119	keytool -importkeystore -deststorepass isymphony -destkeypass isymphony -destkeystore isymphony.jks -srckeystore isymphony.pkcs12 -srcstoretype PKCS12 -alias isymphony
		120	{{/code}}
		121
		122	And your new java keystore will be in the resulting file: ./isymphony.jks file.
		123
		124	This file should be copied into the top level directory of your /opt/isymphony3/server/conf (or appropriate installation directory for iSymphony) directory.
		125
		126	== Make iSymphony Aware of the SSLKeystore ==
		127
		128	Modify /opt/isymphony3/server/conf/security.xml to make iSymphony aware of the keystore by modifying the SSLKeystore XML element with the appropriate values:
		129
		130	{{code}}
		131	<SSLKeystore filename="isymphony.jks" keystorePassword="isymphony" keyPassword="isymphony" certAlias="isymphony" ></SSLKeystore>
		132	{{/code}}
		133
		134	Then enabling SSL on each context you would like to utilize SSL (More on this below) and restarting the iSymphonyServerV3 service should complete the configuration.
		135
		136	== Enabling And Disabling Security Context ==
		137
		138	You can enable and disable entire Security Contexts by setting the enabled attribute to true or false in the SecurityContext tag in the /opt/isymphony3/server/conf/security.xml file. A disabled Security Context will apply no restrictions to the servlet despite any of the inner settings.
		139
		140	(((
		141	== SSL ==
		142	)))
		143
		144	You can enable and disable SSL communication encryption on a specific Security Context by setting the enabled attribute in the SSL tag to true or false.
		145
		146	{{info}}
		147	If enabling SSL on the communication_manager servlet and you are using the iSymphony FreePBX module you must modify the module settings to use SSL. See [[doc:FreePBX Module Administration]] for more information.
		148	{{/info}}
		149
		150	(((
		151	== Realm Authentication ==
		152	)))
		153
		154	You can enable or disable HTTP realm authentication on a specific Security Context by setting the enabled attribute in the RealmAuth tag to true or false. You can add a new HTTP realm authentication user by adding a RealmAuthUser tag to the RealmAuthUsers. You can specify the user's credentials by populating the username and password attributes of the RealmAuthUser tag.
		155
		156	(((
		157	== IP Access ==
		158	)))
		159
		160	You can enable IP access on a specific Security Context by setting the enabled attribute on the IPAccess tag to true or false. The IPAccess restriction will allow or deny connections from specific IP addresses based on the contents of the WhiteList and BlackList in the IPAccess tag.
		161
		162	(((
		163	=== Behavior ===
		164	)))
		165
		166	1. IPs that are specified in the WhiteList will always be allowed to access the system unless the IP is specified in the BlackList as well.
		167	1. IPs that are specified in the BlackList will never be allowed to access the system.
		168	1. If no entries are specified in the WhiteList or BlackList all IPs will have access to the servlet.
		169	1. If entries exist in the WhiteList but not in the BlackList only the IPs specified in the WhiteList will have access to the servlet.
		170
		171	{{info}}
		172	Both IPv4 and IPv6 IPs can be specified the the IP Access lists.
		173	{{/info}}
		174
		175	{{info}}
		176	The IP Access lists support CIDR formatting (e.g. 192.168.1.0/24)
		177	{{/info}}