Magic Collaboration Studio Teamwork Cloud consists of 2 Java-based services - Magic Collaboration Studio Teamwork Cloud (twcloud) and WebApp (webapp).

Magic Collaboration Studio Teamwork Cloud requires Java 11 17 (its location varies depending on how it was deployed), whereas Web Application Platform uses a bundled Java 17, located in <install_root>/WebAppPlatform/jre/.

Therefore, in order to harden these services, we must begin by hardening the JVM. The default settings for the JVM are located in java.security.

Expand

title	How to Check Protocols and Ciphers for a Specific Port

We can check the ciphers/protocols being used by the applications using nmap (version 7.x) or TestSSLServer.jar, available from https://community.rsa.com/docs/DOC-45511.

As an example, below is a scan using both tools against a default installation. In this example, we will be testing port 8111, the Magic Collaboration Studio Teamwork Cloud port.

Code Block

# nmap --script ssl-enum-ciphers -p 8111 127.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-21 17:32 MDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT     STATE SERVICE
8111/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds

# java -jar TestSSLServer.jar 127.0.0.1 8111
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.0
     RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  (TLSv1.1: idem)
  TLSv1.2
     RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA256
     DHE_RSA_WITH_AES_128_CBC_SHA256
     TLS_RSA_WITH_AES_128_GCM_SHA256
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
----------------------
Server certificate(s):
  a241e1c3b957bd14e6e0242fd012f75853eef243: CN=X.X.X.X
----------------------
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected

As can be observed above, the default configuration using OpenJDK 1.8.0_242 is allowing TLS v1.0 and v1.1, which are deprecated. Additionally, we can see that several key exchanges are taking place using dh1024.

We then proceed to harden the configuration.

Warning
Since we are dealing with ciphers, you need to make sure that you do not disable a cipher required by your certificates.

After hardening the VM, we end up with a different set of allowed ciphers and protocols, as shown below.

Code Block

# nmap --script ssl-enum-ciphers -p 8111 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-21 17:44 MDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).

PORT     STATE SERVICE
8111/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds

# java -jar TestSSLServer.jar 127.0.0.1 8111
Supported versions: TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.2
     RSA_WITH_AES_128_CBC_SHA256
     TLS_RSA_WITH_AES_128_GCM_SHA256
----------------------
Server certificate(s):
  71ed3969e41a94877c51aacb87d995af4a12b6d9: CN=x.x.x.x
----------------------
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: protected
CRIME status: protected

The process of hardening the JVM requires making some changes to the java.security file. While these can be made directly, the downside is that if you upgrade your JVM, you will have to reapply your changes.

However, we can place our modifications in our own file, and simply pass a parameter to the JVM upon invocation so that it will apply our changes.

For example, we can create a file /home/twcloud/twc.java.security, and pass a parameter to the JVM in the form of -Djava.security.properties=/home/twcloud/twc.java.security.

Our hardened security settings are as shown below:

Code Block

title	twc.java.security

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, RSA keySize < 2048, SHA1, DHE, NULL
jdk.tls.ephemeralDHKeySize=2048
jdk.tls.rejectClientInitiatedRenegotiation=true

To apply these settings, we need to make changes to both the Magic Collaboration Studio Teamwork Cloud and Web App Platform services.

Magic Collaboration Studio Teamwork Cloud service
For Linux, edit <install_root>/TeamworkCloud/jvm.options and add a line as shown below:
Code Block
title jvm.options
. . -Dorg.jboss.netty.epollBugWorkaround=true -Dio.netty.epollBugWorkaround=true -Djava.security.properties=/home/twcloud/twc.java.security
For Windows, edit the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\TeamworkCloud\Parameters\Java\Options and append the setting pointing to your security overrides to the bottom of the settings.
Web App Platform service
For Linux, <install_root>/WebAppPlatform/bin/setenv.sh and add the directive to the JVM_OPTS variable as shown below:
Code Block
title setenv.sh
JVM_OPTS="-server -XX:+UseParallelGC -Xms4096M -Xmx8192M -Djava.security.properties=/home/twcloud/twc.java.security"
On Windows, you need to edit the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\WebApp\Parameters\Java\Options and append the setting pointing to your security overrides to the bottom of the settings.

JMX

By default, the Magic Collaboration Studio Teamwork Cloud service activates a JMX remote port to facilitate application monitoring. The default configuration does not contain any form of authentication.

On Linux, the configuration is located in <install_root>/jvm.options.

On Windows, it is located in registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\TeamworkCloud\Parameters\Java\Options.

Code Block
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=2468 -Dcom.sun.management.jmxremote.rmi.port=2468 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

Code Block

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=2468
-Dcom.sun.management.jmxremote.rmi.port=2468
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false

These settings can be removed, thereby removing JMX remote access.

If you would like to allow remote JMX access but require authentication, you can do so by adding settings. For complete documentation, please refer to the Java documentation.

As an example, the below configuration adds password authentication:

Code Block
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=2468 -Dcom.sun.management.jmxremote.rmi.port=2468 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/twcloud/jmx.password -Dcom.sun.management.jmxremote.access.file=/home/twcloud/jmx.access -Dcom.sun.management.jmxremote.ssl=false

Code Block

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=2468
-Dcom.sun.management.jmxremote.rmi.port=2468
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=/home/twcloud/jmx.password
-Dcom.sun.management.jmxremote.access.file=/home/twcloud/jmx.access
-Dcom.sun.management.jmxremote.ssl=false

As can be seen, we are pointing to a set of files (/home/twcloud/jmx.password and /home/twcloud/jmx.access) that control who can access these files.

The vulnerability vector is one whereby JMX could be exploited to execute code. To prevent this, we allow only an authenticated user (jmx.password) who has read-only rights (jmx.access).

Code Block

title	jmx.password

monitoring  DqzbksT4ET

Code Block

title	jmx.access

monitoring readonly

In this example, we created a user (monitoring) with a password (DqzbksT4ET), who can only read values via Remote JMX, but cannot write or execute anything via JMX.

Warning
The password and access files have a very stringent ownership requirement. They need to be owned by the user running the process and be accessible exclusively to that user. For example, in our default installation, the Magic Collaboration Studio Teamwork Cloud user is running the Magic Collaboration Studio Teamwork Cloud service. Therefore, the files need to be owned by Magic Collaboration Studio Teamwork Cloud and have full rights (rwx) by Magic Collaboration StudioTeamwork Cloud, and only Magic Collaboration StudioTeamwork Cloud. # ll jmx.* -rwx------. 1 twcloud twcloud 20 Mar 16 15:11 jmx.access -rwx------. 1 twcloud twcloud 26 Apr 21 10:41 jmx.password

Warning

The password and access files have a very stringent ownership requirement. They need to be owned by the user running the process and be accessible exclusively to that user.

For example, in our default installation, the Magic Collaboration Studio Teamwork Cloud user is running the Magic Collaboration Studio Teamwork Cloud service. Therefore, the files need to be owned by Magic Collaboration Studio Teamwork Cloud and have full rights (rwx) by Magic Collaboration StudioTeamwork Cloud, and only Magic Collaboration StudioTeamwork Cloud.

# ll jmx.*
-rwx------. 1 twcloud twcloud 20 Mar 16 15:11 jmx.access
-rwx------. 1 twcloud twcloud 26 Apr 21 10:41 jmx.password

Content

Space Tools

Breadcrumbs

Page History

Versions Compared

Old Version 2

New Version Current

Key

Protocols and Ciphers