Collaborator administrators need to be aware of several security issues and options which affect the overall security of the system. This section covers those issues.
Built-in Administrator Account
Each Collaborator server has a built-in administrator account – admin. By default, its password is admin. You must specify your own password for the built-in administrator account in the Users category of Collaborator settings.
File System Security
Collaborator relies on the underlying operating system as a foundation for overall system security. Several potentially sensitive items are stored in the local file system, including database credentials, LDAP credentials (if used), and file contents. Care should be taken to maintain the security of the server's operating system so that this information is not compromised. SmartBear does not have any specific security expertise, so we recommend you follow the guidance from the vendor of your operating system.
HTTP Transport Security
By default, the Collaborator server operates over regular HTTP. This means that all communications between clients and servers are unencrypted on the wire, so it is possible for someone with access to the network to use network sniffing tools to gather information from that traffic. Things that are available over the wire include file contents, user conversations, and even authentication credentials (usernames and passwords). If wire-level security is a concern, administrators should configure the server to use secure HTTP (HTTPS). Enabling HTTPS also adds the Secure attribute to the browser's session cookies, that is, they can only be transmitted over an HTTPS connection.
Users Session Information Storage and Cookies
There are two cookies that store user login and session information (CodeCollaboratorLogin and CodeCollaboratorTicketId respectively). The expiration date of the session cookies is so far in the future that they will never expire, but there is a server setting that overrides that expiration date and controls the length of time that the session is valid. This setting is called Login Ticket Time-To-Live and can be configured by the Collaborator admin. This setting is not an idle timeout – it is an absolute time the ticket will remain valid after it is created.
The application server-managed session cookie, JSESSIONID, is only valid during the session and is used to identify the session, but it does not contain any user information. We also store some WebUI preferences locally, but that data also does not contain any user information.
All session cookies have the HttpOnly attribute set, which means that these cookies can only be used by web browsers and are not accessible to scripts or by other means.
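An added example (not SmartBear's code) of the check an administrator can run on a server's response headers: it parses Set-Cookie headers and reports which of the three cookies named above lack HttpOnly and, when the server is expected to run HTTPS, Secure. The header values are constructed.

```python
from typing import Dict, List

# The cookies this page names. Secure is only expected once HTTPS is enabled.
SESSION_COOKIES = ("CodeCollaboratorLogin", "CodeCollaboratorTicketId", "JSESSIONID")

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def audit_cookies(headers: List[str], https: bool) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for the Collaborator session cookies."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in SESSION_COOKIES:
            continue
        missing = []
        if "httponly" not in cookie["attrs"]:
            missing.append("HttpOnly")
        if https and "secure" not in cookie["attrs"]:
            missing.append("Secure")
        findings[cookie["name"]] = missing
    return findings

# Constructed sample headers, as a plain-HTTP deployment might send them;
# the ticket cookie is deliberately missing HttpOnly so the audit has something to flag.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",
    "CodeCollaboratorLogin=alice; Path=/; Expires=Fri, 31 Dec 9999 23:59:59 GMT; HttpOnly",
    "CodeCollaboratorTicketId=42; Path=/; Expires=Fri, 31 Dec 9999 23:59:59 GMT",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS, https=True).items():
        print(name, "OK" if not missing else "missing " + ", ".join(missing))
```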
Obfuscate Database Passwords
Some environments dictate that sensitive passwords stored in configuration files be obfuscated. In the case of Collaborator, this most commonly occurs in conjunction with the database connection information stored in <Collaborator Server>/tomcat/conf/Catalina/localhost/ROOT.xml.
Starting from Collaborator 8.4.8403, obfuscating the database password has preliminary support as a post-install operation. Three forms of obfuscation are supported: base64-encoding, base64-encoded AES 128 bit and base64-encoded AES 256 bit. AES obfuscation uses ECB mode with a fixed key and PKCS#5 padding.
Of the three forms, base64-encoding is the recommended process, if sufficient, as it is simpler.
Note: To use the AES-256 bit obfuscation, additional files are required. Due to the import restrictions of some countries, Java SE has built-in restrictions on available cryptographic strength. Cryptographic strength can be configured via jurisdiction policy files that can be downloaded separately. In order to use AES-256 bit obfuscation, you will need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle web site: Java Cryptography Extension for JRE 7 and Java Cryptography Extension for JRE 8.
Base64 obfuscation
- Stop your Collaborator server instance. See Platform-Specific Notes for instructions for Windows, Linux, Solaris, and BSD platforms.
- Open the <Collaborator Server>/tomcat/conf/Catalina/localhost/ROOT.xml file in your preferred text editor.
- Locate the <Resource ... /> XML tag. This tag declares the database configuration of your Collaborator server.
- Append the factory attribute to the Resource tag:
  <Resource ... factory="com.smartbear.ccollab.CollaboratorBasicDataSourceFactory"/>
- Using the tool of your choice, generate a base64-encoded version of your database password (as found in the password attribute of the Resource tag). There are many base64-capable tools and online encoder-decoder interfaces. Use a web search for base64 encode.
- Add the following characters before the encoded string: $1$. This indicates to Collaborator that you are using the plain base64-encoding. For example, the testpass password would become $1$dGVzdHBhc3M=.
- Replace the value of the existing password attribute with the string composed in the prior step. The Resource tag will look as follows:
  <Resource ... password="$1$dGVzdHBhc3M=" factory="com.smartbear.ccollab.CollaboratorBasicDataSourceFactory"/>
- Save the ROOT.xml file.
- Restart your Collaborator server instance. The server should come up without issue with the obfuscated password.
AES-128 obfuscation
Note: base64 is recommended due to simplicity unless your environment absolutely requires this level of obfuscation.
- Stop your Collaborator server instance. See Platform-Specific Notes for instructions for Windows, Linux, Solaris, and BSD platforms.
- Open the <Collaborator Server>/tomcat/conf/Catalina/localhost/ROOT.xml file in your chosen text editor.
- Locate the <Resource ... /> XML tag. This tag declares the database configuration of your Collaborator server.
- Append the factory attribute to the Resource tag:
  <Resource ... factory="com.smartbear.ccollab.CollaboratorBasicDataSourceFactory"/>
- Using the command line interface, in the <Collaborator Server>/tomcat directory of your Collaborator instance, execute the following command line:
  java -cp webapps/ROOT/WEB-INF/classes:webapps/ROOT/WEB-INF/lib/*:lib/tomcat-dbcp.jar:bin/tomcat-juli.jar com.smartbear.ccollab.CollaboratorBasicDataSourceFactory
  Note: On Windows platforms, replace : in the command above with ; .
- Enter your password when prompted and specify the encoding format as aes128. The program will then output the encoded string, which has a prefix of $2$ to indicate that AES-128 obfuscation is being used. For example, the pre-obfuscation password testpass would become $2$Nobujw9X9ZJsSOYapNZh+w==.
- Replace the value of the existing password attribute with the string composed in the prior step. The Resource tag will look as follows:
  <Resource ... password="$2$Nobujw9X9ZJsSOYapNZh+w==" factory="com.smartbear.ccollab.CollaboratorBasicDataSourceFactory"/>
- Save the ROOT.xml file.
- Restart your Collaborator server instance. The server should come up without issues with the obfuscated password.
AES-256 obfuscation
Note: base64 is recommended due to simplicity unless your environment absolutely requires this level of obfuscation.
- To enable AES-256 encryption you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. They can be downloaded from the Oracle website: Java Cryptography Extension for JRE 7 and Java Cryptography Extension for JRE 8. Download and install the JCE package as described in the readme.txt file shipped within the downloaded archive.
- Stop your Collaborator server instance. See Platform-Specific Notes for instructions for Windows, Linux, Solaris, and BSD platforms.
- Open the <Collaborator Server>/tomcat/conf/Catalina/localhost/ROOT.xml file in your chosen text editor.
- Locate the <Resource ... /> XML tag. This tag declares the database configuration of your Collaborator server.
- Append the factory attribute to the Resource tag:
  <Resource ... factory="com.smartbear.ccollab.CollaboratorBasicDataSourceFactory"/>
- Using the command line interface, in the <Collaborator Server>/tomcat/ directory of your Collaborator instance, execute the following command line:
  java -cp webapps/ROOT/WEB-INF/classes:webapps/ROOT/WEB-INF/lib/*:lib/tomcat-dbcp.jar:bin/tomcat-juli.jar com.smartbear.ccollab.CollaboratorBasicDataSourceFactory
  Note: On Windows platforms, replace : in the command above with ; .
- Enter your password when prompted and specify the encoding format as aes256. The program will then output the encoded string, which has a prefix of $3$ to indicate that AES-256 obfuscation is being used. For example, the pre-obfuscation password testpass would become $3$w8MhPu6t7vobGeNvTx8RoA==.
- Replace the value of the existing password attribute with the string composed in the prior step. The Resource tag will look as follows:
  <Resource ... password="$3$w8MhPu6t7vobGeNvTx8RoA==" factory="com.smartbear.ccollab.CollaboratorBasicDataSourceFactory"/>
- Save the ROOT.xml file.
- Restart your Collaborator server instance. The server should come up without issues with the obfuscated password.
Obfuscate LDAP Passwords
Starting in Collaborator 8.5.8501, LDAP passwords may be obfuscated in a similar fashion to the database password above. Three forms of obfuscation are supported: base64-encoding, base64-encoded AES 128 bit, and base64-encoded AES 256 bit. AES obfuscation uses ECB mode with a fixed key and PKCS#5 padding.
Of the three forms, base64-encoding is the recommended process, if sufficient, as it is simpler.
Note: To use AES-256 bit obfuscation, additional files are required. Due to the import restrictions of some countries, Java SE has built-in restrictions on available cryptographic strength. Cryptographic strength can be configured via jurisdiction policy files that can be downloaded separately. In order to use AES-256 bit obfuscation, you will need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle web site: Java Cryptography Extension for JRE 7 and Java Cryptography Extension for JRE 8.
Base64 obfuscation
- Stop your Collaborator server instance. See Platform-Specific Notes for instructions for Windows, Linux, Solaris, and BSD platforms.
- Open the <Collaborator Server>/tomcat/conf/Catalina/localhost/ROOT.xml file in your chosen text editor.
- Locate the <Realm ... /> XML tag. This tag declares the LDAP (JNDI) authentication resource that Collaborator uses.
- Change the className attribute of the Realm tag to com.smartbear.ccollab.auth.CollaboratorJNDIRealm:
  <Realm ... className="com.smartbear.ccollab.auth.CollaboratorJNDIRealm"/>
- Using the tool of your choice, generate a base64-encoded version of your LDAP password (as found in the connectionPassword attribute of the Realm tag). There are many base64-capable tools and online encoder-decoder interfaces. Use a web search for base64 encode.
- Add the following characters before the encoded string: $1$. This indicates to Collaborator that you are using the plain base64-encoding. For example, the testpass password would become $1$dGVzdHBhc3M=.
- Replace the value of the existing connectionPassword attribute with the string composed in the prior step. The Realm tag will look as follows:
  <Realm ... className="com.smartbear.ccollab.auth.CollaboratorJNDIRealm" connectionPassword="$1$dGVzdHBhc3M="/>
- Save the ROOT.xml file.
- Restart your Collaborator server instance. The server should come up without issue with the obfuscated password.
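An added example (not SmartBear's code) that serves both the database Resource procedure and the LDAP Realm procedure above: it builds the $1$ form of a password, classifies each credential attribute in a ROOT.xml by its $1$/$2$/$3$ prefix, and decodes a $1$ value to show that base64 is reversible by anyone who can read the file, which is why the page calls these forms obfuscation rather than encryption. The ROOT.xml fragment and its attribute values are constructed; the fixed AES key is not on the page, so the $2$ and $3$ forms are only recognised, not produced.

```python
import base64
import re
from typing import Dict, Optional

# Prefixes documented on this page: $1$ plain base64, $2$ AES-128, $3$ AES-256.
PREFIXES = {"$1$": "base64", "$2$": "aes128", "$3$": "aes256"}

def obfuscate_base64(password: str) -> str:
    """Build the $1$ value the base64 procedure asks you to paste into ROOT.xml."""
    return "$1$" + base64.b64encode(password.encode("utf-8")).decode("ascii")

def classify(value: str) -> str:
    """Name the obfuscation form of a credential attribute value, or 'plaintext'."""
    for prefix, form in PREFIXES.items():
        if value.startswith(prefix):
            return form
    return "plaintext"

def reveal_base64(value: str) -> Optional[str]:
    """Decode a $1$ value: base64 hides the password from a glance, not from an attacker."""
    if not value.startswith("$1$"):
        return None
    return base64.b64decode(value[3:]).decode("utf-8")

# Credential attributes named on this page: Resource/password and Realm/connectionPassword.
CREDENTIAL_RE = re.compile(
    r'<(Resource|Realm)\b[^>]*?\b(password|connectionPassword)="([^"]*)"')

def audit_root_xml(xml_text: str) -> Dict[str, str]:
    """Map each credential attribute found in ROOT.xml to its obfuscation form."""
    return {f"{tag}.{attr}": classify(value)
            for tag, attr, value in CREDENTIAL_RE.findall(xml_text)}

# Constructed ROOT.xml fragment: the database password is already in $1$ form,
# the LDAP connection password has been left in plaintext.
SAMPLE_ROOT_XML = """<Context>
  <Resource name="jdbc/example" auth="Container" type="javax.sql.DataSource"
            username="collab" password="$1$dGVzdHBhc3M="
            factory="com.smartbear.ccollab.CollaboratorBasicDataSourceFactory"/>
  <Realm className="com.smartbear.ccollab.auth.CollaboratorJNDIRealm"
         connectionName="cn=svc,dc=example,dc=com" connectionPassword="testpass"/>
</Context>"""

if __name__ == "__main__":
    for attr, form in audit_root_xml(SAMPLE_ROOT_XML).items():
        print(f"{attr}: {form}")
    print(reveal_base64("$1$dGVzdHBhc3M="))  # the page's own example decodes to testpass
```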
AES-128 obfuscation
Note: base64 is recommended due to simplicity unless your environment absolutely requires this level of obfuscation.
- Stop your Collaborator server instance. See Platform-Specific Notes for instructions for Windows, Linux, Solaris, and BSD platforms.
- Open the <Collaborator Server>/tomcat/conf/Catalina/localhost/ROOT.xml file in your chosen text editor.
- Locate the <Realm ... /> XML tag. This tag declares the LDAP (JNDI) authentication resource that Collaborator uses.
- Change the className attribute of the Realm tag to com.smartbear.ccollab.auth.CollaboratorJNDIRealm:
  <Realm ... className="com.smartbear.ccollab.auth.CollaboratorJNDIRealm"/>
- Using the command line interface, in the <Collaborator Server>/tomcat/ directory of your Collaborator instance, execute the following command line:
  java -cp webapps/ROOT/WEB-INF/classes:webapps/ROOT/WEB-INF/lib/*:lib/tomcat-dbcp.jar:bin/tomcat-juli.jar com.smartbear.ccollab.CollaboratorBasicDataSourceFactory
  Note: On Windows platforms, replace : in the command above with ; .
- Enter your password when prompted and specify the encoding format as aes128. The program will then output the encoded string, which has a prefix of $2$ to indicate that AES-128 obfuscation is being used. For example, the pre-obfuscation password testpass would become $2$Nobujw9X9ZJsSOYapNZh+w==.
- Replace the value of the existing connectionPassword attribute with the string composed in the prior step. The Realm tag will look as follows:
  <Realm ... className="com.smartbear.ccollab.auth.CollaboratorJNDIRealm" connectionPassword="$2$Nobujw9X9ZJsSOYapNZh+w=="/>
- Save the ROOT.xml file.
- Restart your Collaborator server instance. The server should come up without issue with the obfuscated password.
AES-256 obfuscation
Note: base64 is recommended due to simplicity unless your environment absolutely requires this level of obfuscation.
- To enable AES-256 encryption you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. They can be downloaded from the Oracle website: Java Cryptography Extension for JRE 7 and Java Cryptography Extension for JRE 8. Download and install the JCE package as described in the readme.txt file shipped within the downloaded archive.
- Stop your Collaborator server instance. See Platform-Specific Notes for instructions for Windows, Linux, Solaris, and BSD platforms.
- Open the <Collaborator Server>/tomcat/conf/Catalina/localhost/ROOT.xml file in your chosen text editor.
- Locate the <Realm ... /> XML tag. This tag declares the LDAP (JNDI) authentication resource that Collaborator uses.
- Change the className attribute of the Realm tag to com.smartbear.ccollab.auth.CollaboratorJNDIRealm:
  <Realm ... className="com.smartbear.ccollab.auth.CollaboratorJNDIRealm"/>
- Using the command line interface, in the <Collaborator Server>/tomcat/ directory of your Collaborator instance, execute the following command line:
  java -cp webapps/ROOT/WEB-INF/classes:webapps/ROOT/WEB-INF/lib/*:lib/tomcat-dbcp.jar:bin/tomcat-juli.jar com.smartbear.ccollab.CollaboratorBasicDataSourceFactory
  Note: On Windows platforms, replace : in the command above with ; .
- Enter your password when prompted and specify the encoding format as aes256. The program will then output the encoded string, which has a prefix of $3$ to indicate that AES-256 obfuscation is being used. For example, the pre-obfuscation password testpass would become $3$w8MhPu6t7vobGeNvTx8RoA==.
- Replace the value of the existing connectionPassword attribute with the string composed in the prior step. The Realm tag will look as follows:
  <Realm ... className="com.smartbear.ccollab.auth.CollaboratorJNDIRealm" connectionPassword="$3$w8MhPu6t7vobGeNvTx8RoA=="/>
- Save the ROOT.xml file.
- Restart your Collaborator server instance. The server should come up without issue with the obfuscated password.
See Also
Configure HTTPS
Platform-Specific Notes
Admin Tasks