Permissions

Some important guidelines and recommendations related to granting permissions in Sterling B2B Integrator are given below.

For the purpose of examples in this topic, note the following:
  • install_dir is the directory where Sterling B2B Integrator is installed.
  • user_install is the application owner user name used to install, patch, and configure Sterling B2B Integrator.
  • user_exec is the runtime user used to run the application and has group-level access to the installation.

Granting process permissions

  • All processes should be run as a non-root user. The user should only have write permissions to data directories, configuration files, and log directories.
  • If not using PID files, use the grep patterns in subsequent controls to identify the four processes.

    Commands and sample outputs for the .PID files are given below:

    ls *.pid
    activemq.pid  cmdline2.pid  noapp.pid  ops.pid
    cat cmdline2.pid
    4670
    ps -ef | grep 4670
    <user_install>     4670     1  0 Mar26 ? 
00:00:05 /install_dir/jdk/bin/java -Xms128m 
-Xmx512m -Dcom.ibm.jsse2.sp800-131=off -DcmdlineProps2=
/installdir/properties/CmdLine2server.properties -jar 
install_dir/client/cmdline2/CLA2Client.jar 51152
<user_install>    22740 20499  0 06:08 pts/2    
00:00:00 grep 4670

Defining user controls

  • Run time user can be different from the install user. This ensures that the binaries are protected from unauthorized changes at runtime.
  • Take due care while giving appropriate write permissions. There are some directories and files where runtime write access is required. Some deployment specific functionality may dynamically create or delete file system trees or files. When deployment-specific value-added processing is introduced to the system, you must evaluate the logic to ensure basic security rules are followed.
  • Setting appropriate permissions:
    By default, only the application owner is given permissions to read/write on all files and directories.
    chmod -R u=rw,g=r,o= install_dir
    Granting permissions to users and groups to access directories.
    chmod -R ug+X install_dir
    Granting permissions to users and groups to write files to the application root. (PID files and dump files are generated here). 
    chmod -R g+w install_dir
    Allowing owner to execute all scripts.
    find /install_dir/ -name ""*.sh"" 
-exec chmod u+x {} \;
    Adding execution permissions to the binaries/scripts
    chmod -R ug+x install_dir/bin/*sh
chmod -R ug+x install_dir/noapp/bin/*sh
chmod -R ug+x install_dir/jdk/bin
chmod -R ug+x install_dir/jdk/jre/bin
chmod -R g+w install_dir/tmp/*
    Granting write access to properties that are modified through the Sterling B2B Integrator UI.
    chmod -R g+w install_dir/properties/tuning.*
    Creating empty system_overrides.properties if it does not already exist.
    touch -a install_dir/
properties/system_overrides
chmod -R g+w install_dir/
properties/system_overrides.properties
chmod -R g+w install_dir/
properties/tuning.properties
chmod -R g+w install_dir/
properties/tuningPreviousSettings.properties
    Granting write access to logs
    chmod -R g+w install_dir/logs
    Granting write access to dump files
    chmod g+w install_dir/noapp/bin
    Moving the default locations for data to a location outside the Sterling B2B Integrator install_dir directory (Recommended)
    chmod -R g+w install_dir/arc_data
chmod -R g+w install_dir/documents
chmod -R g+w install_dir/ediinbound
chmod -R g+w install_dir/edioutbound
chmod -R g+w install_dir/

Running Sterling B2B Integrator as a Windows service

In a Windows environment, Sterling B2B Integrator installs and runs as a Windows service. By default, it runs as the local system user. This should be changed to a dedicated Active Directory user account.

Identifying core processes
  • There are 4 core processes that need to be running for Sterling B2B Integrator to function correctly, namely, NoAppServer, OpsServer, EventListeners, and ActiveMQ. These processes should all be running as user_exec (runtime user), except during installation, upgrade, and patching.
  • You must ensure that these core processes are running as the expected user (user_exec or the runtime user) and use it to identify the installation path.
  • The installation location for these processes should be the same. If the locations are different, then the processes will be considered to be of different installations as it is valid to have multiple installations on a single physical server.
  • NoAppServer 
    ps -ef |grep "java " | grep "NoAppServer" | grep -Eo 
"\-classpath.*bootstrapper.jar]*"

    The installation directory that install_dir points to here should match that of NoAppServer. If different, it is potentially a different installation on the same server.

  • OpsServer
    $ ps -ef |grep "java " | grep "com.sterlingcommerce.
woodstock.ops.server.OpsServer" | grep -Eo "\-classpath.
*bootstrapper.jar]*"

    Here, the path before /jar/bootstrapper.jar is the install location.

  • Event Listeners
    "$  ps -ef | grep ""java "" | grep -Eo ""jar.*RunClient.jar""
jar /install_dir/client/runclient/RunClient.jar

    The installation directory identified here should match that of NoAppServer. If different, it is potentially a different installation on the same server.

  • ActiveMQ
    "$ ps -ef | grep ""java "" | grep com.sterlingcommerce.
jms.activemq.SCIBrokerFactory| grep -Eo ""\-classpath.
*bootstrapper.jar]*"" 
-classpath /install_dir/jar/bootstrapper.jar

    The installation directory identified here should match that of NoAppServer. If different, it is potentially a different installation on the same server.

Setting process arguments
  • Ensure that all process arguments (paths) point to locations within the application directory.
  • NoAppServer
    The key paths in the process arguments should be as given below: 
    install_dir/jdk/bin/java 
-Djava.io.tmpdir=install_dir/tmp
-DvendorFile=install_dir/properties/servers.properties
-classpath install_dir/jar/bootstrapper.jar
-f install_dir/properties/dynamicclasspath.cfg
    Example:
    ps -ef | grep ""java "" | 
grep ""NoAppServer""
    install_dir/jdk/bin/java -d64 
-Xhealthcenter:port=10004 -Xms960m -Xmx1920m 
-Djava.net.preferIPv4Stack=true 
-Xmns320m -Xmnx640m -Xjit:exclude=
{com/yantra/yfc/dom/YFCElement.getChildren*:
com/yantra/tools/xsdgen/FileLoaderTree.findDeps*},
count=1000 -Xgcpolicy:gencon 
-Xss256k -Djava.awt.headless=true 
-Dorg.apache.xml.dtm.DTMManager=
org.apache.xml.dtm.ref.DTMManagerDefault 
-Djsse.enableCBCProtection=true 
-Xdump:heap:none -Xdump:heap:events=
systhrow,filter=java/lang/OutOfMemoryError,range=1..4 
-Xdump:heap:events=gpf+user -Djava.io.tmpdir=
/opt/ibm/sfg52/tmp 
-XX:CompileCommandFile=.hotspot_compiler -d64 
-Dssh.maxWindowSpace=4194304 
-Dcom.certicom.tls.record.maximumPaddingLength=0 
-Dsun.rmi.dgc.server.gcInterval=900000 
-Dsun.rmi.dgc.client.gcInterval=900000 
-Djava.net.preferIPv4Stack=true 
-Dorg.mortbay.jetty.servlet.AbstractSessionManager.
24SessionDestroyed=true 
-Dvendor=noapp -DvendorFile=/opt/ibm/sfg52/properties/
servers.properties 
-classpath /opt/ibm/sfg52/jar/bootstrapper.jar com.
sterlingcommerce.woodstock.noapp.NoAppLoader 
-verbose -class com.sterlingcommerce.woodstock.
noapp.NoAppServer 
-f /opt/ibm/sfg52/properties/dynamicclasspath.cfg
  • OpsServer
    The key paths in the process arguments should be as shown below: 
    install_dir/jdk/bin/java
-Djava.io.tmpdir=install_dir/tmp
install_dir/jar/bootstrapper.jar
-DvendorFile=install_dir/properties/opsvendor.properties
install_dir/properties/dynamicclasspath.cfg
    Example: 
    ps -ef | grep "java " |  grep "com.sterlingcommerce.
woodstock.ops.server.OpsServer”
    /sfg       5408  5358  2 
13:48 pts/0    00:00:04 install_dir/jdk/bin/java -d64 
-Djava.io.tmpdir=install_dir/tmp 
-XX:CompileCommandFile=.hotspot_compiler -d64 
-Dssh.maxWindowSpace=4194304 
-Dcom.certicom.tls.record.maximumPaddingLength=0 
-Dsun.rmi.dgc.server.gcInterval=900000 
-Dsun.rmi.dgc.client.gcInterval=900000 -Xms64m -Xmx512m 
-classpath install_dir/jar/bootstrapper.jar -Dvendor=ops 
-DvendorFile=install_dir/properties/opsvendor.properties 
com.sterlingcommerce.woodstock.noapp.NoAppLoader -class 
com.sterlingcommerce.woodstock.ops.server.OpsServer 
-f install_dir/properties/dynamicclasspath.cfg 
-invokeargs 10027 opsserver.txt
  • Listeners
    The key paths in the process arguments should be as given below: 
    install_dir/jdk/bin/java
$install_dir/client/runclient/RunClient.jar
$install_dir/properties/startlisteners.properties
    Example:
    ps -ef | grep "java " | grep RunClient.jar
    install_dir/jdk/bin/java -Xms128m -Xmx512m 
-Dorg.apache.commons.logging.Log=com.sterlingcommerce.
woodstock.bi.util.BILogger -jar 
install_dir/client/runclient/RunClient.jar 
install_dir/properties/startlisteners.properties
  • ActiveMQ
    The key paths in the process arguments should be as given below:
    /install_dir/jdk/bin/java
-Djava.io.tmpdir=install_dir/tmp
-DvendorFile=install_dir/properties/servers.properties
-Dactivemq.base=install_dir/activemq
-Djava.security.auth.login.config=install_dir/activemq/
conf/login.conf
-classpath install_dir/jar/bootstrapper.jar 
-f install_dir/properties/ACTIVEMQDynamicclasspath.cfg 
-invokeargs install_dir/activemq/conf/activemqconfig.xmlConfig:
    Example:
    ps -ef | grep "java " | grep activemq
    
"install_dir/jdk/bin/java -d64 
-Djava.io.tmpdir=install_dir/tmp -XX:CompileCommandFile=
.hotspot_compiler -d64 
-Dssh.maxWindowSpace=4194304 -Dcom.certicom.tls.record.
maximumPaddingLength=0 
-Dsun.rmi.dgc.server.gcInterval=900000 -Dsun.rmi.dgc.
client.gcInterval=900000 
-Xms512m -Xmx512m 
-Dvendor=shell -DvendorFile=install_dir/
properties/servers.properties 
-Dactivemq.base=install_dir/activemq 
-Djava.security.auth.login.config=install_dir/
activemq/conf/login.conf 
-classpath /install_dir/jar/bootstrapper.jar 
com.sterlingcommerce.woodstock.noapp.NoAppLoader 
-f install_dir/properties/ACTIVEMQDynamicclasspath.cfg -class 
com.sterlingcommerce.jms.activemq.SCIBrokerFactory -invokeargs 
install_dir/activemq/conf/activemqconfig.xml activemq.txt"

Granting permissions

dynamicclasspath.cfg file
  • The install_dir/properties/dynamicclasspath.cfg file lists all jar (binary) files that are loaded when the application (Noapps/Opsserver) starts.
  • The file permissions for dynamicclasspath.cfg should be set to 640 to ensure that the file is not modified than during patch or upgrade installations.
  • Example: expr `stat -c %a install_dir/properties/dynamicclasspath.cfg` == '640'
ACTIVEMQDynamicclasspath.cfg file
  • The install_dir/properties/ACTIVEMQDynamicclasspath.cfg file lists all jar (binary) files that are loaded when the application (activemq ) starts.
  • The file permissions for ACTIVEMQDynamicclasspath.cfg should be set to 640 to ensure that the file is not modified than during patch or upgrade installations.
  • Example: expr `stat -c %a install_dir/properties/ACTIVEMQDynamicclasspath.cfg` == '640'
.in files
  • If there are access controls set for a file, the same controls must be set for its corresponding .in file as well if it exists. For example, install_dir/properties/dynamicclasspath.cfg must be writable only by the application owner. Hence, the dynamicclasspath.cfg.in file must also have the same file permissions.
Binary files
  • Binaries should be secured with READ only access. During patch or upgrade installations, write permissions might be required to delete or replace them with newer versions.
  • Binaries used at runtime are specified in the dynamicclasspath.cfg, ACTIVEMQDynamicclasspath.cfg and startlisteners.properties files. All the jar files listed should be only readable by the runtime user (user_exec).
  • Each VENDOR_JAR file listed in either install_dir/properties/dynamicclasspath.cfg or install_dir/properties/ACTIVEMQDynamicclasspath.cfg should have file permissions == 660.
  • The following command lists all the jars in these two files: 
    cat install_dir/properties/dynamicclasspath.cfg 
install_dir/properties/ACTIVEMQDynamicclasspath.cfg 
install_dir/properties/startlisteners.properties 
install_dir/properties/startlisteners.properties*ext 
| grep JAR | sort | uniq | grep -Eo "/.*"
property files
  • Property files are first generated during the installation in the install_dir/properties (UNIX/Linux) directory or the install_dir\properties (Windows) directory and are usually named as filename.properties. Some files have other suffixes including .xml, .xsl, .cfg, and .ini.
  • Five different kinds of property files exist in Sterling B2B Integrator: *.properties, *.properties*_ext, *.properties.in, *.properties*_ext.in, and customer_overrides.properties.
  • Only the application owner should have write access to the properties file.
  • Operators who need to modify the properties file should request the application user to make the changes.
  • The following files should have file permissions set to 640: *.properties, * _ext, *.cfg, *.xml, *.in
  • The following files, which can be changed during runtime by the application via configuration changes made through the UI, should have file permissions set to 640: 
    install_dir/properties/tuning.*
install_dir/properties/system_overrides.properties
install_dir/properties/tuning.properties
install_dir/properties/tuningPreviousSettings.properties
  • Related documentation: Working with Property Files
opsvendor.properties
  • The install_dir/properties/opsvendor.properties file contains the locations of the MAPPED property files used by the OpsServer. All properties listed in this file should be writable only by the application owner.
  • cd install_dir/properties
  • $ ls -1 
opsvendor.properties*
    opsvendor.properties
opsvendor.properties_b2b_base_ext 
opsvendor.properties_b2b_base_ext.in 
opsvendor.properties.in 
opsvendor.properties_platform_activemq_ext 
opsvendor.properties_platform_activemq_ext.in 
opsvendor.properties_platform_ifcresources_ext 
opsvendor.properties_platform_ifcresources_ext.in
startlisteners.properties
  • The install_dir/properties/startlisteners.properties file is similar to dynamicclasspath.cfg and contains a list of jars (binaries) that are loaded during the execution of the runtime processes. This file should not be modified outside of maintenance activities.
  • The startlisteners.properties.* files should be writable only by the application owner and group permissions allow only read access.
  • The files listed below should have file permissions set to 640.
    $ ls -1 install_dir/properties/startlisteners.properties*
    startlisteners.properties
startlisteners.properties.in
startlisteners.properties_asset_ext
startlisteners.properties_asset_ext.in
startlisteners.properties_b2b_ext
startlisteners.properties_b2b_ext.in
startlisteners.properties_einvoicing_ext
startlisteners.properties_einvoicing_ext.in
startlisteners.properties_gis_ext
startlisteners.properties_gis_ext.in
startlisteners.properties_standards_ext
startlisteners.properties_standards_ext.in
Backup directories
  • Any directory named backup should be accessible only to the application owner.
  • Whenever the install_dir/bin/setupfiles.sh or install_dir\install\bin\setupfiles.cmd script is executed, new copies of all properties are generated.

Enabling CLA2Client.jar

  • Verify if the LAUNCH_CLA2_SERVER=true parameter is available in the sandbox.cfg file. If present, the CLA2 server will be started on the local server when Sterling B2B Integrator starts.
    grep LAUNCH_CLA2_SERVER install_dir/
install/properties/sandbox.cfg
    LAUNCH_CLA2_SERVER=true
  • Related documentation: Command Line Adapter 2 Upgrade Impacts (5.2.4.1_2 or higher)

Using ActiveMQ

activeMQ login.conf
  • The install_dir/activemq/conf/login.conf file defines the ActiveMQ authentication module and the location of the uiaccess.properties file.
  • Ensure that the file permissions for login.conf is set to 640 and the referenced file matches the example below:
    $ cat install_dir/activemq/conf/login.conf
adminLoginModule {
        org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule 
        required
        debug="true"
        file="install_dir/activemq/conf/uiaccess.properties";
      };
Accessing the ActiveMQ user interface (uiaccess.properties)
  • The ActiveMQ Admin UI is disabled by default. To enable it, see ActiveMQ Modularization.
  • If ActiveMQ Admin UI enabled, users are configured in the install_dir/activemq/conf/uiaccess.properties property file. This file lists the users who can access the ActiveMQ Admin UI and their passwords.
  • This file should be writable only to the application owner (user_install) and readable to the runtime users (user_exec). This file should have file permissions set to 640.
  • The default users and their passwords should be replaced with appropriate values.
  • All passwords should be hashed, indicated by the prefix 'MD5'.
  • Ensure that the uiaccess.properties file does not contain entries for the uiadmin and uiuser users.

activeMQ credentials.propertes

  • The install_dir/activemq/conf/credentials.properties and credentials.properties.in files contain the ActiveMQ server user name and password. These default user name and password should be replaced with appropriate values.
  • After changing the default values, the new values must be propagated to all other ActiveMQ configuration files. The username and password fields should not contain the default values.
    cat install_dir/credentials.properties
activemq.username=jmsadmin
activemq.password=password

Audit logging

  • Events are generated each time a resource is created, updated, or deleted. The events are stored in the ADMIN_AUDIT table.
  • This table should be writable only to the application's DB user and must not be writable to other database users.