Product Specific Recommendations

Vine Web/Extranet

Make Web Server Clean

  • It is strongly recommended to have a separate dedicated computer for running Vine Web/Extranet.
  • The web server should contain only the minimum needed software: a JSP-enabled web server (Apache Tomcat) and Vine Web/Extranet.
  • It is recommended that the webapps folder of the Tomcat web server contain only the Extranet, Vine and ROOT folders. Uninstall all the web applications you do not need (remove their folders from the webapps folder), such as "host-manager", "manager" etc.

Secure user rights

  • Tomcat should be running under the user having only the following minimum required rights:
    • Right to start a service
    • "Read" rights on the JRE folder
    • "Full" rights to the following Tomcat folders: work, logs, temp, webapps\vineyard\plug-ins, webapps\vineyard\webplug-ins, webapps\vineyard\temp, webapps\vineyard\csv. Please note that you need to create the webapps\vineyard\temp and webapps\vineyard\csv folders first in order to assign the Tomcat user full rights on these folders.
    • "Read" rights on everything else inside Tomcat, webapps\vineyard and webapps\extranet
  • Make sure that the usernames and passwords of the Tomcat service account and of the Tomcat administrative user are strong enough.

Supervise regularly

  • Regularly review your webapps folder and the Tomcat logs. Look for any unexpected folders in the webapps folder.
  • Apache Tomcat should be updated regularly (monthly) to the latest version.
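The two recommendations about the webapps folder (keep only the Extranet, Vine and ROOT applications, and regularly look for anything unexpected there) can be turned into a small allowlist audit. The following script is an added example and not part of Vine or Tomcat; the default allowlist (ROOT, vineyard, extranet) is taken from the folder names used on this page and should be adjusted to the actual installation, and the sample folder layout it builds is constructed for demonstration.

```python
import tempfile
from pathlib import Path

# Assumption: the expected applications, taken from the folder names this page uses.
# Compared case-insensitively because Windows file systems are case-insensitive.
DEFAULT_ALLOWLIST = ("ROOT", "vineyard", "extranet")


def audit_webapps(webapps_dir, allowlist=DEFAULT_ALLOWLIST):
    """Compare the contents of a Tomcat webapps folder against an allowlist.

    Returns a dict with:
      'unexpected': entries (folders or files, e.g. a dropped .war that Tomcat
                    would auto-deploy) that are not on the allowlist
      'missing':    allowlisted applications that are not present
    """
    allowed = {name.lower() for name in allowlist}
    present = [entry.name for entry in Path(webapps_dir).iterdir()]
    present_lower = {name.lower() for name in present}
    unexpected = sorted(name for name in present if name.lower() not in allowed)
    missing = sorted(name for name in allowlist if name.lower() not in present_lower)
    return {"unexpected": unexpected, "missing": missing}


def build_sample_webapps(root):
    """Create a constructed webapps layout: the expected apps, the stock Tomcat
    manager apps the page says to remove, and a stray .war file."""
    for folder in ("ROOT", "vineyard", "extranet", "manager", "host-manager"):
        Path(root, folder).mkdir()
    Path(root, "backup.war").write_bytes(b"constructed placeholder, not a real archive")


def demo():
    """Run the audit against the constructed layout and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webapps(tmp)
        return audit_webapps(tmp)


if __name__ == "__main__":
    result = demo()
    for name in result["unexpected"]:
        print(f"UNEXPECTED in webapps: {name}")
    for name in result["missing"]:
        print(f"MISSING expected application: {name}")
```

Run it against the real folder with `audit_webapps(r"C:\path\to\tomcat\webapps")`; anything reported as unexpected is either a leftover application to uninstall or something that warrants a look at the Tomcat logs for how it got there.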

Advanced settings

  • Tomcat Realm security. If needed, you can additionally limit access to some Vine Web resources (URL patterns) by using Tomcat's container-managed security. Please refer to the Vine Administrator's Guide for more information.
  • Extranet Verification Security. The "verification" settings define the authentication login process. You normally do not need to change the cryptKey and cryptAlgorythm settings; if you have a good reason to change them, please contact the Vine development team.

About Extranet Automatic Login

Vine Extranet supports automatic login, for example when a user clicks a link in an email sent by Vine Mail Wizard and is taken directly to a page showing data from the Vine database.

Any link to a page publishing Vine database data is a URL that includes several parameters used in the authentication:

http://vine:8080/support2/verification/autologin.jsp?pe=300000046&cdate=15.12.2005_12:03:23&reqpage=EVENT_REG&ev=300006105&m=300006987&e=332446&cs=b876bb8f

  • Checksum. The checksum is calculated with a special algorithm over the whole URL; if anything in the URL has been changed, it will not match the checksum that Vine Extranet recalculates.
  • Person Create Date. When Vine Mail Wizard generates the URL it includes the ID and "create date" of the target person (the one the email is sent to). Vine Extranet verifies this information before showing the requested page. It is impossible to match both of these parameters at the same time without access to the Vine database.
  • Expiration Date. A scrambled expiration date is also passed as a parameter so that the link stops working after some time (two weeks).
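The three checks above (checksum over the whole URL, person ID plus create date looked up in the database, and an expiry) are what a server-side verifier for such a link has to perform, in that order, so that tampered links are rejected before any database lookup. The following is an added example, not Vine's own code: Vine's actual checksum algorithm is not described on this page, so the example substitutes an HMAC-SHA256 over the URL (with the cs parameter removed) under a server-side secret, truncated to the eight hex characters seen in the page's URL; the `exp` parameter, the secret and the person table are all constructed for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: a keyed hash stands in for Vine's undisclosed checksum algorithm.
# Only the server knows the secret, so a link cannot be re-signed after editing.
SERVER_SECRET = b"constructed-demo-secret-not-the-real-key"

# Constructed stand-in for the person table: person ID -> create date.
PERSON_CREATE_DATES = {"300000046": "15.12.2005_12:03:23"}

TWO_WEEKS = 14 * 24 * 3600  # the link lifetime stated on the page, in seconds


def split_link(url):
    """Return (url without cs, parameter dict, cs value or None) in canonical form."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cs = next((v for k, v in pairs if k == "cs"), None)
    kept = [(k, v) for k, v in pairs if k != "cs"]
    unsigned = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return unsigned, dict(kept), cs


def compute_checksum(unsigned_url):
    """Keyed checksum over the whole URL (everything except the cs parameter)."""
    digest = hmac.new(SERVER_SECRET, unsigned_url.encode(), hashlib.sha256).hexdigest()
    return digest[:8]


def sign_link(base_url, params, issued_at):
    """Build an autologin link: add a hypothetical 'exp' parameter, then the checksum last."""
    params = dict(params)
    params["exp"] = str(issued_at + TWO_WEEKS)
    unsigned = base_url + "?" + urlencode(params)
    return unsigned + "&cs=" + compute_checksum(unsigned)


def verify_link(url, now, person_db=PERSON_CREATE_DATES):
    """Return (accepted, reason). Checks run cheapest and most decisive first."""
    unsigned, params, cs = split_link(url)
    # 1. Checksum: any change anywhere in the URL invalidates it. Constant-time compare.
    if cs is None or not hmac.compare_digest(compute_checksum(unsigned), cs):
        return False, "checksum mismatch"
    # 2. Person ID and create date must match what the database holds.
    if person_db.get(params.get("pe")) != params.get("cdate"):
        return False, "person/create date mismatch"
    # 3. Expiry: the link is only good for the stated lifetime.
    if now > int(params.get("exp", "0")):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued = 1_700_000_000
    link = sign_link(
        "http://vine:8080/support2/verification/autologin.jsp",
        {"pe": "300000046", "cdate": "15.12.2005_12:03:23", "reqpage": "EVENT_REG", "ev": "300006105"},
        issued,
    )
    print(link)
    print(verify_link(link, issued + 3600))
    print(verify_link(link.replace("reqpage=EVENT_REG", "reqpage=ADMIN"), issued + 3600))
    print(verify_link(link, issued + TWO_WEEKS + 1))
```

Two design points carry over to any scheme of this kind: the checksum must be keyed with something the recipient never sees (an unkeyed hash over the URL would let anyone recompute it after editing a parameter), and it is compared in constant time before any database access, so a forged link costs the server nothing beyond one HMAC.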

Vine Application Server

Vine Application Server (VAS) communicates with its clients over the Secure Sockets Layer (SSL) protocol. VAS clients (such as the Vine client for Windows, Vine Mobile Replication and other Vine tools) embed a special Vine Application Client component that establishes the VAS connection once the correct Vine username/password combination has been supplied.

Please note again that it is recommended to install Vine Web/Extranet on a separate computer; if you absolutely have to run VAS on the same server as Vine Web/Extranet, make sure that you install only the Oracle Instant Client there (no SQL*Plus or other Oracle tools).

SSL Keys

VAS communicates with its clients using the Secure Sockets Layer (SSL) protocol. To set up SSL encryption for a session, VAS sends the client its public key; the client encrypts its reply with that public key, and VAS decrypts the reply with its private key. Using this public/private key pair, the VAS server and client exchange a random session key, which is then used to encrypt the transmitted data.

The default private key is supplied with the VAS installer, but for stronger security a specially generated private key should be used. Please note that the private key cannot be passphrase-protected, since the VAS service is designed to start without any user interaction, which would otherwise be needed to enter the passphrase.

It is acceptable to use a self-signed certificate, since the current implementation relies on the VAS client and server knowing each other; real use of the certificate is reserved for the future.

Here you can find simple instructions on how to use the openssl tool to generate the private key and the self-signed public certificate:

http://www.madboa.com/geek/openssl/#cert-self

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

A Windows version of the OpenSSL tool is available here:

http://www.slproweb.com/products/Win32OpenSSL.html