2.2.9. Server cluster security


2.2.9.1. General information

When 1C:Enterprise runs in client/server mode, data security is achieved by ensuring that 1C:Enterprise data is only accessed using 1C:Enterprise tools. In this context, a number of major security areas can be defined.

Fig. 11. General data security structure

All client applications and external connections access the 1C:Enterprise data only via 1C:Enterprise server cluster. For successful authentication, the user must enter their valid 1C:Enterprise username and password.

The 1C:Enterprise server cluster processes both infobase data and its own internal data. The server cluster is therefore responsible for data security in the following areas (for an explanation of the area numbering, see fig. 11):

  • Data exchange between the client and server cluster (1)
  • Data exchange between the server cluster console and server cluster (2)
  • Data exchange between the server cluster and web server (7)
  • Internal data storage in the server cluster (3)
  • Data exchange within the server cluster (4)

The infobase is stored in a database. Infobase security, as well as data security during exchange between the server cluster and the database server, is provided by the DBMS (5).

When an infobase is connected via a web server, data security during exchange between the client application and web server is provided by the web server (6).

2.2.9.2. Security of data exchanged between a client and a server cluster

2.2.9.2.1. General information

Security of data exchanged between the client and the server cluster is achieved through data encryption. Three security levels are available:

  • Never
  • Connection only
  • Always

The Never level is the least secure and the Always level is the most secure. A secure TCP/IP connection with RSA and Triple DES encryption is used.

2.2.9.2.2. "Always" security level

The Always security level provides full-range protection for data (including passwords) being exchanged between the client and the server cluster.

The client and server cluster interaction protocol is outlined below.

Fig. 12. "Always" security level

The same interaction protocol is used for the cluster manager (rmngr) and for the working process (rphost): once the connection is established, the first data exchange procedure is RSA encrypted while all subsequent data exchange uses Triple DES encryption.

The security level is specified when an infobase is created. This information is stored both on the client (in the infobase list) and in the server cluster (in the server registry). You cannot change the security level of an infobase after it has been created. The client application can, however, request that the security level be increased.

For that reason, when a connection is established, the client generates an RSA key pair (a private key and a public key) and sends the public key, together with the security level specified on the client for this infobase, to the server cluster. This is the target security level.

The server cluster selects the higher of the two levels: the one sent by the client and the one specified for this infobase in the cluster registry. This is the actual security level. The server cluster then generates a Triple DES session key, encrypts it with the client's public key, and sends it (together with the actual security level) to the client.

All subsequent data exchange is performed at the actual security level. Both the client and the server encrypt the transferred data using the Triple DES session key.

2.2.9.2.3. "Connection only" security level

The Connection only security level provides partial protection for data (passwords only) being exchanged between the client and the server cluster. This security level offers a good balance between safety and performance.

The infobase data is sent without encryption. This constitutes a negligible performance impact.

However, crucial information (passwords) is sent in encrypted form. Therefore, any malicious user that intercepts the data stream will not be able to read any significant amount of the infobase data. Password encryption prevents malicious users from passing infobase authentication in order to gain full data access or perform any infobase operations.

The client and server cluster interaction protocol is outlined in fig. 13.

Fig. 13. "Connection only" security level

Once the connection is established, the first data exchange procedure is RSA encrypted while all subsequent data exchange uses Triple DES encryption until the authentication is completed. All data exchange after that moment is not encrypted.

2.2.9.2.4. "Never" security level

The Never security level offers the weakest protection at the lowest performance cost. The vast majority of data is sent without encryption.

The client and server cluster interaction protocol is outlined below.

Fig. 14. "Never" security level

Once the connection is established, the first data exchange procedure is RSA encrypted. All data exchange after that moment is not encrypted.

If the client application and server cluster are located on the same computer and security level is set to Never, all data is sent without encryption.
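The negotiation rule and the per-level encryption coverage described in sections 2.2.9.2.2 through 2.2.9.2.4 can be modelled compactly. The following is an added illustration written for this page, not 1C code: the level names, phase names and function names are assumptions, and the same "take the higher level" rule is the one the server agent applies in section 2.2.9.3.

```python
"""Model of the 1C:Enterprise client/server-cluster security-level handshake.

Added illustration, not 1C code: it reproduces the negotiation rule (the
cluster takes the higher of the client's target level and the registry level)
and which phases of a session are encrypted at each level, as described above.
"""
from enum import IntEnum


class Level(IntEnum):
    NEVER = 0            # only the first (RSA) exchange is protected
    CONNECTION_ONLY = 1  # protected until authentication completes
    ALWAYS = 2           # everything protected with the 3DES session key


# Phases of one session, in the order they occur (names are assumptions).
PHASES = ("key_exchange", "authentication", "data_exchange")


def negotiate(target: Level, registry: Level) -> Level:
    """Actual level: the client may raise the level but never lower it."""
    return Level(max(target, registry))


def cipher_for(level: Level, phase: str, same_host: bool = False):
    """Cipher protecting one phase at the actual level, or None for clear text."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    if level == Level.NEVER and same_host:
        return None  # local client at Never level: nothing is encrypted
    if phase == "key_exchange":
        return "RSA"  # public key out, 3DES session key back, at every level
    if phase == "authentication":
        return "3DES" if level >= Level.CONNECTION_ONLY else None
    return "3DES" if level == Level.ALWAYS else None  # data_exchange


def session_coverage(target: Level, registry: Level, same_host: bool = False) -> dict:
    """Map each phase to its cipher for a session negotiated from the inputs."""
    actual = negotiate(target, registry)
    return {phase: cipher_for(actual, phase, same_host) for phase in PHASES}


def exposes_passwords(target: Level, registry: Level, same_host: bool = False) -> bool:
    """True when credentials would cross the network in clear text (Never level)."""
    return session_coverage(target, registry, same_host)["authentication"] is None
```

Because the cluster always takes the higher level, setting Always in the cluster registry protects every infobase session regardless of what the client's infobase list says; the reverse (a stricter client) is only a request the registry cannot weaken.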

2.2.9.3. Security of data exchanged between the server cluster console and a server cluster

Security of data exchanged between the server cluster console and the server cluster is achieved through data encryption. The following security levels are used: Never, Connection only, and Always.

The server cluster console interacts with the server agent (ragent process). The required security level is specified at server agent startup. The server agent selects and applies the higher of the security level specified at startup and the security levels of all clusters located on the main server. The cluster security level is specified when the cluster is created (interactively or programmatically).

2.2.9.4. Security of data stored in a server cluster

2.2.9.4.1. General information

A server cluster uses internal data, such as a list of server clusters, cluster registries, and more. All internal data is stored in files in two directories:

  • Application data directory
  • Temporary files directory

The general policy of handling the internal data is that only the cluster manager (rmngr) and the server agent (ragent) can access internal data of the server cluster. Working processes (rphost) access internal data only via the cluster manager. Since these processes can run configuration code snippets, they are considered potentially dangerous.

2.2.9.4.2. Security of application data directory

During 1C:Enterprise server cluster deployment, a special directory, which is used to store 1C:Enterprise server cluster files, is created in the application data directory.

Fig. 15. Application data directory

Full rights for this directory are granted to the user account USR1CV8 that runs the server agent by default. No other users are allowed to access this directory. The server agent starts the cluster manager under the same user account that was used to start the server agent.

The server agent also starts working processes. By default, a working process is started under the same user account that was used to start the server agent. However, an additional operating system user account can be created that will start working processes only. This technique is used to prevent the configuration code from directly accessing internal data.

To start a working process under a different user account (not the user account that was used to start the server agent), you need to place the swpuser.ini file in the application data directory of the server agent user.

2.2.9.4.3. Security of temporary files directory

Temporary files data is protected in a different manner. As the system temporary files directory is a shared directory, the access rights for each temporary file are granted separately.

When a temporary file is created by 1C:Enterprise server cluster, the USR1CV8 user is granted full rights to the created file. No other users are allowed to access this file. This means that all the data stored in temporary files is protected from unauthorized access.

Fig. 16. Access restriction

2.2.9.4.4. Encryption of passwords stored in internal data of server cluster

Server cluster administrator passwords and infobase access passwords are encrypted and stored in the server cluster. SHA1 and AES128 algorithms are used for password encryption.

  • SHA1 is used to store passwords that 1C:Enterprise checks (for example, cluster administrator password, main server administrator password). Passwords themselves are not stored and therefore cannot be recovered. Only their checksums are stored for comparison against the checksums of entered passwords.
  • AES128 is used to store passwords that can be decrypted (for example, DBMS passwords).

2.2.9.5. Security of data exchanged within a server cluster

Security of data exchanged within a server cluster (for example, between working processes and the cluster manager) is achieved through data encryption. The following security levels are used: Never, Connection only, and Always.

The cluster security level is applied to interactions between a working process and the cluster manager. The security level applied for interaction between the server agent and cluster manager is the higher security level selected from the security level used at server agent startup and the security level of the cluster served by this manager.

2.2.9.6. Security of data exchanged between a server cluster and a DBMS

Security of the data channel between a server cluster and a DBMS is provided by DBMS tools. All supported database management systems can encrypt the traffic between the client components in a cluster and the DBMS, and all of them can exchange data over SSL.

2.2.9.7. Security of data exchanged between a client and a web server

SSL or TLS encryption protocols are used to secure the channel between a web client (or a thin client) and the web server.

These protocols are supported over the web server's HTTPS connection. This requires that a valid server certificate is available on the server, guaranteeing the authenticity of the server public key used for data encryption. Client certificates that ensure client authenticity can be used as well.

You need to consider restrictions related to the operating system running the application. For example, the Linux client does not support client certificates from the Windows certificate store.

2.2.9.8. Security of data exchanged between a web server and a server cluster

Security of data channels between a server cluster and a web server is provided by data encryption algorithms available in 1C:Enterprise: RSA and Triple DES.

Connection between a cluster and a web server is only secured by the cluster in accordance with the properties of the connected infobase.

2.2.9.9. Main server and cluster administrators

A 1C:Enterprise server cluster is administered either with or without administrator authentication.

If authentication is disabled, any user connected to a main server of the cluster can perform any administrative actions both on the main server and any cluster on this server. By default, administrator authentication is disabled when 1C:Enterprise server cluster is deployed.

To restrict the number of users allowed to perform administrative tasks, you can create separate administrator lists for the main server and for each cluster on this server. Areas of authority of main server administrators and cluster administrators do not overlap.

Users authenticated as main server administrators can perform administrative tasks on the main server. However, to perform any administrative tasks on a specific cluster, the user must be authenticated as administrator of this cluster. Authentication as the server administrator is not required for this purpose.

Main server/cluster administrator authentication is enabled automatically as soon as at least one administrator is added to the main server/cluster administrator list.

If authentication is enabled, users not authenticated as main server administrators can only view or modify main server connection parameters in the server cluster administration console.

Users not authenticated as cluster administrators can only view cluster properties. These users can also create objects such as a cluster or an infobase using 1C:Enterprise language expressions, but they cannot register these objects in the cluster.
