Thursday, March 9, 2017

Securing Openshift Origin Nodes

Background

We have deployed an Openshift Origin based cluster built on the Origin Milestone 4 release. When a security assessment was performed on several of the applications in the cluster, some issues cropped up that needed remediation. Some were in application code; others were in the openshift node configuration, which we discuss here.

SSH issues

One of the issues is SSH weak algorithm support.
To remediate that, we restrict the algorithm lists in /etc/ssh/sshd_config (the file lives under /etc/ssh, not /etc/sshd) by inserting these additional lines:

# mitigation for the security assessment finding: SSH weak algorithm support
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com

Validate the file with sshd -t and check what is actually in effect with sshd -T before restarting sshd, and keep an existing session open while testing a fresh login so a typo cannot lock you out. This MAC list is what an OpenSSH 5.x node can offer; on OpenSSH 5.9 and later prefer hmac-sha2-256 and hmac-sha2-512, because current scanners also flag hmac-sha1 and hmac-ripemd160.
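As an added example (not code from the original post), the following shell script audits a sshd_config for weak ciphers and MACs and runs itself against two constructed sample files. The list of what counts as weak, the sample configs and the temporary file paths are assumptions made for this example, not taken from a real node.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a sshd_config for the
# weak SSH algorithms a scanner flags and exercises it on two constructed
# sample files. The "weak" list is an assumption for this example: CBC
# ciphers, arcfour, blowfish/cast, MD5 and truncated (-96) MACs, umac-64.
WEAK_SSH_RE='^(3des-cbc|arcfour(128|256)?|blowfish-cbc|cast128-cbc|aes(128|192|256)-cbc|rijndael-cbc@lysator\.liu\.se|hmac-md5(-96)?|hmac-sha1-96|umac-64)(-etm)?(@openssh\.com)?$'

# sshd_weak_algos FILE DIRECTIVE   (DIRECTIVE is Ciphers or MACs)
# Prints the weak entries of the first matching directive to stderr.
# Returns 1 if any is found, or if the directive is absent: an absent
# directive means OpenSSH's built-in default list, which on old releases
# still includes CBC ciphers and hmac-md5. Match blocks are not interpreted;
# use "sshd -T" on the node itself for the effective configuration.
sshd_weak_algos() {
    line=$(grep -iE "^[[:space:]]*$2[[:space:]]+[^[:space:]]" "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo "$2: not set, OpenSSH defaults apply" >&2
        return 1
    fi
    weak=$(printf '%s\n' "$line" | awk '{print $2}' | tr ',' '\n' \
           | grep -iE "$WEAK_SSH_RE" || true)
    if [ -n "$weak" ]; then
        echo "$2: weak entries: $(printf '%s\n' "$weak" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# audit_sshd FILE: check both directives; returns 1 if either check fails.
audit_sshd() {
    rc=0
    sshd_weak_algos "$1" Ciphers || rc=1
    sshd_weak_algos "$1" MACs || rc=1
    return $rc
}

# Constructed sample configs (not from any real host): the pre-remediation
# state (no Ciphers line, an MD5 MAC) and the remediation from this post.
TMP=${TMPDIR:-/tmp}/sshd-audit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/weak.conf" <<'EOF'
Port 22
Protocol 2
MACs hmac-md5,hmac-sha1,hmac-ripemd160
EOF
cat > "$TMP/fixed.conf" <<'EOF'
Port 22
Protocol 2
# mitigation for the security assessment finding: SSH weak algorithm support
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
EOF

# Usage: sh sshd_audit.sh [/etc/ssh/sshd_config ...]
# Without arguments the two constructed samples are audited.
if [ $# -gt 0 ]; then FILES=$*; else FILES="$TMP/weak.conf $TMP/fixed.conf"; fi
for f in $FILES; do
    if audit_sshd "$f"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```

Run it against the real file as root (the private host keys make sshd_config itself readable, but the script only needs the config), and treat a "not set" result as a finding, not as a pass.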

SSL issues

The other issue is related to the SSL cipher suites. 3DES is no longer considered secure (64-bit block ciphers are subject to the Sweet32 attack), so we tweak /etc/httpd/conf.d/000001_openshift_origin_node.conf (the SSLCipherSuite line, line 63 in our copy) by appending !3DES:!DES-CBC3-SHA. The !3DES keyword removes every suite that uses 3DES, including the ECDHE and DHE variants, so the explicit !DES-CBC3-SHA is redundant but harmless:

SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES:!DES-CBC3-SHA

Once httpd has been restarted, confirm from another host that openssl s_client -cipher 3DES -connect <node>:443 fails to negotiate a connection.


We also need to disable SSLv2 and SSLv3 in 000001_openshift_origin_node.conf (the SSLProtocol line, line 58 in our copy):

SSLProtocol ALL -SSLv2 -SSLv3

And, because SSL certificate chains are a bit tricky, we also need an SSLCertificateChainFile line (inserted at line 32 of the same file). The file it names must hold the intermediate CA certificate(s) of the server certificate, so when localhost.crt is replaced below, append the issuer's intermediates after the server certificate or point this directive at a separate chain file; otherwise clients see an incomplete chain. (httpd 2.4.8 and later deprecate the directive and read the chain appended to SSLCertificateFile instead.)

SSLCertificateChainFile /etc/pki/tls/certs/localhost.crt

The stock httpd SSL virtual host in /etc/httpd/conf.d/ssl.conf conflicts with openshift's, so delete the whole <VirtualHost> block from that file (the global SSL settings above it can stay).

The final step: replace /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key with the company's valid SSL certificate and its private key, keeping the key owned by root and readable by root only.

Check the result with httpd -t, then restart httpd.

SSL in node proxy issue

The Node.js websocket proxy listens on port 8443 and has the same SSL issues. It is only used when an application in openshift needs websockets, but it is still exposed, so it needs the same treatment.

In /etc/openshift/web-proxy-config.json (between the private key line, line 125 in our copy, and the closing } on line 126) add this line. Since it becomes the last member of the object, the preceding private key line needs a trailing comma, and the new line must not have one:

"ciphers" : "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES:!DES-CBC3-SHA"

Use !3DES here, exactly as in the httpd configuration: a + prefix in an OpenSSL cipher string only moves the matching suites to the end of the preference list and does not remove them, so +3DES would leave the ECDHE and DHE 3DES suites negotiable on 8443.

Also replace the file /opt/rh/nodejs010/root/usr/lib/node_modules/openshift-node-web-proxy/lib/utils/http-utils.js with the latest from https://raw.githubusercontent.com/openshift/origin-server/master/node-proxy/lib/utils/http-utils.js. Fetching it into place with curl -o is simpler than pasting into vi; either way, diff the new file against the installed copy first, since it comes from the master branch and may carry more than the TLS fix. Restart the node web proxy service afterwards.
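As an added example covering both the httpd SSLCipherSuite value above and the proxy's "ciphers" value (not code from the original post or from OpenShift), this shell script checks that a cipher string really bans the groups we care about, and shows why a + prefix is not a ban. The set of groups that must be banned, the sample strings and the optional use of the openssl CLI are assumptions made for this example; the syntax rules it encodes are OpenSSL's documented cipher-string semantics.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenShift. Checks an
# OpenSSL cipher string (Apache SSLCipherSuite, the node proxy's "ciphers"
# value) for the groups that must be excluded. OpenSSL cipher-string rules:
# "!X" removes the suites in X permanently, "-X" removes them until a later
# rule re-adds them, and "+X" only moves them to the end of the preference
# list, so "+3DES" is not a ban. The MUST_BAN set is an assumption here.
MUST_BAN='aNULL eNULL RC4 3DES'

# cipher_string_bans STRING: returns 0 when every MUST_BAN group appears as
# "!group"; otherwise names the offenders on stderr and returns 1.
cipher_string_bans() {
    rc=0
    for g in $MUST_BAN; do
        if printf '%s\n' "$1" | tr ':' '\n' | grep -qxF "!$g"; then
            continue
        fi
        if printf '%s\n' "$1" | tr ':' '\n' | grep -qxF "+$g"; then
            echo "$g: '+$g' only reorders the suites, use '!$g'" >&2
        else
            echo "$g: not excluded" >&2
        fi
        rc=1
    done
    return $rc
}

# cipher_string_expands_clean STRING: second opinion via the openssl CLI when
# it is installed, expanding the string and looking for any surviving 3DES,
# RC4 or NULL suite. Builds that compile weak suites out list none either
# way, so this complements cipher_string_bans rather than replacing it.
cipher_string_expands_clean() {
    command -v openssl >/dev/null 2>&1 || return 0
    out=$(openssl ciphers "$1" 2>/dev/null) || {
        echo "openssl rejected the cipher string" >&2
        return 1
    }
    bad=$(printf '%s\n' "$out" | tr ':' '\n' | grep -iE 'DES-CBC3|RC4|NULL' || true)
    if [ -n "$bad" ]; then
        echo "weak suites survive: $(printf '%s\n' "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# The hardened SSLCipherSuite value from this post, and the same string with
# the easy-to-make slip "+3DES" in place of "!3DES". With the slip, the
# explicit "!DES-CBC3-SHA" removes only the RSA key-exchange 3DES suite;
# ECDHE-RSA-DES-CBC3-SHA and EDH-RSA-DES-CBC3-SHA would still be offered.
HARDENED='kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES:!DES-CBC3-SHA'
SLIP=$(printf '%s\n' "$HARDENED" | sed 's/!3DES/+3DES/')

# Usage: sh cipher_string_check.sh   (audits the two strings above)
for s in "$HARDENED" "$SLIP"; do
    if cipher_string_bans "$s" && cipher_string_expands_clean "$s"; then
        echo "OK:   $s"
    else
        echo "FAIL: $s"
    fi
done
```

The same two functions can be pointed at the value pulled out of web-proxy-config.json or at any other cipher string you are asked to sign off on; the string check works on hosts without the openssl binary, and the expansion check catches a string that openssl itself would refuse, which Apache would then fail to start with.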

Conclusion

Some maintenance is needed to ensure openshift origin nodes are not a security liability. These steps reduce the number of platform-level findings that have to be dealt with when securing apps in the Openshift origin cluster.

