Page tree
Skip to end of metadata
Go to start of metadata

On this page:

Target audience:

CAST Platform Administrators

Summary: this section provides details about deploying and configuring the "Front Office" components as part of a secured deployment.

Introduction

As described in Deployment - security, to deploy CAST AIP securely, the various CAST AIP components are divided into two distinct groups known as Front and Back Office. A standard CAST AIP installation is described in Install CAST AIP which you should read and understand. However, this section describes all the additional configuration that should be completed for the Front Office components (over and above the standard CAST AIP installation) to ensure that the deployment of CAST AIP conforms to security standards.

Delivery folder

The Delivery folder is first and foremost a location used by the CAST AIC Portal for storing successive and compressed versions of an application's source code as packaged by the Delivery Manager(s) using the CAST Delivery Manager Tool. In addition, the CAST Management Studio also requires access to this same Delivery folder so that source code packaged by the Delivery Manager(s) can be acquired and then analyzed.

As such, the choice of location for the Delivery folder is extremely important and may impact where the CAST AIC Portal is installed.

Please see:

CAST Storage Service

If you decide to use the CAST Storage Service (a dedicated database system provided by CAST) to host the Storage components (the CAST schemas: Management Service, Analysis Service, Dashboard Service and Measurement Service) instead of using a commercially available (andsupported) RDBMS (such as Microsoft SQL Server or Oracle Server), you will need to use a dedicated physical machine 

You can deploy the CAST Storage Service either on Linux or Windowshowever, for security and performance reasons, it is highly recommended to deploy the CAST storage Service on Linux:

Web application server and web applications

The objective is to configure the CAST web applications in accordance with OWASP (Open Web Application Security Project) guidelines. This configuration has been tested by CAST via a security audit.  To secure the web applications, you will need to configure:

  • The web application server on a dedicated machine (CAST provides documentation for deployment on Apache Tomcat only. Other web application servers may be compatible (see Supported Platforms), but no documentation is provided).
  • Each web application (i.e. the CAST AIC Portal, CAST Application Analytics Dashboard, CAST Application Engineering Dashboard etc.):
    1. Use of Active Directory/LDAP authentication methods
    2. Use of the Audit Trail to trace end user activities
    3. Secure configuration of back-end database access (only relevant for the AAD/AED/RestAIP web applications)

Additionally, you can also configure a reverse proxy (using an Apache web server) to hide the Apache Tomcat web application server or take advantage of secure access via HTTPS.

Web application server

Web applications

CAST AIC Portal

Securely configure the CAST AIC Portal as described in CAST AIC Portal - security configuration options. This page details the following security configuration options:

AAD - AED - RestAPI

Securely configure the CAST Application Analytics Dashboard/CAST Application Engineering Dashboard/CAST Rest-API as described in AAD - AED - RestAPI - security configuration options. This page details the following security configuration options:

End-users / Delivery Managers and the CAST Delivery Manager Tool

The CAST Delivery Manager Tool is a standalone end-user tool that entirely manages the discovery, selection, extraction and delivery of source code ready for analysis in the CAST Management Studio. The CAST Delivery Manager Tool will be prevented from being downloaded from the CAST AIC Portal to a workstation if the following Java JRE settings available in the Java Control Panel are all enabled:

Security tab

Security Level set to Very High

Java 7Java 8

Advanced tab

  • Perform certificate revocation checks on is set to All certificates in the chain of trust

AND

  • Check for certificate revocation using is set to Online Certificate Status Protocol (OCSP)

 

Recommended settings

CAST recommends that ONE of the following settings is used instead:

  • Set the Security Level to High

OR

  • Set Perform certificate revocation checks on to Publisher’s certificate only

OR

  • Set Check for certificate revocation using to Certifcate Revocation Lists (CRLs)

OR

  • Set Check for certificate revocation using to Both CRLs and OCSP

OR

  • Put the CAST AIC Portal’s URL into the Exception Site List in the (Security tab of the Java Control Panel):

  • No labels