Target audience:

CAST AI Administrators

Info
Summary: This section describes how to deploy the CAST Security Dashboard - used for detailed investigation of security related data stored in the CAST Dashboard Service schema generated during the analysis/snapshot generation process.

Prerequisites

...

(tick)

...

Must be already installed and configured on a compatible workstation:

Application Server | Supported
Apache Tomcat 7.0.x 64-bit (where x ≥ 20) | (tick)
Apache Tomcat 8.0.x 64-bit | (tick)
Apache Tomcat 8.5.x 64-bit | (tick)
Apache Tomcat 9.0 x 64-bit | (tick)

Notes:

Please check the Apache Tomcat documentation to ensure that your JRE is supported by your chosen Application Server. For example:

  • Apache Tomcat is supported when installed on either a Microsoft Windows or a Linux Operating System.
  • Java JRE or JDK v. ≥ 1.8.x must be installed on the machine that will host the Application Server.
  • Apache Tomcat 9.0 x64-bit is supported with CAST Dashboard Package v. ≥ 1.17.

...

(tick)

...

Required for accessing the Security Dashboard:

...

Browser

...

Supported

...

Supported by reference

...

Deprecated support

...

Notes

...

Mozilla Firefox

...

(tick)

...

To ensure compatibility you must only use a Dashboard Service schema installed with a version of CAST Security that exactly matches the major, minor or Service Pack release number of the WAR that you are deploying.

Info

You can link the Security Dashboard to one or multiple CAST Dashboard Service schemas, but each Dashboard Service schema must contain at least one snapshot.

...

(tick)

...

The Security Dashboard is provided as a .WAR file (CAST-Security.war).

...

(tick)

...

The CAST Security Dashboard requires that the following CAST extension is downloaded and installed with the CAST schemas. Please ensure that this is the case:

In addition, if you intend to analyze a Java application and would like to include a User Input Security analysis, then you will also need to ensure the following extension is downloaded and installed.

See Download mandatory CAST Extensions for more information.

Actions

Step 1: Deploy the .war file on your web application server

...

Rename WAR file

The name of the .WAR file will be included in the URL used to access the dashboard in a browser, as listed below. Therefore, before you deploy the .WAR file, you may wish to rename it to your own chosen name:

  • ≤ 1.10.0 - the deployed folder will be named CAST-Security

  • ≥ 1.11.0 - the deployed folder will be named com.castsoftware.aip.dashboard.security

Deploy the WAR file

Locate the CAST-Security.war file and move it to the web application installation location. By default on Apache Tomcat this is set to:

No Format
%CATALINA_HOME%\webapps
  • If the Apache Tomcat server is running, the .WAR file will then be unpacked and deployed in a folder called CAST-Security. If the Apache Tomcat server is not running, start it up and the WAR file will be automatically deployed.
  • Once deployed you now need to configure the context.xml file to tell the web application server where the Dashboard Service(s) are stored. This file is located here:
No Format
%CATALINA_HOME%\webapps\CAST-Security\META-INF\context.xml

context.xml file configuration

Tomcat 8 / 8.5 - configuration for one Dashboard Service stored on CSS

If you are using Tomcat 8 / 8.5 to host the Security Dashboard, please follow these instructions:

  • Open the context.xml file (as detailed above) with a Text editor.
  • By default, the file will contain an uncommented template as follows - this is tailored for connections to Dashboard Services located on CAST Storage Service 2 using Tomcat 8/8.5:
No Format
<Resource name="jdbc/domains/AED" url="jdbc:postgresql://localhost:2280/postgres"
	connectionInitSqls="SET search_path TO [Central Schema];"
	username="operator" password="CastAIP"
	auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
	validationQuery="select 1"
	initialSize="5" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/>
  • Set the URL parameter to the server on which the Dashboard Service is located:
    • alter the "localhost" to the name of the server on which the host CSS is located
    • change the port from 2280 (CAST Storage Service 2) to 2282 if you are using CAST Storage Service 3
  • Change [Central Schema] to the name of the Dashboard Service schema (see Create CAST Security schemas).
  • Ensure the username and password parameters for your target CSS are correct (note that if you need to encrypt the username and password to avoid entering names in clear text, please see: Encrypt login and password for database and LDAP from the CAST AIP documentation)
  • You should end up with a section like this:
No Format
<Resource name="jdbc/domains/AED" url="jdbc:postgresql://NEFYN:2280/postgres"
	connectionInitSqls="SET search_path TO SECURITY_CENTRAL;"
	username="operator" password="CastAIP" 
	auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
	validationQuery="select 1"
	initialSize="5" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/>
  • Following any changes you make, save the context.xml file.
Note
Note that it is critically important to configure the initialSize, maxTotal, and maxIdle parameters according to your consumption use case and the number of schemas you want to configure. The default values are high but could probably be decreased to limit the number of active connections to your database instance (e.g. initialSize="2" maxTotal="10" maxIdle="2"). Please consult the relevant Apache Tomcat documentation: https://tomcat.apache.org for more information about these parameters.

Tomcat 7 - configuration for one Dashboard Service stored on CSS

If you are using Tomcat 7 to host the Security Dashboard, please follow these instructions:

  • Open the context.xml file (as detailed above) with a Text editor.
  • By default, the file will contain an uncommented template as follows - this is tailored for connections to CAST Dashboard Services schemas located on CAST Storage Service 2 using Tomcat 8/8.5:
No Format
<Resource name="jdbc/domains/AED" url="jdbc:postgresql://localhost:2280/postgres"
	connectionInitSqls="SET search_path TO [Central Schema];"
	username="operator" password="CastAIP"
	auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
	validationQuery="select 1"
	initialSize="5" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/>
  • You need to comment this template by adding <!-- and --> around the section:
No Format
<!--
<Resource name="jdbc/domains/AED" url="jdbc:postgresql://localhost:2280/postgres"
	connectionInitSqls="SET search_path TO [Central Schema];"
	username="operator" password="CastAIP"
	auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
	validationQuery="select 1"
	initialSize="5" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/>
-->
  • Now locate the Tomcat 7 template for CAST Storage Service - this is located here:
No Format
<!--  Tomcat 7 Documentation : http://ci.apache.org/projects/tomcat/tomcat7/docs/jndi-resources-howto.html -->
<!-- These connections examples on Tomcat 7 are provided for CSS connections especially useful for REST API on central database.
add parameter if you don't want to use the connection pool :
- for CSS : initConnectionSqls="SET search_path TO ${schema};"

template for resources on CSS with connection pool mode :
    <Resource name="jdbc/domains/${domainName}"
            url="jdbc:postgresql://${host}:${port}/postgres"
            username="${user}" password="${password}"
            auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
            validationQuery="select 1" initialSize="5" maxActive="20" maxIdle="10" maxWait="-1"/>

template for resources on CSS without connection pool mode :
    <Resource name="jdbc/domains/${domainName}"
            url="jdbc:postgresql://${host}:${port}/postgres"
            username="${user}" password="${password}"
            initConnectionSqls="SET search_path TO ${schema};"
            auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
            validationQuery="select 1" initialSize="5" maxActive="20" maxIdle="10" maxWait="-1"/>
-->
  • Copy the Tomcat 7 template for CSS "without connection pool mode" into an uncommented area of the file:
No Format
<Resource name="jdbc/domains/${domainName}"
	url="jdbc:postgresql://${host}:${port}/postgres"
	username="${user}" password="${password}"
	initConnectionSqls="SET search_path TO ${schema};"
	auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
	validationQuery="select 1" initialSize="5" maxActive="20" maxIdle="10" maxWait="-1"/>
  • Set the ${domainName} value to AED
  • Set the URL parameter to the server on which the Dashboard Service schema is located:
    • change the ${host} to the name of the server on which the host CSS is located
    • change the ${port} values to 2280 (CAST Storage Service 2) or 2282 (CAST Storage Service 3)
  • Ensure the ${user} and ${password} parameters are correct - use the operator and CastAIP username/password combination if you have not changed these defaults (note that if you need to encrypt the username and password to avoid entering names in clear text, please see: Encrypt login and password for database and LDAP from the CAST AIP documentation)
  • Change ${schema} to the name of the Dashboard Service (see Create CAST Security schemas).
  • You should end up with a section like this:
No Format
<Resource name="jdbc/domains/AED" 
	url="jdbc:postgresql://NEFYN:2280/postgres"
	username="operator" password="CastAIP"
	initConnectionSqls="SET search_path TO V83_CENTRAL_CSS;"	
	auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
	validationQuery="select 1" initialSize="5" maxActive="20" maxIdle="10" maxWait="-1"/>
  • Following any changes you make, save the context.xml file.
Note
Note that it is critically important to configure the initialSize, maxActive and maxIdle parameters according to your consumption use case and the number of schemas you want to configure. The default values are high but could probably be decreased to limit the number of active connections to your database instance (e.g. initialSize="2" maxActive="10" maxIdle="2"). Please consult the relevant Apache Tomcat documentation: https://tomcat.apache.org for more information about these parameters.

Configuring access to multiple Dashboard Services for Tomcat 7/8/8.5

If you would like to configure access to multiple Dashboard Services for use with your Security Dashboard, please do as follows:

  • For each additional Dashboard Service you want to configure access to, please add an uncommented configuration template (these are supplied in the context.xml file - ensure you choose the correct template for Tomcat 7 or Tomcat 8/8.5) for the target CSS underneath the section configured for your initial Dashboard Service
  • First change the name parameter to something other than "jdbc/domains/AED" (the default "name" used in the pre-provided templates) - CAST recommends using the name of your target Dashboard Service - for example "jdbc/domains/SECURITY_CENTRAL" (you must retain the "jdbc/domains" part of the name). This is because each Dashboard Service you connect to the Security Dashboard must have a unique "name" parameter
  • Set the URL parameter to the server on which the additional Dashboard Service is located:
    • change the "${host}" to the name of the server on which the host CSS is located
    • change the ${port} values to 2280 (CAST Storage Service 2) or 2282 (CAST Storage Service 3)
  • Ensure the ${user} and ${password} parameters are correct - use the operator and CastAIP username/password combination if you have not changed these defaults (note that if you need to encrypt the username and password to avoid entering names in clear text, please see: Encrypt login and password for database and LDAP from the CAST AIP documentation)
  • Change ${schema} to the name of the Dashboard Service (see Create CAST Security schemas).
  • Following any changes you make, save the context.xml file.
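
A pre-restart check for the context.xml rules above (unique "name" values, replaced placeholders, Tomcat-specific pool attributes, and the default operator/CastAIP account), as an added example that is not part of the CAST documentation or tooling. The helper name audit_context and the sample file content are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Tomcat 8/8.5 context.xml containing typical mistakes.
SAMPLE_CONTEXT = """<Context>
  <Resource name="jdbc/domains/AED" url="jdbc:postgresql://NEFYN:2280/postgres"
    connectionInitSqls="SET search_path TO SECURITY_CENTRAL;"
    username="operator" password="CastAIP"
    auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
    validationQuery="select 1"
    initialSize="5" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/>
  <Resource name="jdbc/domains/AED" url="jdbc:postgresql://${host}:2282/postgres"
    connectionInitSqls="SET search_path TO [Central Schema];"
    username="app_ro" password="s3cret-constructed"
    auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
    validationQuery="select 1"
    initialSize="2" maxActive="10" maxIdle="2" maxWaitMillis="-1"/>
</Context>"""

# Pool attribute names per Tomcat line, as used in the templates on this page.
POOL_ATTRS = {7: ("maxActive", "maxWait"), 8: ("maxTotal", "maxWaitMillis")}

# audit_context is an illustrative helper, not a CAST or Tomcat API.
def audit_context(xml_text, tomcat_major=8):
    """Return a list of (resource_name, finding); pass 8 for Tomcat 8 / 8.5."""
    findings, seen = [], set()
    stale = POOL_ATTRS[8 if tomcat_major == 7 else 7]  # names from the other line
    for res in ET.fromstring(xml_text).iter("Resource"):
        name = res.get("name", "")
        if not name.startswith("jdbc/domains/"):
            findings.append((name, "name must keep the jdbc/domains/ prefix"))
        if name in seen:
            findings.append((name, "duplicate resource name"))
        seen.add(name)
        if (res.get("username"), res.get("password")) == ("operator", "CastAIP"):
            findings.append((name, "default operator/CastAIP credentials"))
        for attr, value in res.attrib.items():
            if re.search(r"\$\{\w+\}|\[Central Schema\]", value):
                findings.append((name, f"unreplaced placeholder in {attr}"))
        for attr in stale:
            if attr in res.attrib:
                findings.append((name, f"{attr} does not apply to Tomcat {tomcat_major}"))
    return findings

if __name__ == "__main__":
    for finding in audit_context(SAMPLE_CONTEXT):
        print(finding)
```
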

Connection pooling

It is possible to modify the connection configuration for the Security Dashboard to pool multiple CAST Dashboard Service schemas in one resource "domain".  In other words, you no longer have to configure one resource (in the context.xml) per CAST Dashboard Service "schema/database", instead, one resource (in the context.xml) can function for multiple CAST Dashboard Service schemas/databases. Please see Appendix - CAST Dashboard Service schema connection configuration pooling (from the CAST AIP documentation) for more information.

Install the license key

As explained in Dashboard Service license key configuration, when you want to access a CAST Dashboard Service via the Security Dashboard, a special license key is required. This license key grants specific access to one or multiple CAST Dashboard Services for the web application in which it is installed (i.e. the Security Dashboard).

You must therefore install the license key and, if you are using a restricted license key, define data access authorization. These two steps are explained in Dashboard Service license key configuration in the sections How do I install a license key? and How to authorize users when using a RESTRICTED license key.

Restart Tomcat

Before proceeding, ensure you restart your application server so that the configuration changes you made are taken into account.

Test access to the Security Dashboard

  • You can now access the Engineering Dashboard using the URL:
No Format
http://<server_name>:[<port_number>]/CAST-Security
  • You should see the login page as follows - this indicates that the initial setup was successful:

Info
Error messages are documented in Error Messages (from the CAST AIP documentation).

Step 2: Configure user authentication

Step 2 involves configuring how your users will authenticate with the Security Dashboard. Most organizations opt for LDAP/Active Directory integration so that users can use their corporate username/password to access the resources they need. The Security Dashboard also has a built in username/password authentication mechanism which is enabled "out of the box".

See Configuring user authentication.

Step 3: Configure roles

This step involves configuring roles for users and groups that are accessing the CAST Engineering Dashboard. See Configuring user roles.

Step 4: Upload snapshot data for display

Before your users can "consume" data via the CAST Engineering Dashboard, you need to generate snapshot data.

Step 5: Configure data authorization

This step involves configuring data Authorization. An authorization defines permission to a user or group of users to access and "consume the data" in a specific Application in the Security Dashboard. If permission is not granted then any information related to this Application will not be accessible: application properties such as name, technologies or grades and measures, etc. Therefore, an Authorization must be defined before a user/group of users can access a specific application.

See Configuring data authorization.

Additional information

You can find additional information about advanced configuration changes in the CAST AIP documentation, for example:

There is also additional information about implementing an enhanced security configuration for your application server in CAST Dashboard Package - Apache Tomcat installation and configuration options.
