Natural Screen Tester multi-tier architecture supports end-to-end security by utilizing encryption and industry-standard, secured protocols within each layer of communication. The following document details the security measures that are available for each layer, as well as additional security mechanisms available in other Natural Screen Tester components.
Natural Screen Tester server and clients support the ciphers defined at JVM level. See list of supported SSL cipher suites.
Communication between Natural Screen Tester Server and the host can be encrypted using SSL V3. Both client and server authentication are supported. SSL X509 certificate is stored using standard Keystore implementations (JCEKS).
This feature is available for any host that supports SSL V3 communication, however, this has only been tested on Mainframe hosts. It is also possible to use the secured protocol SSH V2.
To configure an SSL connection between the host and Natural Screen Tester
server
Refer to Configuring the SSL Connection.
Natural Screen Tester allows managing password-protected users, groups and their permissions. It is possible to define certain permissions to a group, and then associate users with this group, giving the user the permissions defined for this group or to define specific users permissions. Each user/group can be assigned with read/write permissions at the application or folder level. The users' definitions are saved in an encrypted configuration file.
It is also possible to define users based on Integrated Windows Authentication (formerly NT Authentication).
It is possible to specify passwords of host users as part of the connection information sets of connection pools (to enable connection pooling with automatic login to the host application). These passwords are encrypted and saved in the application's repository.
In order to run the Natural Screen Tester server with a Java security manager enabled, the following flags should be appended to the Start_Process_Parameters in the <Natural Screen Tester installation>\bin\start-gxserver.bat file, or to the JAVA_OPTS in the <Natural Screen Tester installation>\bin\start-gxserver.sh file or to the Start_Process_Parameters in the GXNatural Screen TesterService.ini file:
-Djava.security.manager -Djava.security.policy=./conf/catalina.policy
In the policy file (specified in the path above) the following permissions are set inside a grant section (if a different policy file is used, one should add the following manually):
permission java.net.SocketPermission "localhost:3323" , "listen,resolve,accept";
permission java.net.SocketPermission "localhost:*" , "resolve,accept";
permission java.net.SocketPermission "<host name>:<host port>" , "connect,resolve";
permission java.io.FilePermission "${com.sabratec.gxhome}/-", "read, write, delete";
permission java.io.FilePermission "${catalina.home}/-", "read";
permission java.io.FilePermission "${java.home}/../-", "read";
permission java.io.FilePermission "${java.io.tmpdir}/" , "read, delete, write";
permission java.io.FilePermission "${java.io.tmpdir}/-" , "read, delete, write";
//Natural Screen Tester Xstream usage. Used mostly by Natural Screen Tester configuration persist to XML
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
permission java.lang.RuntimePermission "accessClassInPackage.sun.logging.*";
permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "reflectionFactoryAccess";
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.lang.RuntimePermission "getClassLoader";
// For using Log4J
permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
// Used for showing the server icon in the system tray. Uncomment if needed.
// permission java.lang.RuntimePermission "loadLibrary.GXUtil";
// permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.io.SerializablePermission "enableSubstitution";
permission java.sql.SQLPermission "setLog";
permission java.util.PropertyPermission "com.sabratec.*", "read,write";
permission java.util.PropertyPermission "com.softwareag.*", "read,write";
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "org.apache.adb.properties", "read,write";
permission java.util.PropertyPermission "javax.xml.registry.ConnectionFactoryClass", "write";
Note:
lines with a close that starts with a single '<' character,
should be edited according to the text inside the close.
When Natural Screen Tester is running with SSL support, the following should be added as well:
permission java.io.FilePermission "${java.home}/jre/bin/keytool" ,"execute";