
VU#180876 - GE Fanuc Proficy Information Portal transmits authentication credentials in plain text

CERT has reported a security issue with Proficy Portal which could allow an attacker on the network path to intercept a user's password during the login process. To mitigate this issue, configure Proficy Portal using one of the following two options:

Integrated Windows Authentication


More information can be found in the Proficy Portal user documentation under the topic Single Sign-On. Integrated Windows authentication (formerly called NTLM, and also referred to as Windows NT Challenge/Response authentication) is a more secure form of authentication because the password itself is never sent across the network: when you enable Integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server, answering a server challenge with a value computed from a hash of the password (NTLM) or presenting a ticket obtained from the domain controller (Kerberos, via Negotiate). Note that this protects only the login; the data returned to populate displays still travels in the clear unless SSL is also enabled, and a captured NTLM response can still be attacked offline, so the two options below are complementary rather than equivalent.

Microsoft's description of the mechanism: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1aa70bfa-add5-4f61-9c7b-a095c1bd4306.mspx?mfr=true

If domain security is being utilized, the easiest and perhaps most secure method of handling user name and password information is to enable Windows Authentication within IIS. In this mode, Internet Explorer and IIS negotiate the security mechanism to use, and the user logged on to the machine running Internet Explorer is authenticated to the IIS server automatically. No password is ever passed between the two computers, so there is no password on the wire to intercept.

To enable IIS Windows Authentication, open the Properties page of the Proficy Portal virtual directory in IIS Manager.

Select the Directory Security tab and then click the Edit button under Authentication and access control. Clear the Enable anonymous access checkbox and select Integrated Windows authentication. Leave Basic authentication cleared as well: it sends the password Base64-encoded, which is no better than plain text.
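The same change can be made and verified from the command line. The following PowerShell script is an added example, not part of the Proficy Portal documentation: it sets the virtual directory to Integrated Windows authentication only with the adsutil.vbs metabase script that ships with IIS 6, reads the value back, and fails if anonymous or Basic access is still allowed. The site id (W3SVC/1, the Default Web Site) and the virtual directory name "ProficyPortal" are assumptions; substitute the values for your installation.

```powershell
# Added example, not from the Proficy Portal documentation: configure the
# Proficy Portal virtual directory in IIS 6 for Integrated Windows authentication
# only, using the adsutil.vbs metabase script that ships with IIS 6, then read
# the setting back and fail if anonymous or Basic access is still allowed.
# Assumptions (hypothetical): the site is W3SVC/1 (the Default Web Site) and the
# virtual directory is named "ProficyPortal". Run from an administrator
# PowerShell prompt on the IIS server.
$adsutil  = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$vdirPath = 'W3SVC/1/ROOT/ProficyPortal'   # hypothetical site id and vdir name

# AuthFlags is a bit mask: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows
# (NTLM/Negotiate), 16 = Digest, 64 = Passport. 4 alone = Integrated Windows only.
$integratedOnly = 4
& cscript //nologo $adsutil set "$vdirPath/AuthFlags" $integratedOnly

# Prefer Kerberos (Negotiate) and fall back to NTLM only for clients that cannot
# obtain a ticket, e.g. when the server is addressed by IP address.
& cscript //nologo $adsutil set "$vdirPath/NTAuthenticationProviders" 'Negotiate,NTLM'

# Read the value back. adsutil prints a line such as
#   AuthFlags                       : (INTEGER) 4
$raw   = & cscript //nologo $adsutil get "$vdirPath/AuthFlags" | Select-Object -Last 1
$flags = [int](($raw -split '\s+')[-1])

if ($flags -band 1)        { throw "Anonymous access is still enabled on $vdirPath" }
if ($flags -band 2)        { throw "Basic authentication is enabled on $vdirPath; it sends the password as cleartext (Base64)" }
if (-not ($flags -band 4)) { throw "Integrated Windows authentication is not enabled on $vdirPath" }
Write-Output "AuthFlags on $vdirPath = $flags (Integrated Windows authentication only)"
```

The read-back step matters more than the set: anonymous access re-enabled on a parent node or by a later installer run silently reopens the plain-text login path, so the check is worth scripting into a periodic configuration audit.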

SSL Encryption
Windows Authentication is an easy and effective way to ensure that authentication happens securely between the client and the server. If this is not sufficient, or your facility is not using domain user authentication, the other option is to encrypt all traffic between the client and server over an SSL (Secure Sockets Layer) connection. This ensures that all network messages are encrypted, including the user name and password along with all the data returned to populate displays. Encrypting every message costs CPU time on both ends, so there is a trade-off between security and performance.

Support has been added in Proficy Portal 2.5 for establishing secure connections between the client and server. The connection uses the Secure Sockets Layer (SSL) protocol to encrypt messages while they travel across the network. SSL depends on a public/private key pair to perform the encryption/decryption, and on a certificate that vouches for the public key, that is, that it really belongs to this server.

Default SSL port


SSL traffic uses a different port number than normal HTTP traffic; by default this port is 443. Verify that the port number is set correctly: in IIS Manager, right-click the web site, select Properties, and check the SSL port field on the Web Site tab.

Certificate
If a certificate does not already exist for the server, one needs to be acquired from a Certificate Authority (CA). It must be issued to this specific server (the host name clients will use in the URL, otherwise browsers and the Java client will reject the name mismatch) and be usable for SSL server authentication. Such certificates can be purchased from companies such as Verisign, Thawte, etc., or issued by an internal enterprise CA that the client machines already trust.

Before Java RMI can be used with SSL, the certificate and its private key need to be exported from IIS and made available to Proficy Portal. To do this, use the certificate export wizard in IIS Manager as follows:

Select the Directory Security tab from the web site properties page.

Press the View Certificate button under Secure communications.

Select Details and press the Copy To File button.

This will start the Certificate Export wizard.

Click Next to bring up the Export Private Key dialog.

The default is not to export the private key; without it, however, the SSL sockets in Java RMI cannot complete the handshake, because the server needs the private key to decrypt or sign the key exchange that sets up the session encryption. Select Yes, export the private key. This requires a password to be entered later in the procedure. Proficy Portal must know this password so it can access the keys; you will configure Proficy Portal with the file name and password later.

Make sure the PKCS #12 (.PFX) format is selected.

Enter a password and don't forget it; it is needed later.

Save the key material to a file on the server. Because this file now holds the server's private key, store it outside any web-served directory and restrict its NTFS permissions to administrators and the account Proficy Portal runs under.

Select Finish when prompted at the final dialog to complete the export.

keyconfig
The certificate and its keys have now been exported to a PKCS#12 format file. This file will be used by Proficy Portal as its keystore. For this to work, Proficy Portal needs to know the location and name of the file, as well as the password you provided, so that it can load the file's contents. A utility is provided in the \webapps\infoAgentSrv\WEB-INF folder called keyconfig.cmd. When it runs, it simply prompts for the name and location of the exported file (make sure the location is a complete path and filename) and the password used to access it.

This utility creates a file in the WEB-INF folder called .keyconfig. It contains the name and location of the keystore as well as its password in an encrypted format. This file is loaded at startup and used to open the actual keystore file. Anyone who can read both .keyconfig and the PKCS#12 file is in a position to recover the server's private key, so protect both files as you would the key itself.
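Once the export and keyconfig.cmd are done, the checks below confirm the pieces fit together before the first SSL start-up. The script is an added example and not Proficy's own code: it verifies the site's secure binding from the Default SSL port section, loads the PKCS#12 file to confirm the private key was actually exported and the certificate matches the name clients will use, and lists any account beyond SYSTEM and Administrators that can read the .pfx or .keyconfig file. The site id, file paths, install root and host name are assumptions; add the Proficy Portal service account to the allowed list if it is not one of those two.

```powershell
# Added example, not Proficy's own code: after the certificate has been exported
# to a PKCS#12 file and keyconfig.cmd has been run, verify (1) that the web site
# listens for SSL on port 443, (2) that the export contains the private key and is
# issued to the name clients will use, and (3) that the .pfx and .keyconfig files
# are readable only by the accounts that need them. Paths, site id and host name
# below are assumptions; the PKCS#12 password is prompted for rather than stored.
$adsutil      = 'C:\Inetpub\AdminScripts\adsutil.vbs'
$site         = 'W3SVC/1'                                   # hypothetical site id
$pfxPath      = 'C:\ProficyPortal\portal.pfx'               # hypothetical export location
$portalRoot   = 'C:\Program Files\Proficy\Proficy Portal'   # hypothetical install root
$keyconfig    = Join-Path $portalRoot 'webapps\infoAgentSrv\WEB-INF\.keyconfig'
$expectedHost = 'portal.example.com'                        # name clients type in the URL
# Accounts that may read the key material; add the Proficy Portal service account if different.
$allowed      = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

# 1. SecureBindings holds the IP:port bindings used for SSL, e.g. ":443:" for all IPs.
$bindings = & cscript //nologo $adsutil get "$site/SecureBindings" | Select-Object -Last 1
if ($bindings -notmatch ':443:') { Write-Warning "SSL binding on $site is '$bindings', not the default :443:" }

# 2. Load the PKCS#12 file the way a keystore would; a wrong password or a
#    damaged file throws here, which is the same failure Proficy Portal would hit at startup.
$password   = Read-Host -AsSecureString 'PKCS#12 password entered in the export wizard'
$storeFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $pfxPath, $password, $storeFlags

if (-not $cert.HasPrivateKey) {
    throw "No private key in $pfxPath; re-run the export wizard and choose 'Yes, export the private key'"
}
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $expectedHost) {
    Write-Warning "Certificate is issued to '$dnsName' but clients will connect to '$expectedHost'; the name mismatch will be rejected"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }
Write-Output ('Subject: {0}  Expires: {1}  Private key: {2}' -f $cert.Subject, $cert.NotAfter, $cert.HasPrivateKey)

# 3. Anyone who can read both files can recover the server's private key, so only
#    the accounts in $allowed should have access.
foreach ($file in @($pfxPath, $keyconfig)) {
    if (-not (Test-Path -LiteralPath $file)) { throw "Missing $file (was keyconfig.cmd run with the full path?)" }
    $extra = (Get-Acl -LiteralPath $file).Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    if ($extra) {
        $who = ($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Warning "$file is also accessible to: $who"
    }
}
```

Loading the .pfx with the .NET X509Certificate2 class is a deliberate choice: it exercises the same password and key-bag handling a PKCS#12 keystore loader does, so a file that passes here is one Proficy Portal can open, and HasPrivateKey catches the most common mistake, accepting the wizard's default of not exporting the key.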
