Security Enhancements in Informatica 9.6.x 1993-2016 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica Corporation. All other company and product names may be trade names or trademarks of their respective owners and/or copyrighted materials of such owners.
Abstract The following article provides an overview of the security enhancements Informatica made to its products in version 9.6.x. Supported Versions Informatica 9.6.x Table of Contents Overview.... 2 Secure Communication for the Informatica Domain.... 3 Support for Secure Communication.... 3 Keystores and Truststores.... 3 Kerberos Authentication.... 4 Web Client Security.... 4 Data Storage.... 4 Informatica Files.... 4 Passwords.... 5 Analyst Tool and Developer Tool Access.... 5 Administrator Accounts.... 5 Domain Audit Reports.... 6 Apache Tomcat.... 6 Overview In version 9.6.x, Informatica took steps to improve the security of its products in the following areas: Secure Communication for the Informatica domain Kerberos authentication Web client security Informatica files Data Storage Passwords Analyst tool and Developer tool access Administrator accounts Domain audit reports Apache Tomcat 2
Secure Communication for the Informatica Domain If a program transmits data over a network and the program does not use a secure channel, an attacker would be able to see the data in plain text. As a result, the channels are susceptible to a man-in-the-middle attack that compromises the confidentiality and integrity of the data. When secure communication is enabled, data or metadata that gets transmitted over the network is secured. Even if an attacker eavesdrops on the network, the attacker is unable to make sense of the data since it is encrypted. To improve secure communication between services in the Informatica domain, Informatica addressed the following areas in version 9.6.0: Secure communication for more components of the domain Keystores and truststores Support for Secure Communication Versions earlier than 9.6.0 Informatica supports secure communication for the following connections: Browser connections to web application services Web client connections to the Web Services Hub Any connection that uses JavaServer Faces (JSF) Informatica supports secure communication for the following connections: Browser connections to web application services Web client connections to the Web Services Hub Any connection that uses JavaServer Faces (JSF) Between the Informatica domain and PowerCenter services Between PowerCenter services Between the PowerCenter client and services Between the Informatica domain and the repository Between PowerCenter Workflow processes Additionally, Informatica certified SSL for the following native connectors for relational sources and targets: Oracle, DB2, and SQL Server. You can enable secure communication for the whole domain, for a service, or for a connection object. Keystores and Truststores Versions Earlier Than 9.6.0 Many Informatica customers use the default keystores and truststores Informatica ships with its products. All Informatica installations share the default keystores, truststores, and their associated keys. Therefore, anyone with access to an Informatica installer has access to the private key. An attacker with access to the private key could compromise the security of the domain. Informatica supports custom keystores and truststores for secure communication for the domain. Informatica strongly suggests customers use custom generated keystores and truststores. 3
Kerberos Authentication Effective in version 9.6.0, Informatica added support for Kerberos authentication and single sign-on. Kerberos authentication is an industry standard that provides secure authentication between clients, nodes, and services. Kerberos enables centralized access controls and single sign-on capabilities for several Informatica clients, such as the Administrator tool and the Analyst tool. Additionally, Kerberos authentication is supported for native relational connections to the following databases: Oracle, DB2, SQL Server, and Sybase. Web Client Security Effective in version 9.6.0, Informatica tests the security of the Administrator tool and Analyst tool based on the Open Web Application Security Project (OWASP) Application Security Verification Standard. Effective in version 9.6.1, Informatica tests the security of MetaData Manager based on OWASP standards. As a result of this testing, Informatica addressed multiple security issues, including the OWASP Top 10 2013 vulnerabilities. For more information about the OWASP Top 10, see the following page: https://www.owasp.org/index.php/top_10. OWASP publishes the Top 10 every three years. 2013 is the most recent list. The 2010 and 2007 lists are also available at the above link. Data Storage A generic encryption key secures sensitive data stored in the domain and repository as well as XML files on nodes in the domain. Anyone with the encryption key can decrypt the data. This key ships with all Informatica products. Informatica made the following changes to address this issue: Each Informatica installation generates a unique encryption key. This change ensures that the sensitive data in the domain can only be decrypted by users who have access to the unique encryption key. Access to the XML files is restricted based on operating system permissions and privileges. This change ensures that access to the files is controlled. Informatica Files Any user who can log in to a machine where the Informatica server is installed has access to the following sensitive files: Nodemeta.xml Encryption keys Keytab files Keystores Truststores 4
Access to these files is restricted based on operating system permissions and privileges. Since access to these files is limited, sensitive information is secured. Passwords In some instances, passwords are insecurely handled within client applications. Additionally, there are instances where passwords are unnecessarily transmitted from the server to the client and then stored by the client. Informatica made design changes to PowerCenter that prevent passwords from being sent from the server to the client or being stored within client applications. Analyst Tool and Developer Tool Access Fine-grained privileges cannot be specified for the Model Repository Service. Any user can log in to the Analyst tool or Developer tool and access available Model Repository Service instances. In addition to adding fine-grained privileges to the Model Repository Service, users require additional privileges to log in to the Analyst tool or Developer tool. Administrator Accounts The account lockout that was introduced in 9.5.0 does not affect the default administrator account. This limitation allows attackers to attempt a brute-force attack to guess the default administrator's password and gain access to Informatica applications. The default administrator account belongs to all groups and has all available permissions, privileges, and roles. To create additional administrator accounts, you must manually assign permissions, privileges, groups, and roles. Informatica took the following steps to address the issue: Added a lockout for the default administrator account. Added support for an Administrator group. Since the default administrator account is subject to a lockout, the threat of brute-force attacks on the account is mitigated. If the account is locked out, Informatica provides a secure way to unlock the account. Additionally, the Administrator group makes it easier to assign the administrator permissions, privileges, groups, and roles to users. 5
Domain Audit Reports In version 9.6.0, Informatica added support for domain audit reports. A user with the Security privilege can generate an audit report based on data, including the following user information: General information, such as user ID, name, and contact information Group or groups that are assigned to users Role or roles that are assigned to users Privileges that are assigned to users Object Permissions that are assigned to users Apache Tomcat Earlier versions of Informatica use an older release of Tomcat that may be vulnerable to a security issue that is addressed in later versions. Effective in version 9.5.1, Informatica supports Tomcat 7.x. For more information about Informatica support for Tomcat 7.x, see the following statement of support: https://kb.informatica.com/proddocs/pam%20and%20eol/1/informatica%20support%20statement%20for %20Apache%20Tomcat%20Patches%20for%209%205%201%20(v1.0).pdf. Informatica is committed to updating the version of Tomcat that is shipped with its products to mitigate the potential for attacks. To ensure that your Informatica installation uses an up-to-date version of Tomcat, upgrade to the latest version of Informatica. For example, effective in version 9.6.1 HotFix 1, Informatica uses Apache Tomcat 7.0.55.0. This version of Tomcat addresses the vulnerability described in CVE-2014-0227. For a list of vulnerabilities addressed in Tomcat 7.x, see the following information from Apache: http://tomcat.apache.org/security-7.html#apache_tomcat_7.x_vulnerabilities. Author Abhishek Devendraiah Senior Software Security Engineer 6