Secure deployment for Service Virtualization
This topic describes the various security aspects to consider when installing Service Virtualization.
TCP Ports
To learn about the default ports that are available for Service Virtualization, see Service Virtualization TCP port overview. Although the installer opens these ports on the local firewall, it is likely that you will need to configure additional firewalls, so that the consumers of the virtual services will be able to access them.
Privileges and access rights
The required privileges and access rights are described in the Software requirements.
When are administrator privileges needed by SV Designer end users?
As mentioned in the Software requirements, administrator privileges are required to create a new HTTP agent. These privileges are required because this action might need to open a port on the firewall or register an SSL certificate.
When this configuration is handled automatically, and there is no need for administrator privileges, you can disable them in the app config. For details, see Windows firewall and TCP port configuration.
How to avoid exposing passwords in files
There are multiple places where plain text passwords could be stored without encryption.
- Agent configuration
- Application configuration files
- Project files
Password encryption is enabled by default during installation. For details, see Password encryption.
How to avoid exposing passwords on Command Line
When using SVConfigurator to manage the Service Virtualization server, you can authenticate either by providing a username/password on the command line or by referencing a server from a properties file. The latter is often more secure, as some operating systems might cache executed commands. You must, however, take precautions to protect this file, since the passwords in it are stored in plain text. For information about the servers.properties file, see Deploy a virtual service on multiple Service Virtualization servers.
How to avoid exposing sensitive data in the data models
Data models can contain sensitive information, such as social security numbers and credit card numbers, if the data model was populated with production data. To mask this sensitive data, use the data masking feature. It must be enabled before the recording or importing is performed. Data recorded before data masking was enabled will not be masked.
Using SSL Certificates
During installation, you can use your own certificate (default) or allow the installer to generate a self-signed one. It is recommended to use a certificate trusted by the clients in the user environment. This prevents warnings when users access the Service Virtualization Management web interface, communicate with HTTPS-based virtual services, and so forth. This requires you to request a certificate some time before the installation, as it usually takes time to obtain one.
To change a certificate after the installation, follow the steps provided in SSL certificate specification.
Note: The HTTP Strict Transport Security (HSTS) response header is enabled for the Service Virtualization Management endpoint (port 6086) by default. However, the HSTS header is produced only if the Common Name of the SSL certificate matches the hostname of the Service Virtualization Management URL.
To disable HSTS, in the [INSTALLLOCATION]\Server\bin\SvmRoot\HP.SV.ServiceVirtualizationManager.exe.config file, change the services.useHsts parameter to false. You can also change the max age by modifying the services.hsts.maxAge parameter in the configuration file.
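The following is an added example, not part of the product or its documentation: a small Python check that audits one response from the Management endpoint against the HSTS behavior described in the note above. The hostname, the sample header value, the `MIN_MAX_AGE` review threshold, and the case-insensitive exact comparison used for "matches" are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # assumption: 180-day review threshold, not a product default

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lowercase directives (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def audit_hsts(url, cert_cn, headers):
    """Return a list of findings for one response from the Management endpoint."""
    host = (urlsplit(url).hostname or "").lower()
    hdrs = {k.lower(): v for k, v in headers.items()}
    matches = cert_cn.lower() == host  # assumption: exact, case-insensitive match
    findings = []
    if not matches:
        findings.append(f"CN '{cert_cn}' != host '{host}': no HSTS header expected")
    value = hdrs.get("strict-transport-security")
    if value is None and matches:
        findings.append("HSTS header missing: check services.useHsts")
    if value is not None:
        max_age = parse_hsts(value).get("max-age", "")
        if not max_age.isdigit():
            findings.append("HSTS max-age missing or malformed")
        elif int(max_age) < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is low: check services.hsts.maxAge")
    return findings

def fetch(url):
    """Live check: return (certificate CN, headers). Fails if the certificate is untrusted."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=10)
    conn.request("HEAD", parts.path or "/")
    cert = conn.sock.getpeercert()  # populated because verification is on by default
    resp = conn.getresponse()
    cn = next((v for rdn in cert["subject"] for k, v in rdn if k == "commonName"), "")
    headers = dict(resp.getheaders())
    conn.close()
    return cn, headers

# Constructed sample input (hostname and header value are made up for illustration).
SAMPLE_URL = "https://sv.example.test:6086/"
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300; includeSubDomains"}
```

For a live check, pass the result of `fetch(url)` to `audit_hsts(url, cn, headers)`; a certificate whose subject alternative name matches but whose Common Name does not is the case the note above describes.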
TLS/SSL Considerations
All versions of SSL and older versions of TLS are no longer considered safe. By default, the Service Virtualization installation enables all of these protocols. They are enabled since legacy systems might not communicate with the newer protocols. If your environment supports newer secured versions, you can disable the older ones.
For details on how to modify the default settings, see Enable TLS to replace deprecated SSL protocols.
SV Server Authentication and Authorization Providers
The Service Virtualization server uses Windows, LDAP, and file-based authentication and authorization providers. By default, the Windows installation uses Windows authentication and Linux uses a file-based provider. The file-based provider on Linux is not considered secure. Instead, configure an LDAP provider. For details on how to configure the providers, see LDAP authentication provider.
Server authorization
The Service Virtualization server restricts access to certain actions and resources based on the privileges of the user who logs in. By default, only the user who installed Service Virtualization is privileged to log in to the Service Virtualization server and perform changes.
Administrators should determine who will need to perform tasks on the SV Server and only assign the required permissions. For more information about default groups and server authorization, see Authenticate the SV Server.