Security guidance for the Web Services Option Pack

Protect your server’s TLS certificate private key by storing this in the nShield HSM. This will provide extra protection for the confidentiality of this key, even in the event of server comprise.

Do not change the default ownerships or permissions for the TLS directories and files set by the WSOP installer:

The path under /opt/nfast/webservices/corecrypto must be owned by wsopd user and group. Only wsopd user should have permission to write to files in this directory.

Ensure log levels are set appropriately for your environment. More verbose log levels may expose information that is useful for auditing who uses Web Services Option Pack, but the log information will also contain which REST crypto API operations have been performed. While this may be useful for diagnostics, be aware that this log information could be considered sensitive and should be suitably protected when stored.

The logs files may grow quickly if left unattended for long time. Whoever maintains the web service is responsible for log rotation.

Private key material for Security World keys is not exposed by Web Services Option Pack, it is however, usable by remote clients. Ensure client authentication is enabled at all times.

If using client certificates, create and use a separate root certificate and client certificate hierarchy that is dedicated to servicing clients of the Web Services Option Pack.

Maintain the certificate revocation list, restricting clients that should no longer have access to your Security World keys.

Use issued client certificates only in client applications, avoiding having them imported into regular web browsers, since this may enable a Cross Site Request Forgery attack.

The Web Services tar file integrity can be verified by using the published hash. It is recommended that you verify the integrity of this file before executing it.

The network environment of Web Services Option Pack should be suitably protected to maintain its availability (for example, through use of firewalls, intrusion detection/prevention systems).

Ensure that the Web Services Option Pack’s system clock is set accurately and can only be modified by an authorized system administrator, so that certificate lifetimes are correctly interpreted.

Only authorized system administrators should have access to the Web Services Option Pack and only trusted software should be run on the platform hosting the Web Services Option Pack.

Standard virus prevention and detection measures should be taken on the platform hosting the Web Services Option Pack.

CRL revocation list shall be maintained continuously by pulling the CRL at regular intervals, or whenever it is updated. Web service operation should not be permitted if this cannot be performed.

The Web Services Client Certificates must be created only for approved applications.

Ensure that the integrity of the non-sensitive Security World resource data that exist in WSOP’s database is protected and that access to this database is restricted to authorised and trusted entities.

Ensure that regular backups are taken of WSOP’s database and that these backups are stored in a secure location that only authorised entities can access.

Ensure that any authorised entity accessing WSOP’s database is provided with the least privileges required to perform their legitimate function.

Ensure that all the components of the WSOP system, including the database, are protected from physical or logical access by unauthorised entities.