What This Section Covers

This section contains industry standard best practices and recommendations to secure the THREDDS Data Server for use in a production environment.

Why Is Security Important?

Misconfiguration of Tomcat or the TDS can introduce security vulnerabilities in your production server environment. The following recommendations should be considered “layers” of security: not completely effective by themselves, but more potent when combined.

This is not a complete laundry list of security fixes! Please use it as a starting point when securing your server.

Reporting A Security Issue

To report a potential security-related issue or bug, contact: security@unidata.ucar.edu

Recommendations

Unidata strongly recommends performing the following tasks if you intent to run the TDS in a production environment:

  1. Enable TLS/SSL Encryption
  2. Use Digested Passwords
  3. Secure Tomcat Manager Application
  4. Remove Unused Web Applications
  5. Block Non-Essential Ports
  6. Keep Software Up-To-Date

Restricting Access To The TDS

You can restrict access to specific datasets or the TDS application as a whole:

Modifying The Security Manager

The JVM Security Manager that comes with Tomcat imposes a fine-grained security restrictions to all Java applications running the JVM. It confines the Java applications in a sandbox, and restricts them from utilizing certain features of the Java language Tomcat normally is able to access.

If you are hosting untrusted servlets or JSP on your server, then implementing the Security Manager may be a good idea if you know what you are doing. Be aware the Security Manager may prevent trusted web applications (like the TDS) from performing certain functions if configured too restrictively.

Most likely, you will have not any need to perform these adjustments.