Clustering

OX App Suite can be set up as a multi-node cluster in which all nodes exchange certain information over the network. Even if this communication usually takes place within a secured network, hardening and care are advised to avoid data interception or injection.

Automatic Node Discovery

Node discovery is implemented using Hazelcast’s node discovery implementation. Therefore, the same mechanisms as offered by Hazelcast are available for cluster discovery. This includes "empty" cluster discovery (for standalone OX App Suite middleware nodes), "static" cluster discovery using a set of IP addresses in the configuration file, and "multicast", using UDP multicast for cluster discovery.

For both "static" and "multicast", nodes require a unique, common group name and password to join the cluster.

Cluster Communication

Communication within the cluster is performed using the Hazelcast API. It provides network-based access to data structures within the cluster and can be accessed using various client implementations. When designing a cluster, network-based communication between cluster nodes must be allowed for this API. It is critical that the API cannot be accessed by an unauthorized party; therefore, a unique group name shall be shared between all cluster nodes. This group name has to be treated confidentially, as it allows joining the cluster group and fetching data if no further hardening is performed.

Additional hardening can be achieved by port filtering or dedicated network segments for cluster nodes. The Hazelcast API listens on 5701/tcp on localhost by default, and all relevant settings can be configured in hazelcast.properties.

By default, communication for discovery and cluster activity is not encrypted, so the cluster's group name gets exposed. An attacker might tap into the network and look for such communication to identify OX App Suite machines and intercept or inject shared cluster data, for example session information. It is possible to encrypt Hazelcast communication via configuration, but that feature is only supported with the enterprise version of Hazelcast. Bundles for the enterprise version are not accessible for the community. Moreover, the enterprise version needs an additional license key that must be obtained from Hazelcast, Inc. The enterprise version may be plugged in if desired. If so, symmetric encryption or encryption via TLS/SSL can be enabled.

For a full feature and property overview please visit https://documentation.open-xchange.com/7.10.1/middleware/components/hazelcast/hazelcast_encryption.html.

Distributed Session Storage

To ensure continuous operation for end-users, even in the event of server failure, sessions can be distributed within a cluster of OX App Suite nodes. This requires the corresponding bundle to be installed. Session objects (containing information like session IDs, username, password, user agent, client IP etc.) are transferred to a Hazelcast-based, network-distributed storage that is accessed by all machines within a cluster.

Passwords get encrypted using a static key and symmetric encryption. The encryption key can be found in sessiond.properties; it needs to be equal for all cluster nodes and should be customized for each installation. In any event, the default key must be modified to ensure protection of the session password while in transit. Other information within the session object is transferred as plain text. This potentially allows information gathering or injecting modified session objects to open up further attack vectors. Remote management of OSGi events uses the same communication channel. This kind of data is less critical in terms of user data but may be used to influence availability and stability of the system.
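
The group-name and session-key requirements described above can be checked across all nodes before a cluster goes live. The following Python script is an added example, not code from OX App Suite: the property names (com.openexchange.hazelcast.group.name, com.openexchange.hazelcast.network.join, com.openexchange.sessiond.encryptionKey) are assumptions to verify against the installed hazelcast.properties and sessiond.properties, all sample values are constructed, and the shipped default key is supplied by the caller as a placeholder.

```python
# Added example; property names are assumptions, check your installed files.
GROUP = "com.openexchange.hazelcast.group.name"
JOIN = "com.openexchange.hazelcast.network.join"
SESSION_KEY = "com.openexchange.sessiond.encryptionKey"

def parse_properties(text):
    """Parse simple key=value properties text, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(nodes, shipped_default_key):
    """nodes maps node name -> merged properties; returns sorted findings."""
    findings = []
    for name, props in nodes.items():
        join = props.get(JOIN, "")
        if join in ("static", "multicast") and not props.get(GROUP):
            findings.append(f"{name}: join={join} but group name is empty")
        if join == "multicast":
            findings.append(f"{name}: multicast discovery, group name visible on the segment")
        key = props.get(SESSION_KEY, "")
        if not key or key == shipped_default_key:
            findings.append(f"{name}: session key missing or still the shipped default")
    for prop, label in ((GROUP, "group name"), (SESSION_KEY, "session key")):
        if len({props.get(prop, "") for props in nodes.values()}) > 1:
            findings.append(f"cluster: {label} differs between nodes")
    return sorted(findings)

# Constructed sample: both properties files of two nodes, values made up.
DEFAULT_KEY = "PLACEHOLDER-shipped-default-key"
NODE_A = """
com.openexchange.hazelcast.group.name=oxcluster-prod-7f3a
com.openexchange.hazelcast.network.join=static
com.openexchange.sessiond.encryptionKey=PLACEHOLDER-shipped-default-key
"""
NODE_B = """
com.openexchange.hazelcast.group.name=oxcluster-prod-7f3a
com.openexchange.hazelcast.network.join=multicast
com.openexchange.sessiond.encryptionKey=Zk4-constructed-example-key
"""
SAMPLE = {"node-a": parse_properties(NODE_A), "node-b": parse_properties(NODE_B)}
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, DEFAULT_KEY)))
```

An empty result means every node shares the same group name and a customized, identical session key; it says nothing about port filtering or network segmentation, which have to be verified separately.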

Distributed File Management

The OX App Suite middleware is capable of maintaining temporary files, which are accessible only within one middleware node. To extend this for the whole cluster the bundles com.openexchange.filemanagement.distributed and com.openexchange.filemanagement.distributed.servlet are available in the package open-xchange-file-distribution. These bundles extend the basic file management to provide temporary files independent of the initial node. The communication between these nodes is based on a default servlet mechanism (path: /distributedFiles). This servlet is accessible without a session. The port is the default servlet port configured for the cluster. Files are masked with a random UUID which is only used for internal communication and stored in a Hazelcast map.

Potential Security Risk: With knowledge of the correct node and the file ID (which is never propagated outside the cluster), an attacker might be able to access temporarily stored files.