
Security

Firewall Configuration

Securing your OMERO system with so-called firewalling or packet filtering can be done quite easily. By default, OMERO clients only need to connect to one TCP port to communicate with your OMERO.server: 4063, the IANA-assigned port for the Glacier2 router from ZeroC. If you configure your server for SSL, then the preferred port is 4064. Both of these values, however, are completely up to you. Clients talk only to the Glacier2 router, so nothing else on the server (the PostgreSQL database in particular) needs to be reachable from client networks; the examples below admit only the router port(s) and drop everything else.

Example OpenBSD firewall rules

# ext_if and omero_server_ip are pf macros defined earlier in pf.conf
# (an <omero_server_ip> spelling would refer to a pf table, not a macro)
block in log on $ext_if from any to $omero_server_ip
pass in on $ext_if proto tcp from any to $omero_server_ip port 4063
pass in on $ext_if proto tcp from any to $omero_server_ip port 4064

Example Linux firewall rules

# Policy names are case-sensitive: 'drop' is rejected, DROP is required.
# Accept rules go in first; set the policy last (ideally from a console
# session) so a remote shell is not cut off halfway through.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 4063 -j ACCEPT
iptables -A INPUT -p tcp --dport 4064 -j ACCEPT
iptables -P INPUT DROP
...

Passwords

The password hashes stored in the password table are the base64 encoding of the raw, unsalted MD5 digest of the password, i.e. they are generated equivalent to the command:

$ echo -n "ome" | openssl md5 -binary | openssl base64
vvFwuczAmpyoRC0Nsv8FCw==

If the password for the root user were lost, the only way to reset it (in the absence of other admin accounts) would be to manually update the password table. Note that because the digest is unsalted, identical passwords produce identical hashes and anyone who can read this table can attack every account at once, so access to the database should be restricted to the server itself.

$ PASS=`echo -n "ome" | openssl md5 -binary | openssl base64`

$ psql mydatabase -c " select * from password"
 experimenter_id |           hash           
-----------------+--------------------------
               0 | Xr4ilOzQ4PCOq3aQ0qbuaQ==
(1 row)

$ psql mydatabase -c "update password set hash = '$PASS' where experimenter_id = 0"
UPDATE 1

$ psql mydatabase -c " select * from password"
 experimenter_id |           hash           
-----------------+--------------------------
               0 | vvFwuczAmpyoRC0Nsv8FCw==
(1 row)

If you prefer, bin/omero can generate this update string for you (bin/omero db password prompts for the new password and prints the statement without executing it):

$ bin/omero db password
Please enter password for new OMERO root user: 
Please re-enter password for new OMERO root user: 
UPDATE password SET hash = 'vvFwuczAmpyoRC0Nsv8FCw==' WHERE experimenter_id = 0;
$
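The scheme above, reproduced in Python as an added example (not OMERO's own PasswordUtil code): it produces the same base64(MD5) value as the openssl pipeline, verifies a candidate password in constant time, prints the same UPDATE statement, and, because the digest is unsalted, finds accounts that share a password straight from the table. The table rows at the bottom are constructed for the example.

```python
import base64
import hashlib
import hmac


def omero4_hash(password: str) -> str:
    """Base64 of the raw MD5 digest, exactly what
    'openssl md5 -binary | openssl base64' prints.

    No salt, no iteration count: the same password always yields the
    same 24-character string.
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_password(stored_hash: str, candidate: str) -> bool:
    """Compare in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(stored_hash.encode("ascii"),
                               omero4_hash(candidate).encode("ascii"))


def reset_statement(new_password: str, experimenter_id: int = 0) -> str:
    """The UPDATE that 'bin/omero db password' prints for the root user.

    The hash is base64 (A-Z a-z 0-9 + / =) and can never contain a quote,
    so splicing it in is safe; anything else built into SQL by hand
    should be parameterised instead.
    """
    return "UPDATE password SET hash = '%s' WHERE experimenter_id = %d;" % (
        omero4_hash(new_password), experimenter_id)


def duplicate_hashes(rows):
    """rows: iterable of (experimenter_id, hash) as read from the table.

    Since hashes are unsalted, users sharing a password are visible
    directly: return {hash: [ids]} for every hash that occurs more than once.
    """
    seen = {}
    for exp_id, h in rows:
        seen.setdefault(h, []).append(exp_id)
    return {h: ids for h, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    print(omero4_hash("ome"))
    print(reset_statement("ome"))
    # Constructed password table: experimenters 2 and 3 chose the same password.
    table = [(0, omero4_hash("ome")),
             (2, omero4_hash("s3cret")),
             (3, omero4_hash("s3cret"))]
    print(duplicate_hashes(table))
```

Run it and compare the first line of output with the openssl pipeline above; the two must agree byte for byte or the UPDATE will lock the root account out rather than reset it.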

LDAP authentication

LDAP is an open standard for querying and modifying directory services that is commonly used for authentication, authorization and accounting (AAA). OMERO.server supports the use of an LDAP server to query (but not modify) AAA information for the purposes of automatic user (an Experimenter or Scientist in OMERO parlance) creation.

LDAP Configuration

Like many pieces of OMERO.server configuration, LDAP specific configuration is done by specifying properties via the bin/omero config set directive. The OMERO.server LDAP implementation is designed to handle three main use cases:

  1. Allow every inetOrgPerson under omero.ldap.base to login
  2. (1) but restrict access based upon membership in omero.ldap.groups
  3. (1) but restrict access based upon the entry's attributes matching omero.ldap.attributes and omero.ldap.values

If these use cases do not suit your needs, please contact us regarding the creation of your own PasswordProvider.

Example

# Enable or disable LDAP (true/false)
bin/omero config set omero.ldap.config true

# LDAP server URL string
bin/omero config set omero.ldap.urls ldap://ldap.example.com:389

# LDAP server bind DN (if required; can be empty)
bin/omero config set omero.ldap.username cn=Manager,dc=example,dc=com

# LDAP server bind password (if required; can be empty)
bin/omero config set omero.ldap.password secret

# LDAP server base search DN 
bin/omero config set omero.ldap.base dc=example,dc=com

# The unique group CNs that the user must be a member of to be allowed access
# to OMERO (can be empty)
bin/omero config set omero.ldap.groups OmeroUsers

# Attributes, separated by ',', that users must have to be allowed access
# to OMERO (can be empty)
bin/omero config set omero.ldap.attributes omeroUser,accountEnabled

# Values, separated by ',', of the above 'omero.ldap.attributes' that must
# be fulfilled to be allowed access to OMERO (can be empty)
bin/omero config set omero.ldap.values true,true

NOTE: Please remember that once a change has been made, a server restart will be needed. Two further points: the bind password given to omero.ldap.password is stored in clear text in the server's configuration, so restrict who can read it; and a plain ldap:// URL sends both the bind credentials and every user's password to the directory unencrypted, so use ldaps:// (or otherwise protect the link to the directory server) in anything but a test setup.
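To make the three use cases concrete, the following added Python example (an illustration, not OMERO's PasswordProvider) builds the RFC 4515 search filters that such a configuration implies. It assumes the login name is matched against uid and that group membership is checked through a member attribute on the group entry; both are assumptions, as is the constructed config dictionary at the bottom. The point a practitioner should take from it is that the login name arrives from the client and must be escaped before it is spliced into the filter.

```python
import re

# Characters with meaning inside a filter (RFC 4515 section 3) and their escapes.
_FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}

# LDAP attribute descriptors: a letter followed by letters, digits or hyphens.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value before splicing it into a filter. Without this a login
    name such as '*)(uid=*' rewrites the filter instead of matching a user."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _csv(prop: str):
    """omero.ldap.attributes / values / groups are ',' separated; empty = unset."""
    return [p.strip() for p in prop.split(",") if p.strip()]


def user_filter(config: dict, login: str) -> str:
    """Use cases 1 and 3: every inetOrgPerson under omero.ldap.base, optionally
    narrowed by the configured attribute/value pairs.
    (Assumption: the login name is matched against 'uid'.)"""
    attrs = _csv(config.get("omero.ldap.attributes", ""))
    values = _csv(config.get("omero.ldap.values", ""))
    if len(attrs) != len(values):
        raise ValueError("omero.ldap.attributes and omero.ldap.values must pair up")
    for a in attrs:
        if not _ATTR_NAME.match(a):
            raise ValueError("bad attribute name in omero.ldap.attributes: %r" % a)
    clauses = ["(objectClass=inetOrgPerson)", "(uid=%s)" % escape_filter_value(login)]
    clauses += ["(%s=%s)" % (a, escape_filter_value(v)) for a, v in zip(attrs, values)]
    return "(&" + "".join(clauses) + ")"


def group_filters(config: dict, user_dn: str):
    """Use case 2: one filter per required group CN; the user must satisfy all.
    Returns [] when omero.ldap.groups is empty, i.e. no group restriction.
    (Assumption: groups list their members' DNs in a 'member' attribute.)"""
    return ["(&(cn=%s)(member=%s))" % (escape_filter_value(g), escape_filter_value(user_dn))
            for g in _csv(config.get("omero.ldap.groups", ""))]


if __name__ == "__main__":
    # Constructed config mirroring the example above.
    cfg = {
        "omero.ldap.base": "dc=example,dc=com",
        "omero.ldap.groups": "OmeroUsers",
        "omero.ldap.attributes": "omeroUser,accountEnabled",
        "omero.ldap.values": "true,true",
    }
    print(user_filter(cfg, "jdoe"))
    print(user_filter(cfg, "*)(uid=*"))      # injection attempt, neutralised
    print(group_filters(cfg, "uid=jdoe,ou=people,dc=example,dc=com"))
```

The printed filters can be pasted into ldapsearch against the configured base DN to confirm, before enabling omero.ldap.config, that the directory returns exactly the people you expect.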

SSL

If you are going to use LDAP authentication to your server, then it is important to encrypt the transport channel between clients and the Glacier2 router, since otherwise users' directory passwords cross the network in the clear on every login. Support from the open-source project is for the moment limited, however, because of the various difficulties involved.

Ice does go a long way to making configuration easy, and the IceSSL section of the manual will help you get started.

One possibility which has been initially tested is to configure both clients and the server to use ADH (anonymous Diffie-Hellman). Be clear about what this buys you: the channel is encrypted, so a passive eavesdropper cannot read passwords, but with no certificates and IceSSL.VerifyPeer=0 neither side authenticates the other, so an active attacker who can redirect traffic can impersonate the router and collect credentials. Treat it as a stop-gap until a certificate-based IceSSL configuration is in place. At the moment, this requires providing your clients with special configuration files, but is fairly straightforward.

Several properties must be set for the clients to work properly. Put these in a config file, here "ssl.config", and point ICE_CONFIG at it in your environment:

export ICE_CONFIG=$HOME/ssl.config

For Python:

Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h localhost
IceSSL.VerifyPeer=0
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.Ciphers=ADH

For Java:

Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h localhost
IceSSL.VerifyPeer=0
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=/home/<you>
IceSSL.Ciphers=NONE (DH_anon)

Three properties must also be set on the Glacier2Template in templates.xml:

 <property name="Ice.Plugin.IceSSL" value="IceSSL:createIceSSL"/>
 <property name="IceSSL.Ciphers" value="ADH"/>
 <property name="IceSSL.VerifyPeer" value="0"/>

And finally, the "tcp -p 4063" setting in default.xml must be changed to "ssl -p 4064" (or any other port you wish to use); until that is done the router still accepts unencrypted tcp connections regardless of what the clients are configured to do.
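A small Python audit script, added here and not part of Ice or OMERO, that parses the key=value property format shown above and flags the settings that leave the channel unauthenticated or unencrypted: a tcp router endpoint, a missing IceSSL plugin, IceSSL.VerifyPeer=0, or an anonymous cipher selection such as ADH or DH_anon. The property names are the real Ice/IceSSL ones; the three sample configurations embedded in it are constructed (the first two mirror the Python and Java examples above, the third is a certificate-verifying variant included only to show a clean result).

```python
import re

# Cipher spellings that select anonymous key exchange (OpenSSL and Java names).
ANON_CIPHER_MARKERS = ("ADH", "AECDH", "aNULL", "DH_anon", "ECDH_anon")


def parse_ice_config(text: str) -> dict:
    """Ice property files: one 'Name=value' per line, '#' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def router_protocol(router: str) -> str:
    """'OMERO.Glacier2/router:ssl -p 4064 -h localhost' -> 'ssl'."""
    _, _, endpoint = router.partition(":")
    tokens = endpoint.split()
    return tokens[0].lower() if tokens else ""


def anonymous_ciphers(spec: str):
    """Tokens of an IceSSL.Ciphers spec that select anonymous suites.

    Handles OpenSSL style 'HIGH:!aNULL' and IceSSL Java style 'NONE (DH_anon)';
    a token prefixed with '!' or '-' is an exclusion, not a selection.
    """
    found = []
    for tok in re.split(r"[\s:,]+", spec):
        tok = tok.strip("()")
        if not tok or tok[0] in "!-":
            continue
        if any(m.lower() in tok.lower() for m in ANON_CIPHER_MARKERS):
            found.append(tok)
    return found


def audit_client_config(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    props = parse_ice_config(text)
    findings = []
    proto = router_protocol(props.get("Ice.Default.Router", ""))
    if proto == "tcp":
        return ["Ice.Default.Router uses a tcp endpoint: nothing on the channel is encrypted"]
    if proto != "ssl":
        return ["Ice.Default.Router does not name an ssl endpoint"]
    if "Ice.Plugin.IceSSL" not in props:
        findings.append("ssl endpoint configured but Ice.Plugin.IceSSL is not loaded")
    if props.get("IceSSL.VerifyPeer", "") == "0":
        findings.append("IceSSL.VerifyPeer=0: the router is never authenticated")
    anon = anonymous_ciphers(props.get("IceSSL.Ciphers", ""))
    if anon:
        findings.append("IceSSL.Ciphers selects anonymous key exchange (%s): "
                        "encrypted but unauthenticated, open to an active "
                        "man-in-the-middle" % ", ".join(anon))
    return findings


# Constructed sample configurations (the first two mirror the page's examples).
PYTHON_ADH_CONFIG = """
Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h localhost
IceSSL.VerifyPeer=0
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.Ciphers=ADH
"""

JAVA_ADH_CONFIG = """
Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h localhost
IceSSL.VerifyPeer=0
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=/home/<you>
IceSSL.Ciphers=NONE (DH_anon)
"""

CERT_VERIFYING_CONFIG = """
# certificate-based variant: VerifyPeer=2 is the IceSSL default, shown explicitly
Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h omero.example.com
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.VerifyPeer=2
IceSSL.Ciphers=HIGH:!aNULL:!eNULL
"""

if __name__ == "__main__":
    for name, cfg in (("python ADH", PYTHON_ADH_CONFIG),
                      ("java ADH", JAVA_ADH_CONFIG),
                      ("cert-verifying", CERT_VERIFYING_CONFIG)):
        print(name, "->", audit_client_config(cfg) or "no findings")
```

Point it at $ICE_CONFIG before rolling a client configuration out; a clean result means the router is authenticated and the suite is not anonymous, not that the certificate chain itself is sound.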
