Securing the Tomcat Layer

One critical MUST-DO for any OpenMRS Implementation: Ensure no default passwords are in use (such as “Admin123”).

This is true for your Tomcat layer as well. Check to ensure you are not using the default password. You should be using a unique, strong password.

OpenMRS's underlying tomcat layer provides several configurable options to enhance security.

Run Tomcat In a Low-Privileged Context

Running tomcat as a low-privileged process (i.e. not with "root" or "administrator" permissions) is the easiest and most important step in securing the underlying tomcat server. It limits what an attacker who compromises tomcat can do to the rest of the system, since they inherit only the permissions of the tomcat account rather than full control of the host. This may also protect the system from ransomware, which often needs full administrative permissions on the operating system to do its damage.
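The following is an added example (not OpenMRS or Tomcat project code) of how to audit this on a Linux host that starts tomcat from a systemd unit. It parses the unit's [Service] section and flags a unit that runs as root, including the case where User= is simply absent (systemd's default is root in that case). The unit file contents, the service account name "tomcat" and the /opt/tomcat path are all constructed for the example.

```python
import configparser

# Constructed sample units (not from the page): one runs as root by omission,
# one runs under a dedicated, unprivileged "tomcat" account.
UNIT_AS_ROOT = """\
[Unit]
Description=Apache Tomcat

[Service]
ExecStart=/opt/tomcat/bin/catalina.sh run
"""

UNIT_AS_TOMCAT = """\
[Unit]
Description=Apache Tomcat

[Service]
User=tomcat
Group=tomcat
ExecStart=/opt/tomcat/bin/catalina.sh run
"""


def service_user(unit_text: str) -> str:
    """Return the account a systemd unit runs as.

    systemd runs a service as root when User= is not set, so an absent
    key is reported as "root" rather than as "unknown".
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # systemd keys are case-sensitive; keep "User" as written
    cp.read_string(unit_text)
    return cp.get("Service", "User", fallback="root").strip()


def runs_unprivileged(unit_text: str) -> bool:
    """True when the unit runs as something other than root (by name or uid 0)."""
    return service_user(unit_text) not in ("root", "0")


if __name__ == "__main__":
    for label, unit in (("as-root", UNIT_AS_ROOT), ("as-tomcat", UNIT_AS_TOMCAT)):
        verdict = "OK" if runs_unprivileged(unit) else "FAIL: runs as root"
        print(f"{label}: User={service_user(unit)} -> {verdict}")
```

The unit file only says what is configured; to confirm what is actually running, compare against the owner of the live Java process (for example `ps -o user= -C java` on a procps-based system), since a tomcat started by hand from a root shell will not match its unit file.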

Disabling Default Tomcat Pages

Most OpenMRS implementations have no use for the default tomcat documentation, examples, and management apps that come bundled with the tomcat server. If they aren't serving a purpose, they are unnecessarily increasing the implementation's attack surface. To remove them, find the tomcat directory, and under tomcat-dir/webapps/, delete the following folders:

    docs
    examples
    host-manager
    manager
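As an added example (not part of the original page or of OpenMRS), the script below reports which of those four default apps are still present under a webapps directory and, when asked, removes only those, leaving every other deployed app (such as the OpenMRS webapp) untouched. It defaults to a dry run so it can be used as a periodic audit check before anything is deleted; the webapps path is whatever you pass in.

```python
import os
import shutil

# Apps bundled with a stock Tomcat that an OpenMRS deployment normally has no use for.
DEFAULT_WEBAPPS = ("docs", "examples", "host-manager", "manager")


def find_default_webapps(webapps_dir: str) -> list:
    """Return the bundled default apps that are still deployed under webapps_dir."""
    return sorted(
        name
        for name in DEFAULT_WEBAPPS
        if os.path.isdir(os.path.join(webapps_dir, name))
    )


def remove_default_webapps(webapps_dir: str, dry_run: bool = True) -> list:
    """Remove the bundled default apps (or just report them when dry_run is True).

    Returns the names that were, or would be, removed. Only the four known
    default directories are ever touched; other deployed apps are left alone.
    """
    targets = find_default_webapps(webapps_dir)
    if not dry_run:
        for name in targets:
            shutil.rmtree(os.path.join(webapps_dir, name))
    return targets


if __name__ == "__main__":
    import sys

    webapps = sys.argv[1] if len(sys.argv) > 1 else "/opt/tomcat/webapps"  # assumed path
    present = remove_default_webapps(webapps, dry_run=True)
    print("default apps still deployed:", present or "none")
```

Run it once in dry-run mode, confirm the list is what you expect, then call `remove_default_webapps(path, dry_run=False)` (or stop tomcat and delete the directories by hand). If the corresponding .war files are also present in webapps/, remove those too, otherwise tomcat's autodeploy will recreate the directories on the next start.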

Protect Cookies with "Secure" and "HTTP-Only" Flags

Tomcat can be configured to better guard cookies, including the session cookie that identifies an authenticated user. The "Secure" flag tells the browser to send the cookie only over encrypted channels (i.e. a TLS connection), never over plain HTTP. The "HTTP-Only" flag prevents client-side scripts from reading the cookie, so an XSS payload cannot simply steal it.

To enable these features, ensure that the following config is present in tomcat's web.xml, inside the <session-config> element:

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
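The following is an added example (not from the page, OpenMRS or Tomcat) of a small check that reads a web.xml and reports whether both flags are forced on. It strips the XML namespace before comparing element names so it works whichever javaee namespace the file declares, and it only inspects <cookie-config> elements that sit inside <session-config>, which is where the servlet spec places them. The two embedded web.xml fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed minimal web.xml fragments (not a real OpenMRS or Tomcat file).
WEB_XML_WEAK = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""

WEB_XML_HARDENED = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""


def _local(tag: str) -> str:
    # ElementTree renders namespaced tags as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]


def cookie_flags(web_xml_text: str) -> dict:
    """Return {"http_only": bool, "secure": bool} as declared in web.xml.

    This reports what web.xml forces, not Tomcat's effective defaults: a
    missing element reads as False because the file does not guarantee it.
    """
    root = ET.fromstring(web_xml_text)
    flags = {"http_only": False, "secure": False}
    for session_config in root.iter():
        if _local(session_config.tag) != "session-config":
            continue
        for cookie_config in session_config:
            if _local(cookie_config.tag) != "cookie-config":
                continue
            for element in cookie_config:
                key = _local(element.tag).replace("-", "_")
                if key in flags:
                    flags[key] = (element.text or "").strip().lower() == "true"
    return flags


def cookies_hardened(web_xml_text: str) -> bool:
    """True only when both Secure and HttpOnly are forced on."""
    return all(cookie_flags(web_xml_text).values())


if __name__ == "__main__":
    for label, xml_text in (("weak", WEB_XML_WEAK), ("hardened", WEB_XML_HARDENED)):
        print(label, cookie_flags(xml_text), "->", "OK" if cookies_hardened(xml_text) else "FAIL")
```

One caveat when turning <secure> on: the browser will then refuse to send the session cookie over plain http://, so every URL users reach OpenMRS through must be HTTPS (including the case where TLS is terminated at a reverse proxy in front of tomcat), otherwise logins will appear to silently fail.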