Security

Complete

This page addresses various security-related matters.

Database passwords

The database user name and password are configured via the toolbox configure command, which stores the configuration in:

<OPENVPMS_HOME>/conf/openvpms.properties
 

When the database is created, these are used to create a corresponding MySQL database user.

If the database user name or password is changed*:

  • toolbox configure needs to be re-run to update the openvpms.properties file
  • toolbox war needs to be re-run to package the web application with the updated openvpms.properties
  • the openvpms.war file needs to be redeployed

* For information on setting the MySQL password see:

  https://dev.mysql.com/doc/refman/5.7/en/set-password.html

Administrator password

The default installation creates an OpenVPMS user named 'admin', with password 'admin'. This should be changed using either:

  • toolbox user --setpassword admin -p somestrongpassword
    
  • Administration - Users in the web application

User passwords

User passwords can be configured using:

  • toolbox user --setpassword admin -p somestrongpassword
    
  • Administration - Users in the web application

There is little restriction on what passwords may be entered, but it is recommended that strong passwords are used.

 

File permissions

The OpenVPMS and Tomcat installation directories should only be accessible to a single user with a strong password.

These directories contain files that could enable an attacker to gain access to the OpenVPMS web application, or the MySQL database.

Tomcat and HTTPS

For security, Tomcat should be configured to use HTTPS connections. These encrypt data travelling between the browser and web server.

See SSL/TLS Configuration HOW-TO in the Apache Tomcat documentation.

MySQL and SSL

The default openvpms.properties configuration disables SSL access to the MySQL database server by specifying useSSL=false in the JDBC connection string, i.e.:

db.url = jdbc:mysql://localhost:3306/openvpms_dev?useSSL=false

To connect to a MySQL server securely, see Connecting Securely Using SSL in the MySQL documentation.
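
The script below is an added example, not part of OpenVPMS or its toolbox. On a POSIX host it audits an installation for two of the points above: group/other access to the installation directory and conf/openvpms.properties (File permissions), and useSSL=false in db.url (MySQL and SSL). The function names and the simple key=value parser are assumptions made for illustration.

```python
import os
import stat
import sys
from urllib.parse import parse_qs, urlsplit

# Path relative to <OPENVPMS_HOME>, as given in the "Database passwords" section.
PROPS = os.path.join("conf", "openvpms.properties")


def read_properties(path):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and line[0] not in "#!" and "=" in line:
                key, value = line.split("=", 1)
                # Drop the backslash escapes Java may write before ':' and '='.
                props[key.strip()] = value.strip().replace("\\", "")
    return props


def loose_mode(path):
    """Return the group/other permission bits set on path (0 if owner-only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def audit(home):
    """Return a list of findings for an OpenVPMS installation directory."""
    findings = []
    props_path = os.path.join(home, PROPS)
    for path in (home, props_path):
        bits = loose_mode(path)
        if bits:
            findings.append(f"{path}: accessible to group/others (mode bits {bits:03o})")
    url = read_properties(props_path).get("db.url", "")
    # Strip the "jdbc:" prefix so urlsplit sees mysql://host:port/db?params
    parts = urlsplit(url[5:] if url.startswith("jdbc:") else url)
    use_ssl = parse_qs(parts.query).get("useSSL", [""])[-1].lower()
    if use_ssl == "false":
        findings.append(f"db.url disables SSL to MySQL host {parts.hostname}")
    return findings


if __name__ == "__main__":
    results = audit(sys.argv[1])
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Run it with the OpenVPMS installation directory as its only argument; a non-zero exit status means at least one finding was reported.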