Vous êtes sur la page 1sur 59

Monitoring Intellinx

for TBANK

May 23, 2016


Notice: While reasonable effort was made to ensure that the information in this document was
complete and accurate at the time of writing. Changes and/or corrections to the information
contained in this document may be incorporated into future issues.
All text and figures included in this publication are the exclusive only for Thanachart Bank. This
document also contains registered trademarks and service marks that are owned by their
respective companies or organizations.

TABLE OF CONTENTS
VERSION CONTROL......................................................................................1
INTRODUCTION............................................................................................2
INTELLINX SYSTEM CONFIGURATIONS ENCRYPTION....................................3
FIRST

TIME PASSWORD APPLY TO THE CONFIGURATION FILE....................................4

APPLY AUTHENTICATION TO INTELLINX SYSTEM..........................................9


INTELLINX SERVER ENCRYPTION ACTIVATION............................................14
APPLY

ENCRYPTION TO THE

DATA CHANNELS....................................................22

INVESTIGATION CENTER CONFIGURATION DB PASSWORD ENCRYPTION...23


GENERATE A MASTER KEY BASED ON A GIVEN PASSWORD....................................23
ENCRYPT A PASSWORD USING THE GENERATED MASTER KEY.................................24
WEB TUNNEL SSL ENCRYPTION APPLY.......................................................28
WEB REPLAY ENCRYPTION.........................................................................29
INVESTIGATION CENTER WEB ENCRYPTION...............................................31
EXPORT / IMPORT CERTIFICATION..............................................................33
EXPORT CERTIFICATION.................................................................................33
IMPORT CERTIFICATION..................................................................................37
DISABLE JAVASCRIPT DEBUGGING NOTIFICATION......................................44

LIST OF FIGURES
Figure 1: First time password 1..................................................4
Figure 2: First time password 2..................................................4
Figure 3: First time password 3..................................................5
Figure 4: First time password 4..................................................5
Figure 5: First time password 5..................................................6
Figure 6: First time password 6..................................................7
Figure 7: First time password 7..................................................8
Figure 8: Authentication setup 1................................................9
Figure 9: Authentication setup 2..............................................10
Figure 10: Authentication setup 3............................................10
Figure 11: Authentication setup 5............................................11
Figure 12: Authentication setup 6............................................12
Figure 13: Authentication setup 7............................................13
Figure 14: Authentication setup 8............................................13
Figure 15: Setup the encryption and sign are explain 1...........14
Figure 16: Setup the encryption and sign are explain 2...........15
Figure 17: Setup the encryption and sign are explain 3...........15
Figure 18: Setup the encryption and sign are explain 4...........15
Figure 19: Setup the encryption and sign are explain 5...........17
Figure 20: No keyset apply is not allow to Activate Service.....18
Figure 21: Setup the encryption and sign are explain 6...........19
Figure 22: Setup the encryption and sign are explain 7...........20
Figure 23: Setup the encryption and sign are explain 8...........20
Figure 24: Setup the encryption and sign are explain 9...........21
Figure 25: DC encrypt 1...........................................................22
Figure 26: DC encrypt 2...........................................................22
Figure 27: Generating master key for the database password 1
................................................................................................ 23

ii

Figure 28: Generating master key for the database password 2


................................................................................................ 23
Figure 29: Generating master key for the database password 3
................................................................................................ 23
Figure 30: Setup the encryption for the database password 1. 24
Figure 31: Setup the encryption for the database password 2. 24
Figure 32: Setup the encryption for the database password 3. 24
Figure 33: Setup the encryption for the database password 4. 25
Figure 34: Setup the encryption for the database password 5. 25
Figure 35: Master key file path................................................26
Figure 36: Starting the Investigation Center Service................27
Figure 37: Web tunnel ssl encryption apply 1..........................28
Figure 38: Web tunnel ssl encryption apply 2..........................28
Figure 39: WebReplay SSL 1....................................................29
Figure 40: WebReplay SSL 2....................................................30
Figure 41: WebReplay SSL 3....................................................30
Figure 42: Investigation Center SSL 1......................................31
Figure 43: Investigation Center SSL 2......................................31
Figure 44: Investigation Center SSL 3......................................32
Figure 45: Export certificate 1.................................................33
Figure 46: Export certificate 2.................................................34
Figure 47: Export certificate 3.................................................34
Figure 48: Export certificate 4.................................................35
Figure 49: Export certificate 5.................................................35
Figure 50: Export certificate 6.................................................36
Figure 51: Export certificate 7.................................................36
Figure 52: Export certificate 8.................................................37
Figure 53: Import certificate 1.................................................37
Figure 54: Import certificate 2.................................................38
Figure 55: Import certificate 3.................................................38
Figure 56: Import certificate 4.................................................39
Figure 57: Import certificate 5.................................................39
iii

Figure 58: Import certificate 6.................................................40


Figure 59: Import certificate 7.................................................40
Figure 60: Import certificate 8.................................................41
Figure 61: Import certificate 9.................................................41
Figure 62: Import certificate 10...............................................42
Figure 63: Import certificate 11...............................................42
Figure 64: Import certificate 12...............................................43
Figure 65: Import certificate 13...............................................43
Figure 66: Disable JavaScript Debugging Notification 1...........44
Figure 67: Disable JavaScript Debugging Notification 2...........45

iv

Export / Import certification

Version Control
Versi
on

Date

0.1

Aug
2015

0.2

0.3

0.4

0.5

Author\Editor
26, Thonthep K.

Purpose of update
Initial Draft

Udorn D.

Aug 27,
2015

Thonthep K.

Aug 28,
2015

Thonthep K.

Sep 4,
2015

Thonthep K.

Apr 8, 2016

Thonthep K.

- Added picture from ATM production.


- Changed path of files needed.
- Changed picture to match the detail.
- Updated information.
- Changed IP address to Server name.
- Rearrange some encryption steps.
- Added CDS and HP environment
path.
- Added SIT and UAT environment
path.

0.6

May 23,
2016

Thonthep K.

- Change detail in Web Tunnel SSL


encryption about parameter using in
keytool.exe to create keystore.jks
- Added Export / Import certification
for Trusted Root Certification
Authorities method
- Added Disable JavaScript Debugging
Notification method

TBANK Security Intellinx System V0.6

Export / Import certification

TBANK Security Intellinx System V0.6

Export / Import certification

Introduction
There are several related ways to implement Intellinx System with the strong
security enforces. In order to run the system, the most important information for
the organization needed to be applied in the many ways of secured methodology.
Information security is the infrastructure to make Intellinx system secure. The
following security setup and configuration in Intellinx TBANK fraud system has
been implemented.

Intellinx System configurations encryption


Apply Authentication to Intellinx System
Intellinx server encryption activation
Investigation center configuration database password encryption
Web Replay encryption
Investigation Center Web encryption

This document lists are prepared for TBANK configuration installed for the
ATM Fraud production environment.

TBANK Security Intellinx System V0.6

Export / Import certification

Intellinx system configurations encryption


The Intellinx system has protected server configuration file by default, the
password is a mandatory to apply for encryption the parameters inside the xml
file. After installation of Intellinx System process, while running Intellinx
Enterprise Manager for the first time it will be asking for the initialize encryption
password.
The configuration file for the server services has been located on the following
directory:
Production environment
CDS-HP Sensor server TBFRDSSPRD1
D:\Intellinx\Server\servers\itxsvc_ss_CDS_2348\conf\server-config.xml
D:\Intellinx\Server\servers\itxsvc_ss_HP_2358\conf\server-config.xml
D:\Intellinx513\Server\servers\HPapp_2468\conf\server-config.xml
CDS-HP Analyser server TBFRDAZPRD1
D:\Intellinx\Server\servers\itxsvc_dc_cds_2558\conf\server-config.xml
D:\Intellinx\Server\servers\itxsvc_dc_hp_2468\conf\server-config.xml
D:\Intellinx\Server\servers\itxsvc_bl_2549\conf\server-config.xml
(Backlog) *
D:\Intellinx\Server\servers\itxsvc_bl_2378\conf\server-config.xml
Engine)

(Rule

ATM Sensor server TBFRATMSSPRD


D:\Intellinx\Server\servers\itxsvc_ss_atm\conf\server-config.xml
ATM Data Channel server TBFRDAZPRD1
F:\IntellinxATM\Server\servers\itxsvc_dc_atm_2529\conf\serverconfig.xml
F:\IntellinxATM\Server\servers\itxsvc_bl_2549\conf\server-config.xml *
*CDS-HP and ATM are now using same Backlog service after migration.
SIT environment
Sensor and Analyzer server TBFRDSSAZDR1
E:\Intellinx5\Server\servers\itxsvc_atm_sit_2448\conf\server-config.xml
E:\Intellinx5\Server\servers\itxsvc_cdshp_sit_2668\conf\server-config.xml
E:\Intellinx5\Server\servers\itxsvc_re_2648\conf\server-config.xml
E:\Intellinx5\Server\servers\itxsvc_re_job_2658\conf\server-config.xml
UAT environment
Sensor and Analyzer server TBFRDSSAZDR1
E:\Intellinx5\Server\servers\itxsvc_atm_uat_2549\conf\server-config.xml

TBANK Security Intellinx System V0.6

Export / Import certification


E:\Intellinx5\Server\servers\itxsvc_cdshp_uat_2778\conf\serverconfig.xml
E:\Intellinx5\Server\servers\itxsvc_re_uat_2748\conf\server-config.xml
E:\Intellinx5\Server\servers\itxsvc_re_job_2888\conf\server-config.xml

TBANK Security Intellinx System V0.6

Export / Import certification

First time password apply to the configuration file


After installation open the Enterprise Manager to manage the Intellinx
server service instance by default it will be asking for the password to provide an
encryption of the important values in the server-config.xml file. Follow these
steps to create an encryption.
1. Enter initial password.

Figure 1: First time password 1

2. After entering password, click OK.

Figure 2: First time password 2

TBANK Security Intellinx System V0.6

Export / Import certification

3. Click OK again.

Figure 3: First time password 3

3.1You can find server-config.xml which in this following path


D:\Intellinx\Server\servers\itxsvc_dc_atm\conf

Figure 4: First time password 4

TBANK Security Intellinx System V0.6

Export / Import certification

3.2The system configuration key files for encryption are located in this
path:
D:\Intellinx\Server\servers\itxsvc_dc_atm\security\keysets
File name: sys_conf_key.xml

Figure 5: First time password 5

TBANK Security Intellinx System V0.6

Export / Import certification


4. If the Administrator would like to change the password for a new
encryptiton key, follow these instructions. then go to server property on
the Encryption tab click on the button Change Configuration Password.
Type in the old password and the new password that will be apply and click
OK.
4.1Go to Server Configuration on the Encryption tab click on the
button Change Configuration Password

Figure 6: First time password 6

TBANK Security Intellinx System V0.6

Export / Import certification


4.2Enter Old password and new password, then click OK.

Figure 7: First time password 7

TBANK Security Intellinx System V0.6

Export / Import certification

Apply Authentication to Intellinx System


Intellinx system support varieties of the authentication mechanism by
default it does not required for any authentication for the beginning use. Its
needed to define the security authentication after installation by setting to the
Authentication configuration. After applying config need to be aware that
Intellinx system has tight authentication services dedicatly. Then before applying
it needs to be done at the beginning because if its been broken from any reason
you will not have a way to reverse back to the native state.

Figure 8: Authentication setup 1

TBANK Security Intellinx System V0.6

Export / Import certification


On the Authentication setup it need to be prepare for those of parameters
on the above screen to apply to the right values and ensure that finally
succeeded to restart and running system in the correct situation.

Figure 9: Authentication setup 2

The Authentication server has a choice for the Apache Directory Service ,
Open Ldap, Microsoft Active Directory etc. To provide the user authentication
security binding to the Intellinx system.

Figure 10: Authentication setup 3

TBANK Security Intellinx System V0.6

Export / Import certification


The information about production configuration was applied to Intellinx
binding with the Microsoft Active Directory service of the TBANK infrastructure.

Figure 11: Authentication setup 5

TBANK Security Intellinx System V0.6

Export / Import certification


There are consideration for the Investigation Center workflow that will run
to service as a mainly investigation process workflow. To consider in order to
know about the organization the Investigation peoples can let IC refer to the
TBANK users profile center that is based on MSAD. On the other hand it is the
user authentication it can track in a way of the same as normal working on the
most of existing users have. This configuration can be configured in
InvestigationCenter.xml
file
in
path
D:\Intellinx\IC\InvestigationCenter\Appserver\conf\Catalina\localhost

Figure 12: Authentication setup 6

TBANK Security Intellinx System V0.6

Export / Import certification


The MS Active Directory requires for some parameter has been provide
from the support. The MS AD server is point to TBKDCAD02 with comunication
on port 389.
The user for lookup the user list for binding is using itx_lookup that
created for Intellinx usage with the non-expirable password.
User base: = OU=Thanachart Users, DC=THANACHART GROUP,
DC=COM
Group base: = OU=Thanachart Users, DC=THANACHART GROUP,
DC=COM
User attribute in group = member

Figure 13: Authentication setup 7

TBANK Security Intellinx System V0.6

Export / Import certification


Figure 14: Authentication setup 8

TBANK Security Intellinx System V0.6

Export / Import certification

Intellinx server encryption activation


Intellinx maintain the sensitive data by using security of data encryption
and digital signature. Intellinx provides the means to encrypt and sign recorded
data as well as encrypt the data transfer between the different Intellinx components. For
encryption and decryption procedures Intellinx uses the 128bit AES algorithm.
For recording signature procedures, Intellinx uses RSA with MDS.
In case of TBANK configuration the data transfer between Sensor and Intellinx Data
Channel has not encrypt because of the communication is only base on locally network
between 2 servers internally and make it less consume the process between them.
For the final data stage that will write down session data to the Backlog Database has
been enablement in the Data Channels including of ATMBase24DataChannel,
Base24CBSDataChannel, ISO8583EBCIDICDataChannel and ITMXDataChannel.

The procedure to setup the encryption and sign are explain below:
Intellinx provide a utility for generate the encryption key that conform to
the standard algorithms. To generate the file called utility Key Set by running the
command by the following step.
1) Run "D:\Intellinx\Server\tools\KeysetUtil.bat"
The installation directory on production is D:\Intellinx\Server
2) Choose 1: Generate a new keyset

Figure 15: Setup the encryption and sign are explain 1

TBANK Security Intellinx System V0.6

Export / Import certification


3) Select the server directory to place the file that generates from the keyset
utility. In this case press 1 to choose destination for itxsvc_dc_atm

Keysets directory selection:


1. D:\Intellinx\Server\servers\itxsvc_dc_atm\security\keysets
Choose from the above list the keysets directory or type a specific directory
path: 1
Figure 16: Setup the encryption and sign are explain 2

Going to generate a keyset in


D:\Intellinx\Server\servers\itxsvc_dc_atm\security\keysets
Enter Y or press Enter to confirm action, or enter X to exit: Y

4) Confirm action by press Y on keyboard and press Enter.


Figure 17: Setup the encryption and sign are explain 3

TBANK Security Intellinx System V0.6

Export / Import certification


5) Keyset is generated.

2015.08.25 14:16:12.848 |INFO | Loading Key Provider


2015.08.25 14:16:12.848 |WARN | No keyset found at
D:\Intellinx\Server\servers\itxsvc_dc_atm\ security\keysets
2015.08.25 14:16:12.848 |WARN | Key Provider is loaded but no current keyset
defined
2015.08.25 14:16:12.848 |INFO | Generating new keyset
2015.08.25 14:16:12.848 |INFO | Encrypting key size 128, Signature key size
-1,024
2015.08.25 14:16:12.848 |INFO | Successfully generated new keyset 5352F216D27F-3C73-0690-C8D25E35D114
Press any key to continue . . .
Figure 18: Setup the encryption and sign are explain 4

TBANK Security Intellinx System V0.6

Export / Import certification


On another server services need to do manually copy from the
previous one to all other server services.
Production environment
For ATM Sensor Service (TBFRATMSSPRD) :
"D:\Intellinx\Server\servers\itxsvc_ss_atm\security\keysets\current_key_set"
"D:\Intellinx\Server\servers\itxsvc_ss_atm\security\keysets\5352F216-D27F-3C730690C8D25E35D114"

For CDS-HP Sensor Service (TBFRDSSPRD1) :

"D:\Intellinx\Server\servers\itxsvc_ss_CDS_2348\security\keysets\current_key_set"
"D:\Intellinx\Server\servers\itxsvc_ss_CDS_2348\keysets\5352F216-D27F-3C730690C8D25E35D114"
"D:\Intellinx\Server\servers\itxsvc_ss_HP_2358\security\keysets\current_key_set"
"D:\Intellinx\Server\servers\itxsvc_ss_HP_2358\keysets\5352F216-D27F-3C730690C8D25E35D114"
"D:\Intellinx513\Server\servers\HPapp_2468\security\keysets\current_key_set"
"D:\Intellinx513\Server\servers\HPapp_2468\keysets\5352F216-D27F-3C730690C8D25E35D114"

For CDS-HP Analyzer Service (TBFRDAZPRD1) :


"D:\Intellinx\Server\servers\itxsvc_dc_cds_2558\security\keysets\current_key_set"
"D:\Intellinx\Server\servers\itxsvc_dc_cds_2558\security\keysets\5352F216-D27F3C73-0690C8D25E35D114"
"D:\Intellinx\Server\servers\itxsvc_dc_hp_2468\security\keysets\current_key_set"
"D:\Intellinx\Server\servers\itxsvc_dc_hp_2468\security\keysets\5352F216-D27F3C73-0690C8D25E35D114"
"D:\Intellinx\Server\servers\itxsvc_bl_2378\security\keysets\current_key_set"
"D:\Intellinx\Server\servers\itxsvc_bl_2378\security\keysets\5352F216-D27F-3C730690C8D25E35D114"
"D:\Intellinx\Server\servers\itxsvc_ss_atm\security\keysets\current_key_set"
"D:\Intellinx\Server\servers\itxsvc_ss_atm\security\keysets\5352F216-D27F-3C730690C8D25E35D114"

For Backlog Service (TBFRDAZPRD1 - CDS-HP & ATM BacklogWriter


and Viewer):
D:\Intellinx\Server\servers\itxsvc_bl_2549\security\keysets\current_key_set
D:\Intellinx\Server\servers\itxsvc_bl_2549\security\keysets\5352F216-D27F3C73-0690-C8D25E35D114

SIT environment (TBFRDSSAZDR1)

"E:\Intellinx5\Server\servers\itxsvc_atm_sit_2448\security\keysets\current_key_set
"
"E:\Intellinx5\Server\servers\itxsvc_atm_sit_2448\security\keysets\5352F216D27F-3C73-0690C8D25E35D114"
"E:\Intellinx5\Server\servers\itxsvc_cdshp_sit_2668\security\keysets\current_key_s
et"
"E:\Intellinx5\Server\servers\itxsvc_cdshp_sit_2668\security\keysets\5352F216D27F-3C73-0690C8D25E35D114"
"E:\Intellinx5\Server\servers\itxsvc_re_2648\security\keysets\current_key_set"
"E:\Intellinx5\Server\servers\itxsvc_re_2648\security\keysets\5352F216-D27F3C73-0690C8D25E35D114"
"E:\Intellinx5\Server\servers\itxsvc_re_job_2658\security\keysets\current_key_set"
"E:\Intellinx5\Server\servers\itxsvc_re_job_2658\security\keysets\5352F216-D27F3C73-0690C8D25E35D114"

UAT environment (TBFRDSSAZDR1)

"E:\Intellinx5\Server\servers\itxsvc_atm_uat_2549\security\keysets\current_key_se
t"
"E:\Intellinx5\Server\servers\itxsvc_atm_uat_2549\security\keysets\5352F216D27F-3C73-0690C8D25E35D114"
"E:\Intellinx5\Server\servers\itxsvc_cdshp_uat_2778\security\keysets\current_key_
set"

TBANK Security Intellinx System V0.6

Export / Import certification


"E:\Intellinx5\Server\servers\itxsvc_cdshp_uat_2778\security\keysets\5352F216D27F-3C73-0690C8D25E35D114"
"E:\Intellinx5\Server\servers\itxsvc_re_uat_2748\security\keysets\current_key_set"
"E:\Intellinx5\Server\servers\itxsvc_re_uat_2748\security\keysets\5352F216-D27F3C73-0690C8D25E35D114"
"E:\Intellinx5\Server\servers\itxsvc_re_job_2888\security\keysets\current_key_set"
"E:\Intellinx5\Server\servers\itxsvc_re_job_2888\security\keysets\5352F216-D27F3C73-0690C8D25E35D114"

6) Open the Enterprise Manager and then double click on the server for
example itxsvc_dc_atm you will get to the Server Configuration, click
on the Encryption tab.

2
1

Figure 19: Setup the encryption and sign are explain 5

TBANK Security Intellinx System V0.6

Export / Import certification


6.1) In case of the keyset is not generated and place to the
directory the system will be shown as follows in Figure 20 and this
message appear There is no keyset defined on the Server, encryption
cannot be used.

Figure 20: No keyset apply is not allow to Activate Service

TBANK Security Intellinx System V0.6

Export / Import certification


6.2) When keyset is applied to the server service directory, restart
that service. It will show as picture below that the Activate Service is
allow to turn it on.

Figure 21: Setup the encryption and sign are explain 6

TBANK Security Intellinx System V0.6

Export / Import certification


7) Checked on Activate Service and click OK

Figure 22: Setup the encryption and sign are explain 7

8) Click OK

Figure 23: Setup the encryption and sign are explain 8

TBANK Security Intellinx System V0.6

Export / Import certification


9) After activating the encryption service the server service itxsvc_dc_atm
will be asking for restart to apply the keyset as on the next time running.

Figure 24: Setup the encryption and sign are explain 9

TBANK Security Intellinx System V0.6

Export / Import certification

Apply encryption to the Data Channels


When the itxsvc_dc_atm server service has been restarted this server
service will allow turning on the Encrypt recordings and Sign recordings of the
Data Channel. (In this case is an example of ATMBase24DataChannel)

Figure 25: DC encrypt 1

Under the Recording tab click on the Encrypt recording and Sign
recording check boxes and then click OK for apply then restart the
DataChannel.

Figure 26: DC encrypt 2

All DataChannel has been applied to this keyset and enable the encryption
data that finally writing down to the BackLog Database. Sessions data are

TBANK Security Intellinx System V0.6

Export / Import certification


keeping secure and can only playback from the system that has this keyset
config.

TBANK Security Intellinx System V0.6

Export / Import certification

Investigation Center Configuration DB


password encryption
Investigation Center Web application has the configuration file by default that
is InvestigationCenter.xml and this file are store the Database connection
including user and password. Intellinx has been provided the Database Password
Encryption Tool that is used to create more effective password protection by
using the Triple DES encryption algorithm within the InvestigationCenter.xml file.
The tool has two main functions:
- Generate a master key based on a given password
- Encrypt a password using the generated master key
Using these two functions ("generate" and "encrypt") results in an encrypted
password that replaces the plain text passwords available by default in the
InvestigationCenter.xml file.

Generate a master key based on a given password


To generate master key file, follow these steps
1. Go to command line and navigate to
D:\Intellinx\IC\InvestigationCenter\setup\password-encryption

Figure 27: Generating master key for the database password 1

2. Type PasswordEncryptionTool generate p xxxx (Where xxxx = your


password.)

Figure 28: Generating master key for the database password 2

3. After that, press Enter and it will show that master key file generated
successfully as follows.

TBANK Security Intellinx System V0.6

Export / Import certification


Figure 29: Generating master key for the database password 3

Encrypt a password using the generated master key


To use master key file, follow these steps
1. Go to command line and navigate to
D:\Intellinx\IC\InvestigationCenter\setup\password-encryption

Figure 30: Setup the encryption for the database password 1

2. Type PasswordEncryptionTool encrypt p xxxx (Where xxxx = your


password.)

Figure 31: Setup the encryption for the database password 2

3. After that, press Enter and it will show that master key file generated
successfully as follows. The password shown in No.1 will be used up
next.

Figure 32: Setup the encryption for the database password 3

TBANK Security Intellinx System V0.6

Export / Import certification


4. Apply master key file to the Intellinx Investigation Center server file
located on path:
D:\Intellinx\IC\InvestigationCenter\Appserver\conf\Catalina\localhost\In
vestigationCenter.xml
At first, database password is still plain text as shown in picture below.

Figure 33: Setup the encryption for the database password 4

5. Use this encrypted password from Figure 31 earlier:


enc:AAAAHDAaBBSH0kYgz62pdL+F3HWd5KzAswiJEAICBAAAAAAI0a1a
7Kw7r6M=
(Note: This password will not be the same for each time you created
new master key.)
Then replace the plain text password shown in Figure 32 with the
encrypted password that mentioned earlier.

Figure 34: Setup the encryption for the database password 5

TBANK Security Intellinx System V0.6

Export / Import certification

6. Copy the master key encryption file .masterkey under this path
D:\Intellinx\IC\InvestigationCenter\Appserver\conf\

Figure 35: Master key file path

TBANK Security Intellinx System V0.6

Export / Import certification


7. Stop itx_ic_investigationcenter Service and then start again.
Investigation Center service will be applied to encrypt password in the
InvestigationCenter.xml after it started.

Figure 36: Starting the Investigation Center Service

TBANK Security Intellinx System V0.6

Export / Import certification

Web tunnel SSL encryption apply


There are 2 components of Intellinx that service to the end user by access
from the http/https protocol including
1. Intellinx Web Replay : To provide a session replay that was record from
the Backlog DB.
2. Investigation Center Web : To provide web portal workflow for the case
investigation.
To make those components secure communication between end user and
server services Intellinx need a JavaKeyStore or PKCS12 keys for the encryption
communication tunnel. In the way of Java Intellinx using the Java standard
keytool name keytool.exe to do generate key file. This tool coming with Java on
the D:\Intellinx\Jre\bin\.
The step to generate the key encryption done by the following command and
input the password.
Keytool -genkey -keyalg RSA -alias itx_key -keystore keystore.jks -dname
"CN=TBFRATMICPRD, OU=IT Security Division, O=Thanachart Group, L=Bangkok,
C=TH" -validity 10000 -keysize 2048
Enter keystore password:
Figure 37: Web tunnel ssl encryption apply 1

The keystore file will be create after put the enter the password.
25/08/2015 02:57 PM
1,264 keystore.jks

Figure 38: Web tunnel ssl encryption apply 2

TBANK Security Intellinx System V0.6

Export / Import certification

Web Replay encryption


To encrypt the Web Replay, follow these instructions.
1. Apply keystore file to the web replay by opening the Enterprise
Manager and click on Web Server tab.

Figure 39: WebReplay SSL 1

TBANK Security Intellinx System V0.6

Export / Import certification


2. Checked on the Activate Service. Then change the Web Server
Protocol to HTTPS and select the Key store type value JKS. After
that, set the file path on the Key store file:. Finally, enter the
password on the Key store password.

Figure 40: WebReplay SSL 2

3. Click OK

Figure 41: WebReplay SSL 3

After applying the parameters for the encrytion Web Replay service then
restart the server service. The service will be applied to the itxsvc_bl on the
ATM production server.

TBANK Security Intellinx System V0.6

Export / Import certification

Investigation Center Web encryption


Apply the keystore file to the Intellinx Investigation Center Web portal to
secured the communication between server and enduser. The Investigation
Configuration file is base on Tomcat server.xml located under the
D:\Intellinx\IC\InvestigationCenter\Appserver\conf\ for production.

Figure 42: Investigation Center SSL 1

In order need to be remove comment begin <!-- and end --> then add
new lines and put the parameter as follow:
1. keystoreFile = "D:\Intellinx\Security\keystore.jks
2. keystorePass = "xxxxxx"
3. keyAlias = "itx_key"

Figure 43: Investigation Center SSL 2

TBANK Security Intellinx System V0.6

Export / Import certification


After saving the file need to be restart the itx_ic_investigattioncenter
service.

Figure 44: Investigation Center SSL 3

TBANK Security Intellinx System V0.6

Export / Import certification

Export / Import certification


When we use new keystore, certification is still not trusted from system
and will result in security error (although it didnt impact on application process).
Therefore we need to import certification to system by following these steps
1. Export certification from URL of Investigation Center that is untrusted.
2. Import certification back to the system again by configuring as trusted
certification.

Export certification
1. Click on Certificate Error and select View certificates

Figure 45: Export certificate 1

TBANK Security Intellinx System V0.6

Export / Import certification


2. Click on Details tab and select Copy to File

Figure 46: Export certificate 2

3. Click Next

Figure 47: Export certificate 3

TBANK Security Intellinx System V0.6

Export / Import certification


4. Select DER encoded binary X.509 (.CER) and click Next

Figure 48: Export certificate 4

5. Click Browse for choosing file path

Figure 49: Export certificate 5

TBANK Security Intellinx System V0.6

Export / Import certification


6. Click Next after file path has been selected

Figure 50: Export certificate 6

7. Click Finish

Figure 51: Export certificate 7

TBANK Security Intellinx System V0.6

Export / Import certification


8. Click OK to complete exporting certificate

Figure 52: Export certificate 8

Import certification
1. Click Start > type certmgr.msc
certmgr.msc that showed up

TBANK Security Intellinx System V0.6

in

search

panel

and

select

Export / Import certification


Figure 53: Import certificate 1

TBANK Security Intellinx System V0.6

Export / Import certification


2. Expand Trusted Root Certification Authorities > Certificates > All
tasks > Import

Figure 54: Import certificate 2

3. Click Next

TBANK Security Intellinx System V0.6

Export / Import certification


Figure 55: Import certificate 3

TBANK Security Intellinx System V0.6

Export / Import certification


4. Click Browse for choosing file path

Figure 56: Import certificate 4

5. Select certificate file (in this case its the same file from previous
chapter)

TBANK Security Intellinx System V0.6

Export / Import certification


Figure 57: Import certificate 5

TBANK Security Intellinx System V0.6

Export / Import certification


6. Click Next after file path has been selected

Figure 58: Import certificate 6

7. Select Place all certifications in the following store and click Browse

Figure 59: Import certificate 7

TBANK Security Intellinx System V0.6

Export / Import certification


8. Select Show physical stores

Figure 60: Import certificate 8

9. Expand Trusted Root Certification Authorities

Figure 61: Import certificate 9

TBANK Security Intellinx System V0.6

Export / Import certification


10.Select Local Computer and click OK

Figure 62: Import certificate 10

11.Certificate store path should have Local Computer in the end and
click Next

TBANK Security Intellinx System V0.6

Export / Import certification


Figure 63: Import certificate 11

TBANK Security Intellinx System V0.6

Export / Import certification


12.Click Finish

Figure 64: Import certificate 12

13.Click OK to complete importing certificate

Figure 65: Import certificate 13

TBANK Security Intellinx System V0.6

Export / Import certification

Disable JavaScript Debugging Notification


Usually, Microsoft Internet Explorer has JavaScript debugging enabled as
default setting to check if there are any errors in JavaScript thats running. But
sometimes JavaScript errors are caused by misplace syntax which it doesnt
affect any of applications processing. Therefore we can disable JavaScript
debugging notification for better experience usage by following these steps
1. Open Microsoft Internet Explorer web browser
2. At Menu bar, select Tools > Internet Options

Figure 66: Disable JavaScript Debugging Notification 1

TBANK Security Intellinx System V0.6

Export / Import certification


3. Go to Advance tab. Under Browsing section, uncheckmark Display
a notification about every script error. Click Apply and click OK

Figure 67: Disable JavaScript Debugging Notification 2

TBANK Security Intellinx System V0.6