Security folks and PHINMS

Phill Lowe

unread,

Dec 9, 2016, 7:32:42 PM12/9/16

to PHINMS User Community

We are going to use PHINMS to receive the messages from STEVE 2.0. this caused the security folks to look at it again and they are not happy about the JDK 6 and the older version of Tomcat that it runs on.

I was wondering if anyone has tried to run PHINMS on a new version of Tomcat and possibly the JDK as well. I am hoping that it will run well on something a bit newer so I can placate the security types for a couple of more years.

Preacher Man

unread,

Dec 10, 2016, 9:07:52 AM12/10/16

to phi...@googlegroups.com

Phil,

I've run it on a 7.x JDK. You have to tweak a few of its security setting. That fixed some bugs and introduced others. Things start getting ugly on a 8.x JDK. Of course Tomcat will have it's own idea about which JDK should be used.

In my opinion these types of updates don't actually do much for (internal) security. Appropriate firewalls, private subnets, secured servers and files systems, properly configured proxy services... these are the things that will actually protect an application like PHINMS. But I understand the "placate" factor (sigh).

Also keep in mind PHINMS makes use of several rather old jar libraries that have at least as much influence as the JDK/Tomcat does on security, and is still using triple DES as the primary payload encryption algorithm. That of course is coded into the application and independent of JDK, OS, etc.

Having coded both 'C' and Java PHINMS compatible applications, I like to think I understand a little bit about this stuff. But I would not consider myself a security expert. In any event there is code on GITHUB for anyone who cares to look under the hood - Phineas for 'C' coders and jPhineas for Java/Tomcat folk. Both projects are flat lined for lack of external interest, but if enough folk jumped in I would take either one back up.

jPhineas is actually about 95% complete, includes graphic monitoring (those nifty pie charts and graphs), and only needed digital signatures finished up and support for dB payloads added (those who have followed my posts know that my "religious" beliefs hold that files belong on the file system, NOT the data base

).

There used to be links on this forum and in CDC PHIN Conference presentations I've given for this stuff, but alas the UW switched my web hosting and they are forever broken. A simple GITHUB search gets you what you need however.

Good luck,

Tom

From: phi...@googlegroups.com <phi...@googlegroups.com> on behalf of Phill Lowe <philli...@doh.wa.gov>
Sent: Friday, December 9, 2016 6:32 PM
To: PHINMS User Community
Subject: Security folks and PHINMS

We are going to use PHINMS to receive the messages from STEVE 2.0. this caused the security folks to look at it again and they are not happy about the JDK 6 and the older version of Tomcat that it runs on.

I was wondering if anyone has tried to run PHINMS on a new version of Tomcat and possibly the JDK as well. I am hoping that it will run well on something a bit newer so I can placate the security types for a couple of more years.

--

---
You received this message because you are subscribed to the Google Groups "PHINMS User Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to phinms+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Frans de Wet

unread,

Dec 10, 2016, 11:09:57 AM12/10/16

to phi...@googlegroups.com

We use PHINMS with Tomcat 7 + APR and JDK 8 on CentOS and Amazon Linux.

We have a zip based release that includes some fixes we had to make (for mysql etc).

Program is in /opt, configuration in /etc and logging in /var/log.

Seems to work well.

Thanks,
Frans

Preacher Man

unread,

Dec 10, 2016, 6:18:48 PM12/10/16

to phi...@googlegroups.com

Frans,

Could you expound on the nature/details of your "zip release" and "fixes"? Are these things people could manage from a standard CDC distribution? Are there published patches or instructions available? I imagine Phil would appreciate knowing if this was something he could practically expect to do himself given the resources available to him.

The last time I checked with CDC (admittedly a few years back), PHINMS could not be "freely distributed", either in original, partial, or derived form. I could probably dig up the email exchange if anyone wanted to see the exact request and CDC response.

My interest at the time was to provide a pre-configured PHINMS installer to clients rather than make them struggle through the client configuration for specific receivers. Similarly I might be inspired to post packages using newer JVM's and/or Web Containers were that allowed. That of course is what led me to write open sourced Phineas now on GITHUB.

Alas, the world has moved on and PHINMS appears to be at "end of life". It will be interesting to see exactly how long inertia carries it (and this group) forward.

cheers

Tom

From: phi...@googlegroups.com <phi...@googlegroups.com> on behalf of Frans de Wet <fra...@gmail.com>
Sent: Saturday, December 10, 2016 10:09 AM
To: phi...@googlegroups.com
Subject: Re: Security folks and PHINMS

Ray Humphrys

unread,

Dec 10, 2016, 6:28:55 PM12/10/16

to phi...@googlegroups.com

Not so fast with phinms' death. I'm a MTS beta tester and it's a ways off. Right now no real reason to switch unless you just want to use REST.

Eduardo Gonzalez Loumiet

unread,

Dec 10, 2016, 9:14:02 PM12/10/16

to phi...@googlegroups.com

I see PHINMS sticking around for at least another 3-5 yrs.

Eddie

ph...@eskimo.com

unread,

Dec 11, 2016, 12:33:24 AM12/11/16

to phi...@googlegroups.com

I would agree. Even if we were told everything is done and perfect with
MTS. It takes some states three years to get the funding, put out a bid,
choose a vendor and get the work done and approved for production. It
doesn't take much to stretch that out.

And I will have to run both until all of our partners are switched over.
That will require me to go to a number of small operations and help them
convert.

>> ------------------------------
>>
>>
>>
>> *From:* phi...@googlegroups.com <phi...@googlegroups.com> on behalf of
>> Frans de Wet <fra...@gmail.com>
>>
>>
>>
>> *Sent:* Saturday, December 10, 2016 10:09 AM
>>
>>
>>
>> *To:* phi...@googlegroups.com
>>
>>
>>
>> *Subject:* Re: Security folks and PHINMS

>> ------------------------------
>>
>>
>>
>> *From:*

>>
>>
>> phi...@googlegroups.com <phi...@googlegroups.com> on behalf of Phill
>> Lowe
>> <philli...@doh.wa.gov>
>>
>>
>>

>> *Sent:* Friday, December 9, 2016 6:32 PM
>>
>>
>>
>> *To:* PHINMS User Community
>>
>>
>>
>> *Subject:* Security folks and PHINMS

Ray

unread,

Dec 11, 2016, 5:29:06 AM12/11/16

to phi...@googlegroups.com

If you are a big-time message mover like labcorp/Mayo/RNR hubs why break what works?

If and when MTS is adopted by somebody, I'm sure phinms will be in my future for a long time.

Sent from my iGizmo

Preacher Man

unread,

Dec 11, 2016, 11:10:48 AM12/11/16

to phi...@googlegroups.com

All good points and I totally agree (hence PHINMS "inertia"). OTOH, CDC has said "no more PHINMS updates" and Phil (original post) has presented a real world issue that many folks will be forced to deal with. Who do your clients call when their server group say "move PHINMS to MS server 2013"? Whether real or perceived, they may not get 3-5 years to address their organizations or clients (updated) security requirements.

With the CDC focus on MTS there appears to be a growing "gap" in support for health messaging. Who and how do we go about addressing that as a community (as I was alluding to in my reply to Frans), and get real solutions to folks like Phil?

Tom

From: phi...@googlegroups.com <phi...@googlegroups.com> on behalf of Ray <hump...@gmail.com>
Sent: Sunday, December 11, 2016 4:29 AM
To: phi...@googlegroups.com
Subject: Re: Security folks and PHINMS

Google Groups

groups.google.com