Getting started securing your system
After installation, you must immediately take action to secure your IBM® Global High Availability Mailbox system.
The following aspects of security must be addressed immediately after installation.
- Password protection - Note the master passphrase for Global Mailbox. For more information, see Changing the master passphrase. The master passphrase that is created during installation and is enabled by default secures access to sensitive properties by encryption. For more information, see Securing passwords. Important: Change the master passphrase only if it is compromised. If the master passphrase is corrupted or is not changed properly, the Global Mailbox system can be seriously affected.
- Authentication security - When Global Mailbox is installed, a default administrator with the ID admin is created and you must supply its password. Create a new administrator and delete the default one.
- Establish the appropriate user authentication, roles, and permissions. Global Mailbox enforces role-based authorization for system administrators. Permissions for mailboxes control the actions that a specific user can perform on a mailbox. For more information, see Administering users and Administering user permissions.
- Secure the communication between the browser and Global Mailbox. The Global Mailbox administrator password is sent in clear text to the server during login, so the login page must only be accessed by using HTTPS (SSL/TLS). For more information, see Securing communications and Securing with SSL. If the TLS/SSL configuration is changed in the server.xml file of one Global Mailbox node, the same changes must be made to the other Global Mailbox nodes in the cluster. This includes copying the keystore and truststore lines from the server where the changes were made to the other servers.
- Secure the communication between the Apache Cassandra cluster nodes with TLS/SSL. For more information, see Securing Apache Cassandra SSL connections.
- Data in storage is not encrypted by default during installation. To enable encryption of data in storage, see Provisioning storage. Encryption must be enabled before the system is put into service. Encrypting data in storage has significant performance implications, but they might be justified by the extra protection of the data.
- To configure Liberty to run in NIST SP800-131a mode, see Setting up a Liberty profile to run in SP800-131a. To change Global Mailbox to NIST mode, see Securing with SSL.
- Secure Cassandra JMX. The JMX user name and password must be configured in Cassandra and specified in global.properties. All Cassandra nodes must be configured with the same user name and password for JMX security. For more information, see Securing Cassandra JMX.
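The TLS item above requires that a change to the keystore, truststore or ssl settings in one node's server.xml be copied to every other Global Mailbox node. The following script is an added example, not part of the IBM documentation or product: it parses Liberty server.xml content from several nodes (constructed sample fragments embedded inline, with placeholder passwords) and reports any attribute of a keyStore or ssl element that differs from the first node, so configuration drift can be caught before the cluster goes into service.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments for three nodes (sample data, not real files).
# gm-node2 drifted: different truststore location and an older sslProtocol.
NODE_CONFIGS = {
    "gm-node1": """<server>
  <keyStore id="defaultKeyStore" location="gm.p12" type="PKCS12" password="{xor}PLACEHOLDER"/>
  <keyStore id="defaultTrustStore" location="trust.p12" type="PKCS12" password="{xor}PLACEHOLDER"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
</server>""",
    "gm-node2": """<server>
  <keyStore id="defaultKeyStore" location="gm.p12" type="PKCS12" password="{xor}PLACEHOLDER"/>
  <keyStore id="defaultTrustStore" location="trust-old.p12" type="PKCS12" password="{xor}PLACEHOLDER"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1"/>
</server>""",
    "gm-node3": """<server>
  <keyStore id="defaultKeyStore" location="gm.p12" type="PKCS12" password="{xor}PLACEHOLDER"/>
  <keyStore id="defaultTrustStore" location="trust.p12" type="PKCS12" password="{xor}PLACEHOLDER"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
</server>""",
}


def tls_config(server_xml):
    """Extract every keyStore and ssl element, keyed by (tag, id), as attribute dicts."""
    root = ET.fromstring(server_xml)
    return {(tag, el.get("id")): dict(el.attrib)
            for tag in ("keyStore", "ssl") for el in root.iter(tag)}


def find_drift(configs):
    """Compare each node with the first node; return (node, key, attr, ref_value, node_value) tuples."""
    items = iter(configs.items())
    ref_name, ref_cfg = next(items)
    drift = []
    for name, cfg in items:
        for key in sorted(set(ref_cfg) | set(cfg)):
            ref_el, node_el = ref_cfg.get(key, {}), cfg.get(key, {})
            for attr in sorted(set(ref_el) | set(node_el)):
                if ref_el.get(attr) != node_el.get(attr):
                    drift.append((name, key, attr, ref_el.get(attr), node_el.get(attr)))
    return drift


if __name__ == "__main__":
    parsed = {name: tls_config(xml) for name, xml in NODE_CONFIGS.items()}
    for node, key, attr, ref_val, node_val in find_drift(parsed):
        # Never echo keystore passwords in reports.
        shown = ("<redacted>", "<redacted>") if attr == "password" else (ref_val, node_val)
        print(f"{node}: {key[0]} id={key[1]} attr={attr} reference={shown[0]} node={shown[1]}")
```

An empty result means every node carries the same keystore, truststore and ssl settings as the reference node.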