Configuring security

A secure Global Mailbox system requires several configuration settings. Some security options are not enabled by default during installation. If your business requirements include these options, you must configure them.

During your configuration, the following aspects of security must be considered and addressed:

Communication

NIST or FIPS compliance
To configure Liberty for NIST compliance, see Setting up a Liberty profile to run in SP800-131a.
To change Global Mailbox to NIST, see Securing with SSL.
Cluster nodes
Each Global Mailbox node in the cluster must be individually configured for TLS/SSL.
If the TLS/SSL configuration is changed in the server.xml file of one Global Mailbox node, the same changes must be made to the other Global Mailbox nodes in the cluster. This includes copying the keystore and truststore lines from the server where the changes were made to the other servers. See Securing with SSL.
Apache Cassandra cluster
To restrict access to the server to trusted clients only, the connection between Global Mailbox and Cassandra must be secured. This protection is disabled by default. Enable it to secure the database server for the internal network. For information about enabling it, see Securing Apache Cassandra SSL connections.
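
The cluster-node requirement above (identical TLS/SSL settings in every node's server.xml) can be checked for drift with a short script. This is an added example, not IBM's tooling; it assumes the standard Liberty keyStore, ssl and sslDefault elements, and the sample server.xml content, paths and ids are constructed.

```python
import xml.etree.ElementTree as ET

# Liberty server.xml elements that carry TLS/SSL settings.
TLS_TAGS = ("keyStore", "ssl", "sslDefault")
# Assumption: password attributes are skipped so encoded secrets are never
# printed by this check; compare those out of band.
SKIP_ATTRS = {"password"}

def tls_settings(server_xml):
    """Map 'tag#id' -> attributes for each TLS-related element."""
    found = {}
    for elem in ET.fromstring(server_xml).iter():
        if elem.tag in TLS_TAGS:
            attrs = {k: v for k, v in elem.attrib.items() if k not in SKIP_ATTRS}
            found[f"{elem.tag}#{elem.get('id', '')}"] = attrs
    return found

def tls_drift(nodes):
    """Compare each node with the first one; return the differing attributes
    as (node, element, attribute, reference_value, node_value) tuples."""
    (_, ref_xml), *others = nodes.items()
    ref = tls_settings(ref_xml)
    drift = []
    for name, xml_text in others:
        cur = tls_settings(xml_text)
        for key in sorted(set(ref) | set(cur)):
            a, b = ref.get(key, {}), cur.get(key, {})
            for attr in sorted(set(a) | set(b)):
                if a.get(attr) != b.get(attr):
                    drift.append((name, key, attr, a.get(attr), b.get(attr)))
    return drift

# Constructed sample input: node2 still points at an old keystore and its
# ssl element has lost the truststore reference.
NODE1 = """<server>
  <keyStore id="defaultKeyStore" location="/opt/gm/key.p12" type="PKCS12" password="PLACEHOLDER"/>
  <keyStore id="defaultTrustStore" location="/opt/gm/trust.p12" type="PKCS12" password="PLACEHOLDER"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
</server>"""
NODE2 = """<server>
  <keyStore id="defaultKeyStore" location="/opt/gm/old-key.p12" type="PKCS12" password="OTHER"/>
  <keyStore id="defaultTrustStore" location="/opt/gm/trust.p12" type="PKCS12" password="PLACEHOLDER"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/>
</server>"""

if __name__ == "__main__":
    for row in tls_drift({"node1": NODE1, "node2": NODE2}):
        print(row)
```

The check compares only the configuration lines; it does not verify that the keystore and truststore files themselves match across nodes.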

Data encryption

Storage
Data in storage is not encrypted by default during installation. To enable encryption of data in storage, see Provisioning storage. It must be enabled before the system is put into service. Encrypting data in storage has significant performance implications, but they might be justified by the extra protection of the data.