Data Security

Business Teams are stored in the EDB PostgreSQL service database. You cannot enable encryption of data at rest by using the cloud-native-postgresql operator. Instead, enable encryption through the Red Hat® OpenShift® Container Platform storage class that you configured for your deployment.

Security Hardening

To avoid host header injection attacks, you can configure Platform UI (ibm-platformui-operator) to reject requests where the HTTP header Host does not match the expected value as configured with key URL_PREFIX in configmap product-configmap. Complete the following configuration steps:

  1. Edit the product-configmap in the namespace where Platform UI is installed.

    • By using the console

      • In OpenShift console, go to Workloads > ConfigMaps.
      • Select your project and search for product-configmap.
      • Add or update a key HOST_INJECTION_CHECK_ENABLED to have a value of true.

    • By using the CLI

      Run the following command:

      oc patch configmap product-configmap -p '{"data":{"HOST_INJECTION_CHECK_ENABLED": "true"}}'
      
  2. Restart the Platform UI pods:

    • By using the console

      • In OpenShift console, go to Workloads > Pods.
      • Select your project and search for ibm-nginx.
      • Delete the pods.

    • By using the CLI

      Run the following command:

      oc delete pod -l component=ibm-nginx
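
To illustrate the kind of comparison that this setting turns on, the following added example (not part of the product and not IBM's implementation) checks a request's Host header against the authority derived from a URL_PREFIX-style value. The function names and sample hostnames are constructed, and the example assumes that URL_PREFIX holds an absolute http(s) URL.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_host_port(value, default_port):
    """Return (lowercased host, port) for a host[:port] string, or None if malformed."""
    value = value.strip()
    # Reject separators that have no place in a Host header value.
    if not value or any(c in value for c in " \t,/@\\?#"):
        return None
    try:
        # urlsplit handles IPv6 literals ([::1]:8443) and validates the port.
        parts = urlsplit("//" + value)
        host, port = parts.hostname, parts.port
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".").lower(), port if port is not None else default_port


def expected_authority(url_prefix):
    """Derive the (host, port) that clients are expected to address.

    Assumption: url_prefix is an absolute http(s) URL.
    """
    parts = urlsplit(url_prefix)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("URL_PREFIX must be an absolute http(s) URL")
    return parts.hostname.rstrip(".").lower(), parts.port or DEFAULT_PORTS[parts.scheme]


def host_header_allowed(host_headers, url_prefix):
    """True only if exactly one Host header is present and it matches url_prefix."""
    if len(host_headers) != 1:  # a missing or duplicated Host header is rejected
        return False
    scheme = urlsplit(url_prefix).scheme
    got = _split_host_port(host_headers[0], DEFAULT_PORTS.get(scheme))
    return got is not None and got == expected_authority(url_prefix)
```

The comparison normalizes case, a trailing dot, and the scheme's default port, so that `ui.example.com` and `UI.Example.com:443` are treated as the same authority for an https prefix while any other host or port is refused.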
      

FIPS Mode

Business Teams Service supports FIPS encryption starting with version 3.31.0. To enable FIPS mode, the Business Teams Service must be deployed on a FIPS-enabled Red Hat OpenShift cluster.

To enable FIPS mode for a Business Teams Service instance, the custom resource (CR) property enableFips must be set to true:

```
...
spec:
  enableFips: "true" # defaults to "false"
...
```

FIPS mode must be enabled explicitly for each service instance that is deployed in the OpenShift cluster.