Data Security
Business Teams are stored in the EDB PostgreSQL service database. You cannot enable the encryption of data at rest by using the cloud-native-postgresql operator. So, use the Red Hat® OpenShift® Container Platform storage class that you configured for your deployment to enable encryption.
Security Hardening
To avoid host header injection attacks, you can configure Platform UI (ibm-platformui-operator) to reject requests where the HTTP header Host does not match the expected value as configured with key URL_PREFIX in configmap product-configmap. Complete the following configuration steps:
- Edit the product-configmap in the namespace where Platform UI is installed.
  - By using the console
    - In OpenShift console, go to Workloads > ConfigMaps.
    - Select your project and search for product-configmap.
    - Add or update a key HOST_INJECTION_CHECK_ENABLED to have a value of true.
  - By using the CLI

    Run the following command:

    ```
    oc patch configmap product-configmap -p '{"data":{"HOST_INJECTION_CHECK_ENABLED": "true"}}'
    ```
- Restart the Platform UI pods:
  - By using the console
    - In OpenShift console, go to Workloads > Pods.
    - Select your project and search for ibm-nginx.
    - Delete the pods.
  - By using the CLI

    Run the following command:

    ```
    oc delete pod -l component=ibm-nginx
    ```
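To confirm the setting before or after the pod restart, the following added example (not part of the product documentation and not IBM code) parses the ConfigMap YAML and checks that HOST_INJECTION_CHECK_ENABLED is true and that URL_PREFIX is not empty, because the Host header is matched against that key. The function names, the sample YAML and the host name cpd.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code). Audits ConfigMap YAML as printed by:
#   oc get configmap product-configmap -o yaml

# cm_value KEY: print the value of KEY from the top-level "data:" map on stdin.
cm_value() {
  awk -v key="$1" '
    /^data:/ { in_data = 1; next }
    /^[^ ]/  { in_data = 0 }              # next top-level key ends the data map
    in_data && $1 == (key ":") {
      val = $0
      sub(/^ *[^:]+: */, "", val)         # drop indentation and "KEY: "
      gsub(/^"|"$/, "", val)              # drop the quotes oc puts around "true"
      print val
      exit
    }'
}

# audit_host_check: return 0 only if the check is enabled and URL_PREFIX is set.
audit_host_check() {
  yaml=$(cat)
  enabled=$(printf '%s\n' "$yaml" | cm_value HOST_INJECTION_CHECK_ENABLED)
  prefix=$(printf '%s\n' "$yaml" | cm_value URL_PREFIX)
  rc=0
  if [ "$enabled" != "true" ]; then
    echo "FAIL: HOST_INJECTION_CHECK_ENABLED is '${enabled:-unset}', expected 'true'"
    rc=1
  fi
  if [ -z "$prefix" ]; then
    echo "FAIL: URL_PREFIX is empty, so there is no expected Host value to match"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK: Host header check enabled, expected value '$prefix'"
  fi
  return "$rc"
}

# Constructed sample (hypothetical host name), in the key order oc prints.
SAMPLE_CM='apiVersion: v1
data:
  HOST_INJECTION_CHECK_ENABLED: "true"
  URL_PREFIX: cpd.example.com
kind: ConfigMap
metadata:
  name: product-configmap'

printf '%s\n' "$SAMPLE_CM" | audit_host_check
```

On a cluster, pipe the output of oc get configmap product-configmap -o yaml into audit_host_check from the project where Platform UI is installed.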
FIPS Mode
Business Teams Service supports FIPS encryption starting with version 3.31.0. To enable FIPS mode, the Business Teams Service must be deployed on a FIPS-enabled Red Hat OpenShift cluster.
To enable FIPS mode for a Business Teams Service instance, the custom resource (CR) property enableFips must be set to true:
```
...
spec:
  enableFips: "true" # defaults to "false"
...
```
FIPS mode must be enabled explicitly for each service instance that is deployed in the OpenShift cluster.