Security planning considerations
Information in this section is provided to assist in the security planning process but is not a complete description of any security feature or level of support.
- Authentication and authorization are separate processes.
- Authentication (logon security) is separate from authorization (object and process security). You must configure your JAAS login on the Content Platform Engine application server so that any user or group that can successfully log on to FileNet® P8 resources can also be authorized to work within FileNet P8 interfaces, using the Content Platform Engine directory service provider connection.
- Logins are done through JAAS.
- FileNet P8 uses Java™ Authentication and Authorization Service (JAAS) for authentication, which is a process that occurs between a Java EE client application, a Java EE application server, and one or more JAAS login modules. This process does not involve any FileNet P8 code.
- Determine single sign-on (SSO) requirements.
- Content Platform Engine's ability to use JAAS-based authentication means that if a single sign-on (SSO) provider writes a JAAS LoginModule for a supported application server, then clients of FileNet P8 applications hosted in that application server can use that SSO solution. See Single Sign-On Solutions for IBM FileNet P8 at ibm.com/redbooks for configuration information.
- Determine Kerberos applicability.
- You can use Kerberos for SSO authentication between .NET applications or other products that use it, provided you use Windows Active Directory as the directory server.
- Decide how many authentication realms you require.
- At least one authentication realm is required, which you create during an initial installation by running the Configuration Manager Configure LDAP task. After making sure that the first realm is working properly, you can configure additional realms, depending on your security model and requirements.
- Make sure that you have a directory service provider in place.
- Directory services are provided by third-party directory servers. Refer to the IBM FileNet P8 system requirements for the list of supported products.
- Understand the users and groups required for FileNet P8.
- All general administrative users and groups needing access to FileNet P8-based applications must reside in one of the supported directory servers. The planning and preparation tasks provide instructions for creating the administrative accounts required for installation and initial configuration.
- (WebLogic only) Any WebLogic authentication provider must be dedicated to FileNet P8.
- For performance reasons, do not share any authentication provider that is used by WebLogic for deployed FileNet P8 components with applications used for other purposes.
- You can configure Content Platform Engine to use email or UPN for login.
- You can assign the directory server's email attribute or, for Active Directory, the userPrincipalName (UPN) to be the user short name that is used for login. Instructions in the IBM FileNet P8 Platform Installation and Upgrade Guide provide a link to a procedure that explains how to do this.
- Avoid overlapping realm definitions.
- In the Configuration Manager task Configure LDAP, if you set the WebSphere Application Server or WebSphere Application Server Liberty LDAP repository type option to Federated repositories, do not enter repositories with overlapping suffixes, because they are not supported. For example, the following two repositories have overlapping Base entry distinguished names and are not supported, because the domain component attributes (dc=ibm,dc=com) are the same for both entries:
  - ou=users,dc=ibm,dc=com
  - dc=ibm,dc=com
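As an added worked check (not IBM's code and not part of Configuration Manager), the following Python helper flags base entry DNs whose suffixes overlap before they are entered into a Federated repositories configuration. It assumes a simplified DN syntax (comma-separated RDNs, no exotic RFC 4514 escaping) and treats one DN being equal to, or a suffix of, another as an overlap; sibling subtrees under the same parent (for example two different OUs under dc=ibm,dc=com) are treated as disjoint, which is an assumption of this example.

```python
"""Check a set of LDAP base entry DNs for overlapping suffixes.

Added example (not IBM's code): the Federated repositories option does not
support base entries whose suffixes overlap, such as ou=users,dc=ibm,dc=com
together with dc=ibm,dc=com. This helper flags such pairs before you enter
them. DN parsing is deliberately simple (split on unescaped commas,
attribute types and values compared case-insensitively, whitespace
trimmed); it does not implement every RFC 4514 escaping rule.
"""
import re
from itertools import combinations

# Split on commas that are not backslash-escaped.
_SPLIT_RE = re.compile(r'(?<!\\),')


def normalize_dn(dn):
    """Return the DN as a list of normalized 'attr=value' RDNs, leaf first."""
    rdns = []
    for rdn in _SPLIT_RE.split(dn):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError(f"empty RDN in DN: {dn!r}")
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError(f"RDN without '=' in DN: {dn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def dn_is_suffix(shorter, longer):
    """True if `shorter` names an ancestor of (or the same entry as) `longer`."""
    short_rdns = normalize_dn(shorter)
    long_rdns = normalize_dn(longer)
    if len(short_rdns) > len(long_rdns):
        return False
    return long_rdns[len(long_rdns) - len(short_rdns):] == short_rdns


def find_overlapping_base_entries(base_entries):
    """Return every pair of base entries where one contains the other.

    A pair overlaps when the DNs are identical or one is a suffix of the
    other; both cases are rejected by Federated repositories.
    """
    overlaps = []
    for a, b in combinations(base_entries, 2):
        if dn_is_suffix(a, b) or dn_is_suffix(b, a):
            overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    # Constructed sample: the pair from the planning text plus one
    # disjoint tree that is fine to federate alongside them.
    sample = [
        "ou=users,dc=ibm,dc=com",
        "dc=ibm,dc=com",
        "dc=example,dc=org",
    ]
    for a, b in find_overlapping_base_entries(sample):
        print(f"overlapping suffixes: {a!r} and {b!r}")
```

Run the check over the full list of base entries you intend to federate; an empty result means no entry is nested inside another.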
- (WebSphere only) Choose Stand-alone or Federated repository type.
- There is an option in the Configuration Manager Configure LDAP task to select whether the WebSphere Application Server repository type is Stand-alone LDAP registry or Federated repositories. To have Configuration Manager use your repository type setting, select the Configuration Manager option Set as current active user registry.
- If you choose Stand-alone LDAP registry.
- Configuration Manager changes the administrative console user login to the account you enter as the Administrative console user name. This account must reside in the Stand-alone LDAP registry location. The existing administrative console user login, if any, becomes invalid.
- If you choose Federated repositories.
- By choosing the Federated repositories option in Configuration Manager, you are adding a new LDAP realm to an existing Federated LDAP repository. The administrative console user name that you provide must be a unique user across all federated realms.
- Administrative security must be enabled.
- Configuration Manager does not change the state of WebSphere administrative security. If it was on before running Configuration Manager, then it stays on; if it was off before, then it stays off.
- WebSphere Application Server security domains
- Content Platform Engine supports WebSphere Application Server security domains, a feature that is introduced in WebSphere Application Server 7.0. Security domains allow administrators to define multiple security configurations for use in a single cell or application server. By default, all administrative and user applications in WebSphere Application Server use the same global security configuration. However, with security domains, you can create additional security configurations if you want to specify different security attributes for some or all of your user applications. For example, you can define different settings (such as a different user registry) for user applications than for administrative applications. You can also define separate security configurations for user applications that are deployed to different servers and clusters.
- Determine whether to use external key management.
- You can use an external key management server instead of managing your keys in the Global Configuration Database. If you want to use this method for key management, you must configure the connection between your key management server and the Content Platform Engine server before you configure the initial P8 domain.
- Mitigate against denial of service attacks.
- By default, the deployed services, which are exposed to external access using routes, are configured to accept communications using HTTPS only. If you change the default deployment to allow communication via HTTP for these services, the applications using those services, like the administration console for Content Platform Engine, can be vulnerable to denial of service (DoS and DDoS) attacks like Slowloris.
  You can mitigate against these kinds of attacks by:
  - Putting an efficient HTTP proxy in front of your web or application servers.
  - Using hardware load balancers that accept only full HTTP connections. Note that there are some restrictions when using load balancers with Content Platform Engine. For more information, see Load balancer support for FileNet P8.
  - Using mod_reqtimeout to set limits on the time it takes to receive an HTTP request. For example:

    ```apache
    <IfModule mod_reqtimeout.c>
        RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
    </IfModule>
    ```

  - Mitigating during implementation by:
    - Refusing connections with an abnormally small advertised window size.
    - Refusing persistent connections and HTTP pipelining (unless there are performance benefits to be gained by accepting them).
    - Limiting the absolute connection lifetime to a reasonable value.
    - Tracking the rate at which a client is sending data and disconnecting when a bad client is identified.
    - Configuring the maximum transaction time for the client. If the message is not sent within the transaction time set at the server, drop the client connection.
    - Using an edge server that buffers the request and passes the data on to the application server only when the buffer is full.
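To make the mod_reqtimeout rule and the "track the client's sending rate" mitigation concrete, here is an added Python model (not IBM's or Apache's code) of how a header=20-40,MinRate=500 policy decides when a slow request is dropped. It assumes mod_reqtimeout's documented semantics: an initial 20 s allowance, extended in proportion to the bytes received (one second per 500 bytes), never beyond 40 s after the connection was accepted, with all times measured from accept. The chunk sequences it evaluates are constructed samples, not captured traffic.

```python
"""Model of mod_reqtimeout's RequestReadTimeout header stage.

Added example (not IBM's or Apache's code). Assumed semantics of
header=20-40,MinRate=500: a request must start arriving within 20 s;
every 500 bytes received buys one more second of deadline, but the
deadline never passes 40 s after the connection was accepted. Times are
seconds since accept.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HeaderReadTimeout:
    initial: float = 20.0    # seconds allowed before the request arrives
    maximum: float = 40.0    # hard cap on the deadline (the "40" in 20-40)
    min_rate: float = 500.0  # bytes per extra second (MinRate=500)


def evaluate_header_stage(chunks: List[Tuple[float, int]],
                          header_size: int,
                          policy: Optional[HeaderReadTimeout] = None):
    """Apply the policy to (arrival_time, nbytes) chunks of one request.

    Returns ("completed", t) once header_size bytes have arrived at time t,
    or ("dropped", deadline) if the deadline passes first. A chunk that
    arrives after the current deadline is never read, because the server
    has already closed the connection.
    """
    policy = policy or HeaderReadTimeout()
    deadline = policy.initial
    received = 0
    for arrival, nbytes in sorted(chunks):
        if arrival > deadline:
            return ("dropped", deadline)
        received += nbytes
        if received >= header_size:
            return ("completed", arrival)
        # Extend the deadline in proportion to the bytes received, capped.
        deadline = min(policy.maximum,
                       policy.initial + received / policy.min_rate)
    # Ran out of chunks before the header was complete: the server will
    # drop the connection when the deadline passes.
    return ("dropped", deadline)


def slow_trickle(interval: float, nbytes: int, count: int):
    """Constructed sample: a client sending `nbytes` every `interval` seconds."""
    return [(interval * i, nbytes) for i in range(1, count + 1)]


if __name__ == "__main__":
    # Constructed samples: a normal client, a slow but steady client that
    # keeps above the minimum rate, and a Slowloris-style trickle that
    # never does and is cut off shortly after the initial 20 s allowance.
    print(evaluate_header_stage([(0.3, 600)], header_size=600))
    print(evaluate_header_stage(slow_trickle(2.0, 1000, 12), header_size=12000))
    print(evaluate_header_stage(slow_trickle(5.0, 10, 20), header_size=600))
```

The model shows why the 20-40 range matters: a client that sends at or above MinRate keeps earning time up to the 40 s cap, while one that trickles a few bytes every several seconds is dropped shortly after the initial 20 s, which is the behaviour the RequestReadTimeout line above configures in Apache httpd.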