Security planning considerations

Information in this section is provided to assist in the security planning process but is not a complete description of any security feature or level of support.

Authentication and authorization are separate processes.
Authentication (logon security) is separate from authorization (object and process security). You must configure your JAAS login on the Content Platform Engine application server so that any user or group that can successfully log on to FileNet® P8 resources can also be authorized to work within FileNet P8 interfaces, using the Content Platform Engine directory service provider connection.
Configuration Manager captures configuration information to create your application server authentication provider; or you can use an authentication provider that already exists on the application server. Immediately following the initial Content Platform Engine deployment, you will use IBM® Administration Console for Content Platform Engine to configure the Content Platform Engine authorization by creating a Directory Configuration.
Logins are done through JAAS.
FileNet P8 uses Java™ Authentication and Authorization Service (JAAS) for authentication, which is a process that occurs between a Java EE client application, a Java EE application server, and one or more JAAS login modules. This process does not involve any FileNet P8 code.
FileNet P8 platform uses JAAS for authentication only, not for authorization on stored objects. Also, it does not support Java Security Manager.
Determine single sign-on (SSO) requirements.
Content Platform Engine's use of JAAS-based authentication means that if a single sign-on (SSO) provider supplies a JAAS LoginModule for a supported application server, then clients of FileNet P8 applications hosted in that application server can use that SSO solution. See Single Sign-On Solutions for IBM FileNet P8 at ibm.com/redbooks for configuration information.
Determine Kerberos applicability.
You can use Kerberos for SSO authentication between .NET applications or other products that use it, provided you use Windows Active Directory as the directory server.
Decide how many authentication realms you require.
At least one authentication realm is required, which you create during an initial installation by running the Configuration Manager Configure LDAP task. After making sure that the first realm is working properly, you can configure additional realms, depending on your security model and requirements.
Make sure that you have a directory service provider in place.
Directory services are provided by third-party directory servers. Refer to the IBM FileNet P8 system requirements for the list of supported products.
Starting with version 5.2, Content Platform Engine supports heterogeneous directory server configurations when running in an IBM virtual member manager environment. (To use virtual member manager, Content Platform Engine requires WebSphere® Application Server version 7.0 or above.) For all other directory environments, only homogenous LDAP server combinations are supported, meaning that a single FileNet P8 domain can be configured to use only one of the supported directory servers.
Understand the users and groups required for FileNet P8.
All general administrative users and groups needing access to FileNet P8-based applications must reside in one of the supported directory servers. The planning and preparation tasks provide instructions for creating the administrative accounts required for installation and initial configuration.
(WebLogic only) Any WebLogic authentication provider must be dedicated to FileNet P8.
For performance reasons, do not share any authentication provider that is used by WebLogic for deployed FileNet P8 components with applications used for other purposes.
You can configure Content Platform Engine to use email or UPN for login
You can assign the directory server's email attribute or, for Active Directory, the userPrincipalName (UPN) to be the user short name that is used for login. Instructions in the IBM FileNet P8 Platform Installation and Upgrade Guide provide a link to a procedure that explains how to do this.
Avoid overlapping realm definitions
In the Configuration Manager task Configure LDAP, if you set the WebSphere Application Server or WebSphere Application Server Liberty LDAP repository type option to Federated repositories, do not enter repositories with overlapping suffixes, because they are not supported. For example, the following two repositories with overlapping base entry distinguished names are not supported: the domain components (dc=ibm,dc=com) are the same for both entries, so the first entry lies beneath the second:
  • ou=users,dc=ibm,dc=com
  • dc=ibm,dc=com
This restriction applies in particular to Active Directory parent and child domains, because by definition a child domain's DN lies beneath its parent's, so their suffixes overlap.
The repositories in the next example are supported, because they are sibling repositories and do not overlap. The domain component attributes differ; they have different child components (dc=tivoli versus dc=filenet):
  • dc=tivoli,dc=ibm,dc=com
  • dc=filenet,dc=ibm,dc=com
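The following Python is an added example, not IBM or WebSphere code, that checks a candidate list of base entry DNs against the rule above before they are entered in Configure LDAP: two entries overlap when one DN equals the other or sits beneath it, that is, when one DN's RDN list is a suffix of the other's. The DN lists are constructed from the examples in this section plus an Active Directory parent/child pair; none of them refer to a real directory.

```python
"""Flag federated-repository base entries whose suffixes overlap.

Added example, not IBM or WebSphere code. Applies the rule from the text:
two base entry DNs overlap when one equals the other or lies beneath it
(one DN's RDN list is a suffix of the other's), and such a pair cannot be
entered as separate repositories.
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDN strings, least significant first.
    'ou=Users, DC=IBM,dc=com' -> ['ou=users', 'dc=ibm', 'dc=com'].
    Escaped commas (\\,) stay inside their value."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    out = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def overlaps(dn_a: str, dn_b: str) -> bool:
    """True when one base entry is the other or lies beneath it."""
    a, b = parse_dn(dn_a), parse_dn(dn_b)
    shorter, longer = (a, b) if len(a) <= len(b) else (b, a)
    return longer[len(longer) - len(shorter):] == shorter


def find_overlaps(base_entries: List[str]) -> List[Tuple[str, str]]:
    """Every pair of entries that the Configure LDAP task would reject."""
    bad = []
    for i, first in enumerate(base_entries):
        for second in base_entries[i + 1:]:
            if overlaps(first, second):
                bad.append((first, second))
    return bad


# Constructed inputs mirroring the two lists in the text, plus an AD
# parent/child pair, which always overlaps.
REJECTED = ["ou=users,dc=ibm,dc=com", "dc=ibm,dc=com"]
SUPPORTED = ["dc=tivoli,dc=ibm,dc=com", "dc=filenet,dc=ibm,dc=com"]
AD_PARENT_CHILD = ["DC=corp,DC=example,DC=com", "DC=child,DC=corp,DC=example,DC=com"]

if __name__ == "__main__":
    for name, entries in [("rejected", REJECTED), ("supported", SUPPORTED),
                          ("ad parent/child", AD_PARENT_CHILD)]:
        print(name, find_overlaps(entries))
```

Run it against the full list of base entries you intend to federate; an empty result from find_overlaps means the entries are siblings (or unrelated trees) and can be entered together. The comparison is case-insensitive on attribute types and values, which matches how Active Directory and most LDAP servers treat DNs.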

The Content Engine realm attribute is mapped one-to-one to the NamingContext LDAP attribute in most systems, but not in IBM Virtual Member Manager (VMM).

(WebSphere only) Choose Stand-alone or Federated repository type.
There is an option in the Configuration Manager Configure LDAP task to select whether the WebSphere Application Server repository type is Stand-alone LDAP registry or Federated repositories. To have Configuration Manager use your repository type setting, select the Configuration Manager option Set as current active user registry.
If you choose Stand-alone LDAP registry
Configuration Manager changes the administrative console user login to the account you enter as the Administrative console user name. This account must reside in the Stand-alone LDAP registry location. The existing administrative console user login, if any, becomes invalid.
To have Configuration Manager replace an existing Stand-alone LDAP registry configuration, you must enable the Configuration Manager option Overwrite existing repository.
If you choose Federated repositories
By choosing the Federated repositories option in Configuration Manager, you are adding a new LDAP realm to an existing Federated LDAP repository. The administrative console user name that you provide must be a unique user across all federated realms.
Administrative security must be enabled
Configuration Manager does not change the state of WebSphere administrative security. If it was on before running Configuration Manager, then it stays on; if it was off before, then it stays off.
WebSphere Application Server security domains
Content Platform Engine supports WebSphere Application Server security domains, a feature that is introduced in WebSphere Application Server 7.0. Security domains allow administrators to define multiple security configurations for use in a single cell or application server. By default, all administrative and user applications in WebSphere Application Server use the same global security configuration. However, with security domains, you can create additional security configurations if you want to specify different security attributes for some or all of your user applications. For example, you can define different settings (such as a different user registry) for user applications than for administrative applications. You can also define separate security configurations for user applications that are deployed to different servers and clusters.
To use security domains, you deploy Content Platform Engine in the normal way, and then use your WebSphere Application Server administrative console to create a security domain and to assign Content Platform Engine to it. Content Platform Engine code then automatically honors this domain setting. All Content Platform Engine servers and clients must be in one of the available WebSphere security domains. Also, the Content Platform Engine bootstrap account (cpe_bootstrap_admin) must be present in both the WebSphere Application Server global security configuration and the security domain that applies to the Content Platform Engine; or you can skip the bootstrap login at the server startup by setting the JVM argument -Dcom.filenet.engine.init.BGThreadsAsBootstrapId=false.
Determine whether to use external key management
You can use an external key management server instead of managing your keys in the Global Configuration Database. If you want to use this method for key management, you must configure the connection between your key management server and the Content Platform Engine server before you configure the initial P8 domain.
Mitigate against denial of service attacks

By default, the deployed services, which are exposed to external access using routes, are configured to accept communications using HTTPS only. If you change the default deployment to allow communication via HTTP for these services, the applications using those services, like the administration console for Content Platform Engine, can be vulnerable to denial of service (DoS and DDoS) attacks like Slowloris.

You can mitigate against these kinds of attacks by:
  • Putting an efficient HTTP proxy in front of your web or application servers.
  • Using hardware load balancers that accept only full HTTP connections.

    Note that there are some restrictions when using load balancers with Content Platform Engine. For more information, see Load balancer support for FileNet P8.

  • Using the Apache HTTP Server module mod_reqtimeout to limit the time allowed for receiving an HTTP request.
    For example:
    <IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
    </IfModule>
    This configuration gives a client 20 seconds to send the request headers, extends that deadline by one second for every 500 bytes received but never beyond 40 seconds in total, and gives 20 seconds for the request body, again extended by one second per 500 bytes received. A client that trickles a few bytes at a time therefore cannot keep a connection open indefinitely.
  • Mitigating in the server or proxy implementation by:
    • Refusing connections with an abnormally small advertised TCP window size.
    • Refusing persistent connections and HTTP pipelining (unless there are performance benefits to be gained by accepting them).
    • Limiting the absolute connection lifetime to a reasonable value.
    • Tracking the rate at which a client is sending data and disconnecting when a bad client is identified.
    • Configuring a maximum transaction time for the client.

      If the complete request does not arrive within the transaction time set at the server, drop the client connection.

    • Using an edge server that buffers the incoming request and passes data on to the application server only when its buffer is full, so that a slow client occupies the edge server rather than the application server.
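To make the rate-tracking and transaction-time checks concrete, here is an added Python model (not FileNet P8, WebSphere or Apache code) of a per-connection receive budget of the kind an edge proxy or front end would apply. It encodes the rule behind the RequestReadTimeout line above: each request phase starts with an initial allowance, every byte received pushes the deadline later by 1/MinRate seconds, the header phase is capped at a hard maximum, and an absolute connection lifetime (an assumed 120 seconds, not a value from this page) sits on top. The timelines at the bottom are constructed for illustration; the host name in them is made up.

```python
"""Per-connection receive budget for slow-request (Slowloris-style) clients.
Added example, not FileNet P8, WebSphere or Apache code: it models the rule
behind the RequestReadTimeout line above (initial allowance per phase,
extended by 1/MinRate seconds per byte, header phase capped) plus an assumed
absolute connection lifetime. Timelines at the bottom are constructed."""
import math
from dataclasses import dataclass


@dataclass
class Limits:
    header_initial: float = 20.0   # header=20-40: seconds allowed before any header byte
    header_max: float = 40.0       # ... and the hard ceiling for the header phase
    body_initial: float = 20.0     # body=20: seconds allowed before body bytes arrive
    min_rate: float = 500.0        # MinRate=500: each byte extends the deadline by 1/500 s
    max_lifetime: float = 120.0    # assumed absolute connection lifetime


class PhaseBudget:
    """Deadline for one request phase, pushed later by the bytes received."""

    def __init__(self, now, initial, maximum, min_rate):
        self.deadline = now + initial
        self.hard_max = math.inf if maximum is None else now + maximum
        self.per_byte = 1.0 / min_rate if min_rate > 0 else 0.0

    def received(self, nbytes):
        self.deadline = min(self.deadline + nbytes * self.per_byte, self.hard_max)

    def expired(self, now):
        return now > self.deadline


class Connection:
    def __init__(self, opened_at, limits):
        self.opened_at, self.limits = opened_at, limits
        self.buf, self.phase, self.body_needed = b"", "header", 0
        self.budget = PhaseBudget(opened_at, limits.header_initial, limits.header_max, limits.min_rate)

    def feed(self, now, chunk):
        """Account for received bytes and advance header -> body -> done."""
        self.budget.received(len(chunk))
        if self.phase == "header":
            self.buf += chunk
            end = self.buf.find(b"\r\n\r\n")
            if end == -1:
                return
            header, rest = self.buf[:end], self.buf[end + 4:]
            for line in header.split(b"\r\n"):
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    self.body_needed = int(value.strip() or 0)
            self.body_needed -= len(rest)   # body bytes that arrived with the header
            if self.body_needed > 0:
                self.phase = "body"
                self.budget = PhaseBudget(now, self.limits.body_initial, None, self.limits.min_rate)
            else:
                self.phase = "done"
        elif self.phase == "body":
            self.body_needed -= len(chunk)
            if self.body_needed <= 0:
                self.phase = "done"

    def check(self, now):
        """Return '' to keep the connection, otherwise the reason to drop it."""
        if now - self.opened_at > self.limits.max_lifetime:
            return "absolute lifetime exceeded"
        if self.phase != "done" and self.budget.expired(now):
            return f"{self.phase} not received in time"
        return ""


def run_timeline(events, limits=None, horizon=200):
    """Replay (time, chunk) events against a 1 s watchdog. Returns (tick, reason)
    when the connection is dropped, or None if the request completes in time."""
    conn = Connection(0.0, limits or Limits())
    pending = sorted(events, key=lambda e: e[0])
    for tick in range(horizon + 1):
        while pending and pending[0][0] <= tick:
            at, chunk = pending.pop(0)
            conn.feed(at, chunk)
        reason = conn.check(float(tick))
        if reason:
            return tick, reason
        if conn.phase == "done":
            return None
    return horizon, "horizon reached"


# Constructed timelines (host name is made up). Slowloris drips one header line
# every 15 s and never sends the blank line; the slow body sends one byte per 2 s.
HDR = b"GET / HTTP/1.1\r\nHost: cpe.example.internal\r\n"
NORMAL = [(0.2, HDR + b"\r\n")]
SLOWLORIS = [(0.0, HDR)] + [(15.0 * i, b"X-a: b\r\n") for i in range(1, 12)]
SLOW_BODY = [(0.0, b"POST / HTTP/1.1\r\nContent-Length: 10000\r\n\r\n")] + [(2.0 * i, b"x") for i in range(1, 61)]
STEADY_UPLOAD = [(0.0, b"POST / HTTP/1.1\r\nContent-Length: 5000\r\n\r\n")] + [(float(i), b"x" * 1000) for i in range(1, 6)]
LONG_UPLOAD = [(0.0, b"POST / HTTP/1.1\r\nContent-Length: 100000\r\n\r\n")] + [(float(i), b"x" * 600) for i in range(1, 171)]

if __name__ == "__main__":
    for name in ("NORMAL", "SLOWLORIS", "SLOW_BODY", "STEADY_UPLOAD", "LONG_UPLOAD"):
        print(name, run_timeline(globals()[name]))
```

The normal request and the steady 1000-byte-per-second upload complete untouched; the header-dripping client is dropped just after its 20 second header allowance runs out, the one-byte-per-two-seconds body is dropped once the body allowance expires, and an upload that stays above MinRate but runs for minutes is cut by the absolute lifetime. Raising the header allowance (for example to tolerate slow links) only delays the Slowloris cut-off; it does not remove it.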