Planning security
Before you prepare your environment for the service, make decisions about implementing security in the service by answering questions described in this topic.
About this task
Question | Considerations
---|---
Will you use federated identity management? | Federated identity management allows users who are logged on to your company system to use the service without logging on again. To enable federated identity management, you register your organization as a trusted identity provider in the IBM Connections™ Cloud service. Before you register, you must implement and test a federated identity management system that uses Security Assertion Markup Language (SAML). While you are implementing your system, you must make some choices and prepare several artifacts. For more information about this option and other login options, see Configuring logins.
Do your company top-level organization certifiers comply with service requirements? | There are some restrictions on organization certifier names. Your organization certifiers must be at least three characters and must be different from certifiers used by other companies in the service. In addition, specific organization certifier names are prohibited for use with the service. If you use more than one organization certifier, decide which one to use for the following servers. All of these servers must be certified under the same organization certifier. For more information, see Certifier requirements in a hybrid environment.
What decisions do you need to make about the OU certifier to use for your mail servers? | Decide on a name for the OU certifier. A short name is best. Consider carefully the name you choose; after you upload the OU certifier ID file to the service during service configuration, you cannot change to a certifier of a different name. Decide who will create the OU certifier and who will upload the certifier ID file to the service. Uploading the ID file to the service requires physical access to the ID file. Companies often allow only specific people to create certifiers and to access certifier ID files, so account for this possibility in your planning.
Is public key checking enabled on on-premises servers that the service will connect to? | If public key checking is enabled on the following servers, it must be disabled.
What firewall changes are required? | Your firewall must be opened to specific ports and host names. For more information, see Planning network connections.
Do you use wildcard groups to control access? | Put wildcard groups, for example, */Austin/Renovations, directly in access control lists, mail or calendar delegation lists, or policy assignment fields. Do not put wildcard groups in a directory group and add the directory group to the access list or policy assignment fields; this configuration is not supported.
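The wildcard-group rule in the last row is easy to violate by accident when groups are nested several levels deep. The following is an added example, not part of the IBM documentation, that walks a constructed directory-group membership map and flags ACL entries that are directory groups with a wildcard group nested anywhere inside them; the group names, user names and `*/Boston/Renovations` wildcard are assumed sample data.

```python
from typing import Dict, List

# Constructed sample data (assumption, not from the page): directory group
# membership as it might appear in a Domino Directory, plus the entries of
# one database ACL. Names use the abbreviated hierarchical form CN/OU/O.
DIRECTORY_GROUPS: Dict[str, List[str]] = {
    "AustinStaff": ["*/Austin/Renovations", "Joe Smith/Austin/Renovations"],
    "Managers": ["AustinStaff", "Ann Lee/Boston/Renovations"],
    "BostonStaff": ["Ann Lee/Boston/Renovations", "*/Boston/Renovations"],
    "AllStaff": ["Managers", "BostonStaff"],
}
ACL_ENTRIES: List[str] = [
    "*/Austin/Renovations",         # wildcard group placed directly: supported
    "AllStaff",                     # directory group hiding wildcards: unsupported
    "Jane Doe/Boston/Renovations",  # ordinary user entry
]

def is_wildcard_group(entry: str) -> bool:
    """A wildcard group names a whole OU/O branch, e.g. */Austin/Renovations."""
    return entry.startswith("*/")

def wildcard_matches(pattern: str, name: str) -> bool:
    """True if a hierarchical name falls under the wildcard's OU/O branch."""
    branch = pattern[1:].lower()  # "*/Austin/Renovations" -> "/austin/renovations"
    return name.lower().endswith(branch) and not is_wildcard_group(name)

def nested_wildcards(group: str, groups: Dict[str, List[str]], seen=None) -> List[str]:
    """Wildcard members reachable through group nesting (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return []
    seen.add(group)
    found: List[str] = []
    for member in groups[group]:
        if is_wildcard_group(member):
            found.append(member)
        elif member in groups:
            found.extend(nested_wildcards(member, groups, seen))
    return found

def unsupported_acl_entries(acl: List[str], groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each directory-group ACL entry to the wildcard groups nested in it."""
    flagged: Dict[str, List[str]] = {}
    for entry in acl:
        hidden = nested_wildcards(entry, groups) if entry in groups else []
        if hidden:
            flagged[entry] = hidden
    return flagged
```

Run `unsupported_acl_entries(ACL_ENTRIES, DIRECTORY_GROUPS)` against an export of your own groups and ACLs; any entry it returns should be replaced by the wildcard groups themselves placed directly in the ACL.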