...

Users should not be assigned privileges they do not need or do not have the skills to use safely. For example, a user with the ability to delete all records in a table in one operation can do considerable unintentional damage if they are not familiar enough with Companyname's architecture. Only trusted and trained users should be placed in the Admin group, as that group can make drastic changes to the structure and data of your system.

Use SSL and HTTPS

When accessed as a SaaS service, Agiloft is available through HTTPS only. If you install it on your own server, we strongly recommend that you also make it available only over HTTPS, even when it is used behind the firewall. This protects information transferred over the network from being read by a malicious individual. Do not allow any access to Companyname through standard HTTP.

Use SSL via HTTPS to secure web browser connections to the Companyname server. Using standard HTTP to connect to the Companyname server exposes passwords and potentially sensitive information to anyone able to monitor network traffic, and opens up additional methods of attack through interception of that traffic. To connect to your web server using SSL you will need to configure it manually, as it is not configured with SSL by default. You will need to purchase or generate a server certificate that authenticates your server to the clients. This configuration differs depending on the host operating system and the web server software you use. The following resources may help:

Even if you must allow access to some accounts through standard HTTP, ensure that HTTPS is used to access more sensitive accounts such as those in the Admin group or with login access to the Admin Console.
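The script below is an added example for this page, not Agiloft's own tooling: it checks what a server answers to a plain-HTTP request for the application (a redirect to https:// or a refusal is acceptable, a 2xx reply means the application is served in clear text) and reads the Strict-Transport-Security header from the HTTPS response, which tells browsers to stop using http:// links. The host name in probe() is a placeholder, /gui2/ is the application path named later on this page, and the replies used in the main block are constructed so the script runs offline.

```python
"""Probe how a Companyname server answers plain HTTP and whether HTTPS sends
HSTS.  Added example for this page, not Agiloft's own tooling.  The host name
is a placeholder; /gui2/ is the application path named in the port table."""
import http.client
import ssl
from typing import Mapping, Optional

REDIRECTS = (301, 302, 307, 308)


def classify_http_answer(status: int, headers: Mapping[str, str]) -> str:
    """Classify the server's reply to a plain-HTTP request for the application.

    'redirected'   redirect to an https:// URL                (acceptable)
    'refused'      4xx/5xx, plain HTTP is blocked             (acceptable)
    'bad-redirect' redirect whose target stays on http://     (fix the target)
    'exposed'      2xx, the application is served in clear    (must fix)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS:
        target = lower.get("location", "")
        return "redirected" if target.lower().startswith("https://") else "bad-redirect"
    if 200 <= status < 300:
        return "exposed"
    return "refused"


def hsts_max_age(headers: Mapping[str, str]) -> Optional[int]:
    """Return the max-age of a Strict-Transport-Security header, or None when
    the server does not send one (browsers then still follow http:// links)."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if not value:
        return None
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None


def probe(host: str, path: str = "/gui2/") -> dict:
    """Network part: one plain-HTTP request and one certificate-verified TLS
    request.  The pure functions above carry the decision logic."""
    result = {}
    plain = http.client.HTTPConnection(host, 80, timeout=5)
    plain.request("GET", path)
    resp = plain.getresponse()
    result["http"] = classify_http_answer(resp.status, dict(resp.getheaders()))
    plain.close()

    # create_default_context() verifies the certificate chain and host name, so a
    # self-signed or mismatched server certificate fails here instead of passing silently.
    secure = http.client.HTTPSConnection(host, 443, timeout=5, context=ssl.create_default_context())
    secure.request("GET", path)
    resp = secure.getresponse()
    result["hsts_max_age"] = hsts_max_age(dict(resp.getheaders()))
    secure.close()
    return result


if __name__ == "__main__":
    # Constructed replies standing in for real responses, so the script runs offline.
    print(classify_http_answer(301, {"Location": "https://companyname.example/gui2/"}))
    print(hsts_max_age({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

Run probe("your-server-name") against a test host once the web server is configured; a result of "exposed" for the http key means the redirect or block on port 80 is missing, and a None for hsts_max_age means browsers are still willing to start on http://.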

Restrict Login Access to the Companyname Server

A root user on Unix/Linux or a user in the Administrators group on Windows can circumvent Companyname internal security by modifying program and data files or directly changing data in the database, including passwords. However, even an unprivileged user can circumvent security by using local web access to exploit some of the special debugging features of Companyname, such as the JMX console shown below, that are not accessible to connections from outside the server.
[Image: JMX Agent View Wizard]

Restrict Services Accessible on the Companyname Server

Treat the Companyname server as you would any other sensitive server by only allowing connections essential for Companyname operation, such as HTTP and HTTPS, and for administration, such as SSH for Unix/Linux or Terminal Services for Windows. Additional services or applications that run on the same server machine, including other web applications, may contain security holes which could lead to the compromise of Companyname data.

The default services installed with most recent Linux distributions are generally minimal. You should use the nmap tool to verify which ports are exposed on your server. For example:

...

These are the TCP ports normally used by Companyname:

Port number | Description
80 | The standard HTTP port that connects to the Apache or IIS web server. The /gui2/ URL is forwarded to the Tomcat server and is the normal unsecured access port to the Companyname application.
8080 | The native connection port to the Tomcat server that is part of the Java framework behind Companyname.
443 | The standard HTTPS port for web service over SSL. This is either forwarded to the Tomcat server by the native web server or forwarded directly to port 8443 by the Linux kernel using the internal firewall module.
8443 | The native HTTPS port that Tomcat may be configured to listen on. It is often better to use the SSL engine in Tomcat with requests forwarded from port 443 than to configure the native web server for SSL and request forwarding.
3306 | The standard server port for MySQL, the default Linux back-end database. This port is not exposed externally; in other words, it is bound only to localhost.
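As an added example, not part of the original page or of Agiloft's tooling, the script below turns the port table into an audit of the listening sockets captured on the server with `ss -ltn` (or `netstat -ltn`): it flags 3306 or 8080 bound to anything but localhost, flags services the table does not list, and warns when port 80 is open without any HTTPS listener. The sample `ss` output is constructed; treating 8080 as internal-only and allowing 22 for SSH administration are assumptions noted in the code.

```python
"""Audit the listening TCP sockets of a Companyname server against the port
table above.  Added example for this page, not Agiloft's own tooling.  It
reads the output of `ss -ltn` (or `netstat -ltn`) captured on the server; the
SAMPLE_SS text below is constructed for illustration."""
from collections import namedtuple
from typing import Dict, List, Tuple

Finding = namedtuple("Finding", "port severity message")
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}

# port -> (description, may be reachable from outside the server)
# 80/443/8443/3306 come from the table; SSH is the admin access named in the text.
# Assumption: 8080 is internal-only, since the native web server forwards to Tomcat
# and clients should not need the connector directly.
EXPECTED: Dict[int, Tuple[str, bool]] = {
    22:   ("SSH administration", True),
    80:   ("HTTP via Apache/IIS (should only redirect to HTTPS)", True),
    443:  ("HTTPS via native web server or kernel forward to 8443", True),
    8443: ("Tomcat native HTTPS", True),
    8080: ("Tomcat native HTTP connector", False),
    3306: ("MySQL back-end database, localhost only", False),
}

# Constructed `ss -ltn` output: MySQL wrongly bound to all interfaces, plus two
# services (25, 11211) that the table does not list.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       511     *:443               *:*
LISTEN  0       100     127.0.0.1:8080      0.0.0.0:*
LISTEN  0       70      0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       128     127.0.0.1:25        0.0.0.0:*
LISTEN  0       100     0.0.0.0:11211       0.0.0.0:*
"""


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for each LISTEN line of ss/netstat output.
    Both tools put the local address in the fourth column."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if "LISTEN" not in fields or len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def audit(listeners: List[Tuple[str, int]]) -> List[Finding]:
    """Rate every listener and keep the worst finding per port."""
    worst: Dict[int, Finding] = {}

    def note(port: int, severity: str, message: str) -> None:
        current = worst.get(port)
        if current is None or SEVERITY_RANK[severity] > SEVERITY_RANK[current.severity]:
            worst[port] = Finding(port, severity, message)

    for addr, port in listeners:
        public = addr not in LOOPBACK   # wildcard or a real interface address
        if port in EXPECTED:
            desc, may_be_public = EXPECTED[port]
            if public and not may_be_public:
                note(port, "HIGH", f"{desc}: bound to {addr}; bind it to localhost only")
            else:
                note(port, "INFO", f"{desc}: bound to {addr}")
        elif public:
            note(port, "MEDIUM", f"unexpected service on {addr}:{port}; disable it or block it in the firewall")
        else:
            note(port, "LOW", f"unexpected local-only service on {addr}:{port}; confirm it is needed")

    ports = {port for _, port in listeners}
    if 80 in ports and not ports & {443, 8443}:
        note(80, "MEDIUM", "port 80 is open but no HTTPS listener (443/8443) exists; logins cross the network in clear")
    return sorted(worst.values())


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS)):
        print(f"{finding.severity:6} {finding.port:5} {finding.message}")
```

Feed it real output (`ss -ltn > listeners.txt` on the server, then `audit(parse_listeners(open("listeners.txt").read()))`) and compare against an external `nmap` scan: a port that is bound to a public address here but closed from outside is being held back only by the firewall, which is worth knowing when that firewall is changed.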




...