Powered by Algolia

    Securing your installation

    The following sections describe options to secure your installation for production use.

    Secure End user access to the OpenIAM UI

    Enable HTTPS communication to the OpenIAM UI

    Enable https communication to the OpenIAM UI and prevent unsecure communication. Steps to configure https can be found here:

    Secure responses from cross-site scripting

    By default XSS-Protection headers are already set. Additional, the following headers can set the following header to exclude MIME sniffing:

    • X-Content-Type-Options: nosniff

    Update the password policy

    Update your the password policy in OpenIAM to align with your corporate password policy. The policy can be configured using the webconsole.

    Update the authentication policy

    Update the authentication mechanism in OpenIAM to align with your corporate direction. This can be done in one of the following ways:

    • if you are using an external IdP, such as Azure, then integrate OpenIAM to act as a service provider to your IdP.
    • If OpenIAM will be your IdP, or you will be authenticating directly into OpenIAM, then define the authentication rules by:

    Secure the infrastructure

    Update default stack component passwords

    The env.sh file contains default passwords for stack components. These should be updated and stored securely.

    TLS communication with RabbitMQ

    Enable TLS communication in RabbitMQ to ensure secure communication between infrastructure services.

    Reduce log levels

    The log levels should be reduced to WARN. Avoiding excessive debug will improve both security and performance.

    Remove Default objects

    There are a number of default objects which are created during installation to simplify the initial experience for those who are new to OpenIAM. These objects should be either removed or updated prior to going into production.

    Remove default users

    There are number of default users, which should be removed using the webconsole. The include:

    • Scott Nelson
    • Hiring Manager
    • Security Manager
    • Help Desk

    Replace system admin accounts

    The out of the box deployment includes to system admin accounts:

    • sys user (sysadmin)
    • sys2 user (sysadmin2)

    Admin rights should be granted to named users so that there is traceability across the system. As such, the Super Security Admin role should be granted to the appropriate users. After access has been granted, login with super security admin rights and remove the above the two users.

    Note: DO NOT remove the system user. This user has no rights in OpenIAM and is used by internal processes.

    Remove default entitlement objects

    Remove roles

    Remove the roles listed below:

    • Help desk
    • End User
    • Security Admin
    • Security Admin_IDM

    Note: DO NOT REMOVE the Super security admin and Global UAR Administrator

    Remove default groups

    Remove the groups listed below:

    • Security group
    • HR Group

    Remove all organization objects

    Remove all organization objects and replace them with a structure which represents your organization and requirements

    Other recommendations

    Restrict Access to servers hosting OpenIAM

    Access to the servers / VMs where OpenIAM is hosted should only be enabled at the time that individuals working in those environments needs access. Permanent access should be avoided.

    Stay current with patching

    OpenIAM releases contain new features, bug fixes and fixes for vulnerabilities that have been reported. Its important that each deployment stay current with these releases.

    Previous
    Log4j Vulnerability
    Next
    Switch of OpenIAM datasource database