Best Practices for Securing Your PTC Arbortext Content Delivery Solution
This section provides basic actions that you can take to secure your PTC Arbortext Content Delivery solution.
Note: This information is provided only to assist you with the secure configuration of PTC Arbortext Content Delivery. PTC does not provide support for any third-party products mentioned in this section, nor is PTC responsible for your security infrastructure.
For additional security, consider using the HTTP Public Key Pinning (HPKP) extension. PTC Arbortext Content Delivery does not implement this mechanism out of the box, because deploying HPKP safely requires operational and organizational maturity: hosts can make themselves unavailable by pinning to a set of public key hashes that become invalid.
Best Practice Steps
1. Configure the web server to use HTTPS. HTTPS uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect web application data from unauthorized disclosure and modification while it is transmitted between the browser (client) and the web server.
   For more information about setting up your web server for HTTPS, see Configuring SSL for the Web Application Server.
2. Establish a strong password policy for your PTC Arbortext Content Delivery solution. Strong passwords have the following characteristics:
   - Have a minimum password length.
   - Contain uppercase, lowercase, numeric, and special characters.
   - Do not contain the user name or the name of the organization.
   - Have an expiration.
   - Include an account lockout feature after a specified number of login attempts.
3. Change the passwords of the default accounts created during data loading. Each new password must follow the strong password characteristics listed above.
4. Remove the following from the PTC Arbortext Content Delivery web-accessible directories on a production server:
   - Implementation examples
   - Sample code
   - API documentation
5. Ensure that directory listing is disabled on your web server.
Security Configurations
You must update the standalone-full-<dbType>.xml file with the following security configurations:
HostHeaderFilter Configuration:
To accept specific host names as valid Host header values, add those host names to the value of the whitelistHosts parameter in the standalone-full-<dbType>.xml file. By default, this parameter is set to EMPTY_VALUE, which allows all host names in the Host header. For example:
    <param name="whitelistHosts" value="<host1>:8443,<host2>:8443,<host3>:8443"/>
Concurrent request limit Configuration:
You can configure the concurrent request limit by changing the value of the max-concurrent-requests parameter in the standalone-full-<dbType>.xml file. By default, it is set to 1000. For example:
    <request-limit name="requestLimiter" max-concurrent-requests="1000" queue-size="100"/>
Note: The location of standalone-full-<dbType>.xml is: <ACD_HOME>\INS_SW\SW\System\WildFly\standalone\configuration
Both security configurations require a server restart after the standalone-full-<dbType>.xml file is updated.
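The following audit is an added example, not PTC code: it parses a copy of standalone-full-<dbType>.xml and flags a whitelistHosts value still set to EMPTY_VALUE, hosts that differ from an expected list, and a max-concurrent-requests value that is not a positive integer. The sample document's nesting and namespace, the function names, and the acd.example.com host are assumptions; only the two elements shown above come from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The nesting and namespace are assumptions; only the
# <param> and <request-limit> elements are taken from the page.
SAMPLE = """<server xmlns="urn:example:constructed">
  <filters>
    <filter name="HostHeaderFilter">
      <param name="whitelistHosts" value="EMPTY_VALUE"/>
    </filter>
    <request-limit name="requestLimiter" max-concurrent-requests="1000" queue-size="100"/>
  </filters>
</server>"""


def local(tag):
    """Strip the XML namespace so elements match wherever they are declared."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text, expected_hosts):
    """Return a list of findings for the two settings described above."""
    findings = []
    root = ET.fromstring(xml_text)
    params = [e for e in root.iter()
              if local(e.tag) == "param" and e.get("name") == "whitelistHosts"]
    if not params:
        findings.append("whitelistHosts parameter not found")
    expected = {h.lower() for h in expected_hosts}
    for p in params:
        value = (p.get("value") or "").strip()
        if value == "EMPTY_VALUE":  # page: default, allows all host names
            findings.append("whitelistHosts is EMPTY_VALUE: any Host header is accepted")
            continue
        hosts = {h.strip().lower() for h in value.split(",") if h.strip()}
        for extra in sorted(hosts - expected):
            findings.append(f"unexpected host in whitelistHosts: {extra}")
        for missing in sorted(expected - hosts):
            findings.append(f"expected host missing from whitelistHosts: {missing}")
    limits = [e for e in root.iter() if local(e.tag) == "request-limit"]
    if not limits:
        findings.append("no request-limit element found")
    for lim in limits:
        raw = lim.get("max-concurrent-requests", "")
        if not raw.isdigit() or int(raw) <= 0:
            findings.append(f"max-concurrent-requests is not a positive integer: {raw!r}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE, ["acd.example.com:8443"]):
        print(line)
```

Run it against a copy of the file before each restart, passing the host:port pairs that clients actually use to reach the server.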