User guide
Interstage Single Sign-on
Operating and Managing a Business Server
To prevent unauthorized access to the protected resources of the business server and to ensure that authentication and authorization are performed correctly, the business server must be operated and managed appropriately.
• Use https as the protocol of the business server and encrypt the communication contents with the Web browser.
• Do not operate an unnecessary Web service on another port of the same server.
• Create a service ID of the business server using the FQDN of the business server.
• Before deploying an application such as CGI on the business server, verify that there is no security problem such as XSS.
• Minimize the number of users that can log in to the business server and record login actions.
Application Programming
Confirm that the application to be operated on the business server has no vulnerabilities (such as buffer overflow or XSS) and is securely programmed.
This measure applies to web applications in general, and is not limited to Interstage Single Sign-on.
Interstage provides single sign-on JavaAPIs. With single sign-on JavaAPIs, an application that performs authentication can be created based on the user name and password, and the user information stored in the SSO repository. Because such an application uses important information such as user names and passwords, be aware of the risk of information leakage caused by application failures. Use care when developing and operating applications.
When using single sign-on JavaAPIs, the following threats are assumed. Take the appropriate action for each of these threats:
For Servlet Applications Using Single Sign-on JavaAPIs
| Possible threat | Action |
| --- | --- |
| Application alteration | Periodically change the password for the IJServer operation account to prevent it from being leaked or collected. |
| Application destruction | Periodically back up data. |
| Leakage of credential information, user IDs, and passwords | Use the Web server in SSL. |
| | Minimize the number of access permissions to Web server access log files. |
| | Use POST for the FORM method instead of GET. |
| Alteration or exposure of configuration files (security policy file, login configuration file, or trust store file) | Minimize the number of access permissions to operating resources. |
| Destruction of configuration files (security policy file, login configuration file, or trust store file) | Periodically back up data. |
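
The POST and access-log actions for the leakage threat belong together: a login form submitted with GET places the user ID and password in the request URL, which the Web server then writes to its access log. The following is an added example, not code from the Interstage manual, that scans Common Log Format lines for credentials recorded in URLs and checks that a log file is closed to group and other users; the parameter names and sample log lines are constructed assumptions.

```python
import os
import re
import stat
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (assumed; match them to the form's field names).
SENSITIVE = {"password", "passwd", "pwd", "userid", "user", "username"}

# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def leaked_params(line):
    """Return the sorted credential parameter names found in a logged request URL."""
    m = REQUEST.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE)

def scan(lines):
    """Yield (line_number, names) for each log line that recorded credentials."""
    for n, line in enumerate(lines, 1):
        names = leaked_params(line)
        if names:
            yield n, names

def log_is_restricted(path):
    """True if neither group nor others hold any permission on the log file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0900] '
    '"GET /app/login?userid=alice&password=s3cret HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0900] "POST /app/login HTTP/1.1" 302 0',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0900] "GET /app/menu?page=2 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE):
        print(f"line {n}: credentials in URL: {', '.join(names)}")
```

Only the GET login is reported; the POST login leaves no credentials in the request line because the form fields travel in the request body.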