[midPoint] Security aspects of midpoint deployments

Alexandre Zia alexandre.zia at ifood.com.br
Thu Oct 3 12:31:14 UTC 2019


As midPoint lacks two-factor authentication, we also put midPoint behind an
authentication proxy that enforces two-factor authentication.



On Wed, Sep 25, 2019 at 10:49 AM Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Hi,
>
> There is a security guide for midPoint. That may be a good starting point:
>
> https://wiki.evolveum.com/display/midPoint/Security+Guide
>
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 9/25/19 12:36 PM, LOEW, Simon, SHS-INFRA IT-TS wrote:
>
> Hi midpoint community,
>
>
>
> we are currently looking into hardening the security of our midpoint
> deployment. Is there anything special in the midpoint configuration that
> should be reviewed? Maybe there is a hardening guideline available?
>
>
>
> Here are some basic points that we have already thought of ourselves:
>
> - Most recent OS, midPoint, Java and DB versions
>
> - Encryption of connections (HTTPS, database, resources)
>
> - Changing default users and passwords
>
> - Restricting access to the servers running midPoint and the DB
>
> - Checking for open ports
>
> - Hiding Tomcat behind a web server and setting some anti-XSS etc.
> headers
>
>
>
> I know this is a wide field, but maybe you have other best practices that
> could be adopted.
>
>
>
> Kind regards
>
>
>
> *Simon Loew*
>
>
>
> *SHS Infrastruktur GmbH*
>
>
>
> SHS Infrastruktur GmbH, Werkstraße 1, 66763 Dillingen/Saar
> Registered office: Dillingen/Saar
> Commercial register: Amtsgericht Saarbrücken HRB 103641
> Managing director: Michael Marion
>
>
>
> Disclaimer:
>
> As you are aware, e-mails sent via the internet can be received or manipulated
> by third parties. For this reason we do not send legally binding declarations
> via the internet.
>
>
>
> Please note:
>
> This e-mail may contain confidential and/or legally protected information.
> The contents are exclusively intended for the specified addressees. If you
> are not the correct addressee or his representative, please contact the
> sender of the e-mail. Any form of publication, duplication or transfer of
> the contents of misdirected e-mails is forbidden.
>
>
>
> Please consider the environment before printing this e-mail.
>
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>


-- 

Alexandre R Zia

*Security*





www.ifood.com.br
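Alexandre's approach above (an authentication proxy in front of midPoint that enforces a second factor) and the last item on Simon's list (hiding Tomcat behind a web server that sets anti-XSS headers) can be done by one component. The following is an added example and is not midPoint's code nor either poster's: a small Go reverse proxy that issues a session cookie only after a valid RFC 6238 TOTP code, forwards only session-bearing requests to midPoint, overwrites the identity header so a client cannot inject one, and sets the hardening headers on every response, including its own 401s. The in-memory secret/session store, the /proxy-login path, the X-Forwarded-User header name and the header values are assumptions; the TOTP seed used in the comments is the RFC 6238 test vector.

```go
// Added example (not midPoint code): TOTP-gated reverse proxy for midPoint; store, header name and values are assumed.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// totp returns the 6-digit RFC 6238 code (HMAC-SHA1, 30 s step) for a base32 secret at a Unix time.
func totp(secretB32 string, unixTime int64) (string, error) {
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secretB32)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha1.New, key)
	mac.Write(binary.BigEndian.AppendUint64(nil, uint64(unixTime/30)))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000), nil
}

// verifyTOTP accepts the current step and one step either side, comparing in constant time.
func verifyTOTP(secretB32, code string, now time.Time) bool {
	ok := false
	for skew := int64(-30); skew <= 30; skew += 30 {
		want, err := totp(secretB32, now.Unix()+skew)
		ok = ok || err == nil && subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1
	}
	return ok
}

// setSecurityHeaders puts the anti-XSS/anti-framing headers (assumed values) on a response.
func setSecurityHeaders(h http.Header) {
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("X-Frame-Options", "DENY")
	h.Set("Content-Security-Policy", "frame-ancestors 'none'")
}

// gate maps users to TOTP secrets and issued session tokens to users (in-memory, illustrative).
type gate struct {
	upstream *httputil.ReverseProxy
	secrets  map[string]string
	sessions sync.Map
}

func newGate(upstream *url.URL, secrets map[string]string) *gate {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	rp.ModifyResponse = func(res *http.Response) error { // Set, not Add: upstream cannot weaken them
		setSecurityHeaders(res.Header)
		return nil
	}
	return &gate{upstream: rp, secrets: secrets}
}

// login exchanges user+code for a random session cookie; every other path requires that cookie.
func (g *gate) login(w http.ResponseWriter, r *http.Request) {
	setSecurityHeaders(w.Header())
	secret, known := g.secrets[r.FormValue("user")]
	if !known || !verifyTOTP(secret, r.FormValue("code"), time.Now()) {
		http.Error(w, "invalid user or code", http.StatusUnauthorized)
		return
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // no entropy: refuse to issue a session rather than issue a guessable one
	}
	token := fmt.Sprintf("%x", raw)
	g.sessions.Store(token, r.FormValue("user"))
	http.SetCookie(w, &http.Cookie{Name: "proxy_session", Value: token, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
	w.WriteHeader(http.StatusNoContent)
}

func (g *gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/proxy-login" && r.Method == http.MethodPost {
		g.login(w, r)
		return
	}
	if c, err := r.Cookie("proxy_session"); err == nil {
		if user, ok := g.sessions.Load(c.Value); ok {
			r.Header.Set("X-Forwarded-User", user.(string)) // overwrite: a client-sent value never reaches midPoint
			g.upstream.ServeHTTP(w, r)
			return
		}
	}
	setSecurityHeaders(w.Header())
	http.Error(w, "second factor required", http.StatusUnauthorized)
}
```

To run it, serve newGate(upstreamURL, secrets) with http.ListenAndServeTLS in front of the Tomcat listener; the Secure cookie flag means the proxy must terminate TLS itself. Two things the code does not do and a deployment must: midPoint has to be reachable only from the proxy (Simon's "restricting access" point), otherwise the gate is bypassable, and if midPoint is to consume the forwarded identity header it must be configured to trust it from the proxy address only. Session expiry, logout and rate limiting of /proxy-login are left out for brevity.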

