<div dir="ltr">Hello Simon,<div>consider to include:</div><div> - Midpoint keystore <a href="https://wiki.evolveum.com/display/midPoint/Keystore+Configuration">https://wiki.evolveum.com/display/midPoint/Keystore+Configuration</a></div><div> - Midpoint password storage/hashing <a href="https://wiki.evolveum.com/display/midPoint/Password+Storage+Configuration">https://wiki.evolveum.com/display/midPoint/Password+Storage+Configuration</a></div><div> - encryption of storage of DB</div><div> - OS hardening checks</div><div><br></div><div>Some additional information might be found on <a href="https://wiki.evolveum.com/display/midPoint/Security">https://wiki.evolveum.com/display/midPoint/Security</a></div><div><br></div><div>-- </div><div>Peter</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 25, 2019 at 12:36 PM LOEW, Simon, SHS-INFRA IT-TS <<a href="mailto:Simon.Loew@shs-infrastruktur.de">Simon.Loew@shs-infrastruktur.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="white" lang="DE">
<div class="gmail-m_1307041413451275526WordSection1">
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hi midpoint community,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">we are currently looking into hardening the security of our midpoint deployment. Is there anything special in the midpoint configuration that should
be reviewed? Maybe there is a hardening guideline available?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Here are some basic points that we have already thought of ourselves:<u></u><u></u></span></p>
<p class="gmail-m_1307041413451275526MsoListParagraph"><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Symbol;color:rgb(31,73,125)"><span>·<span style="font:7pt "Times New Roman"">
</span></span></span><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Most recent OS, midpoint, java and DB version<u></u><u></u></span></p>
<p class="gmail-m_1307041413451275526MsoListParagraph"><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Symbol;color:rgb(31,73,125)"><span>·<span style="font:7pt "Times New Roman"">
</span></span></span><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Encryption of connections (https, database, resources)<u></u><u></u></span></p>
<p class="gmail-m_1307041413451275526MsoListParagraph"><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Symbol;color:rgb(31,73,125)"><span>·<span style="font:7pt "Times New Roman"">
</span></span></span><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Changing default users and passwords<u></u><u></u></span></p>
<p class="gmail-m_1307041413451275526MsoListParagraph"><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Symbol;color:rgb(31,73,125)"><span>·<span style="font:7pt "Times New Roman"">
</span></span></span><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Restricting access to the servers running midpoint and DB<u></u><u></u></span></p>
<p class="gmail-m_1307041413451275526MsoListParagraph"><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Symbol;color:rgb(31,73,125)"><span>·<span style="font:7pt "Times New Roman"">
</span></span></span><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Checking for open ports<u></u><u></u></span></p>
<p class="gmail-m_1307041413451275526MsoListParagraph"><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Symbol;color:rgb(31,73,125)"><span>·<span style="font:7pt "Times New Roman"">
</span></span></span><u></u><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hiding tomcat behind a webserver and setting some anti XSS etc. headers<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I know this is a wide field, but maybe you have other best practices that could be adopted.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Kind regards<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:14pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Simon Loew<u></u><u></u></span></b></p>
<p class="MsoNormal"><b><span style="font-size:14pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></b></p>
<p class="MsoNormal" style="break-after:avoid"><b><span style="font-size:20pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">SHS Infrastruktur GmbH<u></u><u></u></span></b></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif">SHS Infrastruktur GmbH, Werkstraße 1, 66763 Dillingen/Saar<br>
Sitz: Dillingen/Saar<br>
Registergericht: Amtsgericht Saarbrücken HRB 103641<br>
Geschäftsführung: Michael Marion<u></u><u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Calibri,sans-serif;color:rgb(64,64,64)"><u></u> <u></u></span></b></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray">Ausschlusserklärung (Disclaimer):<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray">Wie Sie wissen, können über das Internet versandte E-Mails unter fremden Namen erstellt oder manipuliert werden. Aus<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray">diesem Grund sind unsere mit E-Mails verschickten Nachrichten grundsätzlich keine rechtsverbindliche Willenserklärungen.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8pt;font-family:Arial,sans-serif;color:gray">As you are aware e- mails sent via internet can be received or manipulated by third parties. For this reason we do not send<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8pt;font-family:Arial,sans-serif;color:gray">legally binding declarations via the internet.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8pt;font-family:Arial,sans-serif;color:gray"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray">Bitte beachten Sie:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray">Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen enthalten. Der Inhalt ist ausschließlich für die<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray">bezeichneten Adressaten bestimmt. Wenn Sie nicht der richtige Adressat oder dessen Vertreter sind, setzen Sie sich bitte mit<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray">dem Absender der E-Mail in Verbindung. Jede Form der Veröffentlichung, Vervielfältigung oder Weitergabe des Inhaltes<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray">fehlgeleiteter E-Mails ist unzulässig.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:8pt;font-family:Arial,sans-serif;color:gray"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8pt;font-family:Arial,sans-serif;color:gray">Please note:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8pt;font-family:Arial,sans-serif;color:gray">This email may contain confidential and/or legally protected information. The contents are exclusively intended for the specified<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8pt;font-family:Arial,sans-serif;color:gray">addressees. If you are not the correct addressee or his representative, please contact the sender of the email. Any<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8pt;font-family:Arial,sans-serif;color:gray">form of publication, duplication or transfer of the contents of misdirected emails is forbidden.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8pt;font-family:Arial,sans-serif;color:gray"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:20pt;font-family:Webdings;color:rgb(121,121,121)">P</span><span style="font-size:15pt;font-family:Webdings;color:rgb(121,121,121)">
</span><span style="font-size:8pt;font-family:Arial,sans-serif;color:rgb(121,121,121)">Bitte prüfen Sie der Umwelt zuliebe, ob der Ausdruck dieser Mail erforderlich ist.</span><span style="font-size:8pt;font-family:Arial,sans-serif;color:rgb(31,78,121)"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
</div>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>