<div dir="ltr"><div>As midpoint lacks two-factor authentication, we also put midpoint behind an authentication proxy that enforces two-factor authentication.<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 25, 2019 at 10:49 AM Radovan Semancik <<a href="mailto:radovan.semancik@evolveum.com">radovan.semancik@evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF">
    <div>Hi,<br>
      <br>
      There is a security guide for midPoint. That may be a good
      starting point:<br>
      <br>
      <a href="https://wiki.evolveum.com/display/midPoint/Security+Guide" target="_blank">https://wiki.evolveum.com/display/midPoint/Security+Guide</a><br>
      <br>
      <br>
      <pre cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
      <br>
      <br>
      On 9/25/19 12:36 PM, LOEW, Simon, SHS-INFRA IT-TS wrote:<br>
    </div>
    <blockquote type="cite">
      
      
      
      <div>
        <p class="MsoNormal">Hi midpoint community,</p>
        <p class="MsoNormal" lang="EN-GB">we are currently looking into hardening the security of our midpoint deployment. Is there anything special in the midpoint configuration that should be reviewed? Maybe there is a hardening guideline available?</p>
        <p class="MsoNormal" lang="EN-GB">Here are some basic points that we have already thought of ourselves:</p>
        <ul lang="EN-GB">
          <li>Most recent OS, midpoint, java and DB version</li>
          <li>Encryption of connections (https, database, resources)</li>
          <li>Changing default users and passwords</li>
          <li>Restricting access to the servers running midpoint and DB</li>
          <li>Checking for open ports</li>
          <li>Hiding tomcat behind a webserver and setting some anti XSS etc. headers</li>
        </ul>
        <p class="MsoNormal" lang="EN-GB">I know this is a wide field, but maybe you have other best practices that could be adopted.</p>
        <p class="MsoNormal" lang="EN-GB">Kind regards</p>
        <p class="MsoNormal"><b>Simon Loew</b></p>
        <p class="MsoNormal" style="break-after:avoid"><b>SHS Infrastruktur GmbH</b></p>
        <p class="MsoNormal">SHS Infrastruktur GmbH, Werkstraße 1, 66763 Dillingen/Saar<br>
            Registered office: Dillingen/Saar<br>
            Court of registration: Amtsgericht Saarbrücken HRB 103641<br>
            Managing director: Michael Marion</p>
        <p class="MsoNormal" lang="EN-US">Disclaimer:</p>
        <p class="MsoNormal" lang="EN-US">As you are aware, e-mails sent via the internet can be received or manipulated by third parties. For this reason we do not send legally binding declarations via the internet.</p>
        <p class="MsoNormal" lang="EN-US">Please note:</p>
        <p class="MsoNormal" lang="EN-US">This email may contain confidential and/or legally protected information. The contents are exclusively intended for the specified addressees. If you are not the correct addressee or his representative, please contact the sender of the email. Any form of publication, duplication or transfer of the contents of misdirected emails is forbidden.</p>
        <p class="MsoNormal">For the sake of the environment, please check whether printing this e-mail is necessary.</p>
      </div>
      <br>
      <fieldset></fieldset>
      <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </div>

</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Alexandre R Zia<br><b>Security</b><br><a href="https://www.ifood.com.br/" target="_blank">www.ifood.com.br</a></div></div></div></div>
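<p>The thread lists "hiding tomcat behind a webserver and setting some anti XSS etc. headers" as a hardening step. The script below is an added example, not code from the thread, from midPoint or from Evolveum: it audits a captured set of HTTP response headers against a small baseline (HSTS, content-type sniffing, framing protection, CSP, Referrer-Policy, session-cookie flags, and a Server banner that would reveal the Tomcat backend). The header values, the <code>SAMPLE_HEADERS</code> / <code>HARDENED_HEADERS</code> dictionaries and the baseline thresholds are this example's own constructed assumptions, not midPoint requirements; <code>fetch_headers</code> is an optional helper for running the same audit against a live proxy.</p>

```python
"""Added example (not from the mailing-list thread): audit the response headers
that a reverse proxy in front of midPoint/Tomcat should set.

All header values below are constructed sample data, and the baseline is this
example's own opinion, not a midPoint requirement.
"""
from __future__ import annotations

import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age this example insists on

# Constructed sample: what a freshly proxied Tomcat might return (lower-cased keys).
SAMPLE_HEADERS: Dict[str, str] = {
    "server": "Apache-Coyote/1.1",               # leaks the Tomcat connector
    "strict-transport-security": "max-age=300",  # HSTS present but far too short
    "x-content-type-options": "nosniff",
    "set-cookie": "JSESSIONID=abc123; Path=/midpoint; HttpOnly",  # no Secure flag
}

# Constructed sample: the same endpoint after the proxy has been configured.
HARDENED_HEADERS: Dict[str, str] = {
    "server": "nginx",
    "strict-transport-security": "max-age=63072000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "referrer-policy": "strict-origin-when-cross-origin",
    "set-cookie": "JSESSIONID=abc123; Path=/midpoint; Secure; HttpOnly; SameSite=Lax",
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Transport: HSTS must be present with at least a one-year max-age.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is below one year")

    # MIME sniffing and framing (clickjacking) protections.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    if not csp:
        findings.append("missing Content-Security-Policy")

    # Referrer leakage to third-party sites.
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # Session cookie flags (attributes after the first ';').
    cookie = h.get("set-cookie", "")
    if cookie:
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append("session cookie lacks Secure flag")
        if "httponly" not in flags:
            findings.append("session cookie lacks HttpOnly flag")

    # Fingerprinting: the proxy should not pass through the Tomcat banner or a version.
    server = h.get("server", "")
    if re.search(r"tomcat|coyote", server, re.IGNORECASE) or re.search(r"\d", server):
        findings.append(f"Server header reveals backend/version: {server!r}")

    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live headers with a HEAD request (optional; not used offline).

    Note: dict() keeps only the last of repeated headers such as Set-Cookie.
    """
    import urllib.error
    import urllib.request

    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # a 302/401 from the login page still carries headers
        return dict(err.headers.items())


if __name__ == "__main__":
    for name, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = audit_headers(hdrs)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

<p>Run it as-is to see the constructed "before" set produce six findings and the hardened set produce none; to audit a real deployment, pass <code>fetch_headers("https://your-proxy.example/midpoint/")</code> (placeholder URL) to <code>audit_headers</code>. The check deliberately does not look for <code>X-XSS-Protection</code>, since modern browsers ignore it and a Content-Security-Policy is the header that actually limits script injection.</p>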