Security Settings

Data Store Parameter Security

1Integrate stores all Data Store configuration in the repository, including sensitive parameters, such as database passwords. Sensitive information is encrypted, with two options available:

  • Advanced Encryption Standard (AES)

    This is the standard method of encryption in 1Integrate and will be used as default.

  • AES with a custom key

    This method requires additional configuration. For more see Configuring AES with a custom Key below.

     Note: AES with a custom key is the most secure method of encryption in 1Integrate. Be aware that sensitive information (e.g. passwords) created on a custom key installation will be invalidated if the key is removed or changed. Sensitive information will also only be compatible with other 1Integrate installations configured with the same key.

Configuring AES with a Custom Key

AES with custom key can be configured both at the point of installation or after.

     Note: It is recommended you carry out the implementation of a custom key at the point of installation to avoid invalidating already stored passwords.

ClosedWildFly

  1. Open the settings.properties file for your 1Integrate installation.

  2. Add and set:

    encryption.key=<Input your custom key>

  3. If 1Integrate is running, restart your installation.

ClosedWebLogic

  1. Launch the WebLogic installer

  2. Navigate to the Repository configuration section of the installer.

  3. Enter your custom key in the Datastore Encryption Key parameter.

Configuring HTTPS (WildFly Only)

The following section details how to enable TLS over HTTP (HTTPS).

Requirements

In order to configure HTTPS you will need a:

  • JKS or PKCS12 keystore, containing a private key for the server to use as its identity.

  • The details of the key (alias and password) and the password for the keystore.

ClosedConfiguration

  1. Move your chosen keystore into the WildFly SETTINGS directory.

  2. Add the following and set the required TLS settings in the settings.properties file:

    3. #tls.keystore.filename=
#tls.keystore.password=
#tls.keystore.type=
#tls.key.alias=
#tls.key.password=
#http.enabled=
#https.enabled=
#jboss.bind.address=

    TLS details

    Parameter

    Value

    tls.keystore.filename

    The name of the keystore file (including the extension) you have placed in your SETTINGS directory.

    tls.keystore.password

    The password for the keystore you have placed in your SETTINGS directory.

    tls.keystore.type

    Your keystore type: PKCS12 or JKS.

    tls.key.alias

    The unique identifier for the key you will be using.

    tls.key.password

    The password for the key you will use in the Keystore.

    http.enabled

    Set to false to disable the unsecure HTTP listener.

    https.enabled

    Set to true to enable the HTTPS listener.

    jboss.bind.address

    The address that 1Integrate should listen on, this should match the common name protected by your certificate.

  3. Next time 1Integrate starts, it will only listen on port 8443 over HTTPS. To change the secure port, add and set the HTTPS port:

    #interface.https.port=8443

Hide Stack Trace Reporting

To improve security you may wish to hide the stack trace reporting to users when an error is encountered in 1Integrate.

ClosedDisable report in WildFly

To disable full stack trace reports to users, you will need to enable the hide.stacktrace=true property in the settings.properties file.

hide.stacktrace=true

ClosedDisable Report in weblogic

To disable full stack trace reports to users, within the WebLogic Server Administration Console, include the following in the Server Start Arguments for the interface:

-Dhide.stacktrace=true

Uploaded files

Uploaded files are stored in the folder pointed to by the java.io.tmp environment variable.

For security purposes, we recommend that you use the relevant operating system tool to ensure that 'execute' permissions are removed for this folder.

Zip Bomb Threshold

By default a Zip bomb threshold is set to prevent the uploading of heavily compressed archives to avoid these files destabilising the server.

To change the threshold, add the following lines to the settings.properties file, setting your desired value.

Enable this to allow uploading heavily compressed archives, with a compressed/uncompressed ratio of greater than 1:100. The default value is 0.01.

#filebomb.threshold=0.01