security measures
Hi guys!
I'm new to Liferay and just set up the latest CE of Liferay.
Before we go "live" with our system I've implemented some security measures.
These I added to the portal-ext.properties file:
# domain name of web server
web.server.host=ourdomain.tld
# http port of web server
web.server.http.port=8080
# https port of web server
web.server.https.port=8443
company.security.auth.requires.https=true
# allow only https traffic
main.servlet.https.required=true
# webserver protocol
web.server.protocol=https
# encryption algorithm
company.encryption.algorithm=AES
company.encryption.key.size=256
# password hashing
passwords.encryption.algorithm=SSHA
As you can see only https traffic is allowed. When people open ourdomain.tld:8080 they will be forwarded automatically to ourdomain.tld:8443.
I'm using a CA signed certificate with 2048-bit length and that's working as well. I've created a keystore for that with the Java keytool.
At this moment I'm implementing a password policy which forces a min. length of 6 characters, min 1 symbol, min 1 capital letter and an expiration of 14 weeks. Users can't use a previous password (memory of last 3 passwords).
I've created a MySQL database which allows local connections only. Passwords are salted.
I think I've enforced some good security measures right now, but do you recommend any more? Tips are welcome!
Tnx in advance.
Greets
Will
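What the SSHA setting and "Passwords are salted" in the post above amount to, as an added example that is not part of the original post and is not Liferay's code. It assumes the conventional LDAP-style SSHA layout, base64(SHA-1(password + salt) + salt), with an 8-byte salt and an optional {SSHA} tag; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 8        # assumption: 8-byte random salt
DIGEST_LEN = 20     # SHA-1 output size in bytes
PREFIX = "{SSHA}"   # LDAP-style scheme tag, accepted but not required on input


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return {SSHA} + base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored value into (digest, salt). The salt is stored in clear."""
    body = stored[len(PREFIX):] if stored.startswith(PREFIX) else stored
    raw = base64.b64decode(body, validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("no salt found after the SHA-1 digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        digest, salt = ssha_split(stored)
    except ValueError:  # also covers malformed base64 (binascii.Error)
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "Examp!e-Passw0rd"          # constructed sample password
    first, second = ssha_hash(pw), ssha_hash(pw)
    print("same password, different stored values:", first != second)
    print("correct password verifies:", ssha_verify(pw, first))
    print("wrong password verifies:", ssha_verify("wrong", first))
```

The salt makes identical passwords hash to different values and defeats precomputed tables, but each guess still costs only one SHA-1 round.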