Hi All,
I installed Wildfire 3.1.1 and after some testing our organization decided to go with it for internal instant messaging. Now I need to tidy up the security of the server. Is there any documentation about that? Steps which I have done already:
- changed keystore password. By the way - should I change the Java runtime CACERTS keystore password? If so, do I have to pass this password to the Wildfire server somehow?
- configured SSL with our organization's Certification Authority certificate
Next steps as I see them:
- change password(s) for HSQLDB. We don't want MySQL at this moment
- security changes on the administration web interface - disable HTTP, install our organization's HTTPS certificate, anything else? By the way - what HTTP server is Wildfire using for administration access?
- Anything else?
I investigated security issues a little bit more and here is the updated to-do list:
- change Wildfire keystore password
- configure SSL with your organization's Certification Authority certificate
- configure file system permissions so nobody could get unauthorised access to the Wildfire folder
- change admin password through the web interface - by default it is stored unencrypted on the file system
- disable the unencrypted web administration interface by editing file %Wildfire home folder%/conf/wildfire.xml
- configure the server not to communicate with other Jabber servers
It turned out that a password change for HSQLDB is not necessary - the database is used in standalone mode and can be accessed only through the file system.
One thing I am still not sure about is whether I should change the Java runtime CACERTS keystore password.
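The to-do list above has three items that can be checked from the file system rather than through the admin console: the keystore password, the permissions on the Wildfire folder, and whether the plain-HTTP admin listener is still enabled in conf/wildfire.xml. The following POSIX sh audit is an added example written for this thread, not a script from Wildfire or from the poster. It assumes (not stated in the thread) that the admin console ports live under the `<adminConsole><port>` and `<securePort>` elements of conf/wildfire.xml, that setting `<port>` to -1 disables the HTTP listener, that the server keystore sits at resources/security/keystore under the Wildfire home, and that the stock password to test against is Java's `changeit`; adjust those paths and keys to match the installation.

```shell
#!/bin/sh
# Audit script for the Wildfire hardening checklist (added example, not part of
# Wildfire). Run as:  WILDFIRE_HOME=/opt/wildfire sh audit.sh
# Assumptions: admin console ports are in <adminConsole><port>/<securePort> of
# conf/wildfire.xml, <port>-1</port> disables plain HTTP, and the keystore is
# resources/security/keystore under the home folder.

# Returns 0 if nothing under $1 grants read/write access to group or others.
# Octal masks: 040/020 = group r/w, 004/002 = other r/w.
check_fs_perms() {
  loose=$(find "$1" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print 2>/dev/null)
  if [ -n "$loose" ]; then
    printf 'group/other access granted on:\n%s\n' "$loose"
    return 1
  fi
  return 0
}

# Returns 0 if conf/wildfire.xml under $1 sets the plain-HTTP admin port to -1.
# Only the <port> element inside <adminConsole> is inspected; <securePort> is
# left alone because the HTTPS listener is the one we want to keep.
check_http_admin_disabled() {
  conf="$1/conf/wildfire.xml"
  [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
  port=$(sed -n '/<adminConsole>/,/<\/adminConsole>/p' "$conf" \
         | sed -n 's/.*<port>\([^<]*\)<\/port>.*/\1/p' | head -n 1)
  if [ "$port" = "-1" ]; then
    return 0
  fi
  echo "plain-HTTP admin console still enabled (adminConsole/port=${port:-unset})"
  return 1
}

# Returns 1 if the keystore at $1 is missing or still opens with the stock
# password (default "changeit", Java's well-known default for cacerts).
# Prints a note and returns 0 when keytool is not on PATH, so the check is
# skipped rather than reported as a pass or fail.
check_keystore_password() {
  ks="$1"; stock="${2:-changeit}"
  [ -f "$ks" ] || { echo "no keystore at $ks"; return 1; }
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping keystore password check"
    return 0
  fi
  if keytool -list -keystore "$ks" -storepass "$stock" >/dev/null 2>&1; then
    echo "keystore $ks still opens with the stock password"
    return 1
  fi
  return 0
}

# Runs all checks against a Wildfire home folder; returns 0 only if all pass.
run_audit() {
  home="$1"; status=0
  check_fs_perms "$home"                                        || status=1
  check_http_admin_disabled "$home"                             || status=1
  check_keystore_password "$home/resources/security/keystore"   || status=1
  [ "$status" -eq 0 ] && echo "audit passed for $home" || echo "audit found problems in $home"
  return "$status"
}

# Only run when a home folder is supplied via the environment.
if [ -n "${WILDFIRE_HOME:-}" ]; then
  run_audit "$WILDFIRE_HOME"
fi
```

The permission check is deliberately strict (any group or other bit on any file fails) because the embedded HSQLDB files and the keystore both sit under the home folder; if the service runs under a dedicated account, the whole tree can be owned by that account with mode 700/600 and nothing else needs access.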
The following notes are related to 3.2.0RC. I've not tested 3.1.1.
- The internal HTTP server is Jetty.
- To tighten security of the entire IM network, require SSL communication with the clients. See the Security Settings section of the Admin Console.
- Disable HTTP Binding (3.2.x only)
- Disable External Components (disabled by default)
- Disable STUN Server (disabled by default) (3.2.x only)