3.6 Secure network configuration

This section describes the protocols and ports that are required by LiveCycle and provides recommendations for deploying LiveCycle in a secure network configuration.

    3.6.1 LiveCycle physical architecture

    This image shows the components and protocols that are used in a typical LiveCycle deployment, including the appropriate firewall topology.

    View full size graphic

    3.6.2 Network protocols used by LiveCycle

    When you configure a secure network architecture as described in the previous section, the following network protocols are required for interaction between LiveCycle and other systems in your enterprise network.

    Protocol

    Use

    HTTP

    • Browser displays Configuration Manager and end-user web applications

    • All SOAP connections

    SOAP

    • Web service client applications, such as .NET applications

    • Adobe Reader® uses SOAP for LiveCycle server web services

    • Adobe Flash® applications uses SOAP for LiveCycle server web services

    • LiveCycle SDK calls when used in SOAP mode

    • Workbench design environment

    RMI

    LiveCycle SDK calls when used in Enterprise JavaBeans (EJB) mode

    IMAP / POP3

    • Email-based input to a service (Email endpoint)

    • User task notifications over email

    UNC File IO

    LiveCycle monitoring of watched folders for input to a service (watched folder endpoint)

    LDAP

    • Synchronizations of organizational user and group information in a directory

    • LDAP authentication for interactive users

    JDBC

    • Query and procedure calls made to an external database during execution of a process using the JDBC service

    • Internal access LiveCycle repository

    WebDAV

    Enables remote browsing of the LiveCycle design-time repository (forms, fragments, and so on) by any WebDAV client

    AMF

    Adobe Flash applications, where LiveCycle server services are configured with a Remoting endpoint

    JMX

    LiveCycle exposes MBeans for monitoring using JMX

    3.6.3 Ports for application servers

    This section describes the default ports (and alternate configuration ranges) for each type of application server supported. These ports must be enabled or disabled on the inner firewall, depending on the network functionality you want to allow for clients that connect to the application server running LiveCycle.

    Note: By default, the server exposes several JMX MBeans under the adobe.com namespace. Only information that is useful for server health monitoring is exposed. However, to prevent information disclosure, you should prevent callers in an untrusted network from looking up JMX MBeans and accessing health metrics.

    JBoss ports

    Purpose

    Port

    Access to web applications

    [JBoss root]/server/all/deploy/jbossweb-tomcat50.sar/server.xml

    HTTP/1.1 Connector port 8080

    AJP 1.3 Connector port 8009

    SSL/TLS Connector port 8443

    Access to LiveCycle server services

    [JBoss root]/server/all/conf/jboss-service.xml

    WebService port 8083

    NamingService Port 1099

    RMIport from 1098

    RMIObjectPort from 4444

    PooledInvoker ServerBindPort 4445

    J2EE cluster support

    [JBoss root]/server/all/deploy/cluster-service.xml

    ha.jndi.HANamingService port from 1100

    RmiPort 1101

    RMIObjectPort 4447

    (clusters only) ServerBindPort 4446

    CORBA support

    [JBoss root]/server/all/conf/jacorb.properties

    OAPort 3528

    OASSLPort 3529

    SNMP support

    [JBoss root]/server/all/deploy/snmp-adaptor.sar/META-INF/jbossservice. xml

    ports 1161, 1162

    [JBoss root]/server/all/deploy/snmp-adaptor.sar/managers.xml

    port 1162

    WebLogic ports

    Purpose

    Port

    Access to web applications

    • Admin Server listen port: default is 7001

    • Admin Server SSL listen port: default is 7002

    • Port configured for Managed Server, for example 8001

    WebLogic administration ports not required for access to LiveCycle

    • Managed Server listen port: Configurable from 1 to 65534

    • Managed Server SSL listen port: Configurable from 1 to 65534

    • Node Manager listen port: default is 5556

    WebSphere 6.1 ports

    For information about WebSphere 6.1ports that LiveCycle requires, go to Port number settings in WebSphere Application Server versions.

    WebSphere 7.0 ports

    For information about WebSphere 7.0 ports that LiveCycle requires, go to http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.migration.express.doc/info/exp/ae/rmig_portnumber.html.

    3.6.4 Configuring SSL

    Referring to the physical architecture that is described in the section 3.6.1 LiveCycle physical architecture, you should configure SSL for all of the connections that you plan to use. Specifically, all SOAP connections must be conducted over SSL to prevent exposure of user credentials on a network.

    For instructions on how to configure SSL on JBoss, WebLogic, and WebSphere, see “Configuring SSL” in the LiveCycle Administration Help.

    3.6.5 Configuring SSL redirect

    After you configure your application server to support SSL, you must ensure that all HTTP traffic to LiveCycle applications and services are enforced to use the SSL port.

    To configure SSL redirect for WebSphere or WebLogic, see your application server documentation.

    1. Navigate to the adobe-livecycle-jboss.ear and unzip it.

    2. Extract the adminui.war file and open the web.xml file for editing.

    3. Add the following code to the web.xml file:

    <security-constraint> 
    <web-resource-collection> 
        <web-resource-name>app or resource name</web-resource-name> 
        <url-pattern>/*</url-pattern> 
        <!-- define all url patterns that need to be protected--> 
        <http-method>GET</http-method> 
        <http-method>POST</http-method> 
    </web-resource-collection> 
    <user-data-constraint> 
        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
    </user-data-constraint> 
</security-constraint>

    // Ethnio survey code removed