3.6 Secure network configuration

This section describes the protocols and ports that are required by LiveCycle and provides recommendations for deploying LiveCycle in a secure network configuration.

3.6.1 LiveCycle physical architecture

[Figure not reproduced here: the components and protocols used in a typical LiveCycle deployment, including the appropriate firewall topology.]

3.6.2 Network protocols used by LiveCycle

When you configure a secure network architecture as described in the previous section, the following network protocols are required for interaction between LiveCycle and other systems in your enterprise network.

Protocol: Use

HTTP
  • Browser displays Configuration Manager and end-user web applications
  • All SOAP connections

SOAP
  • Web service client applications, such as .NET applications
  • Adobe Reader® uses SOAP for LiveCycle server web services
  • Adobe Flash® applications use SOAP for LiveCycle server web services
  • LiveCycle SDK calls when used in SOAP mode
  • Workbench design environment

RMI
  • LiveCycle SDK calls when used in Enterprise JavaBeans (EJB) mode

IMAP / POP3
  • Email-based input to a service (Email endpoint)
  • User task notifications over email

UNC File IO
  • LiveCycle monitoring of watched folders for input to a service (watched folder endpoint)

LDAP
  • Synchronization of organizational user and group information in a directory
  • LDAP authentication for interactive users

JDBC
  • Query and procedure calls made to an external database during execution of a process using the JDBC service
  • Internal access to the LiveCycle repository

WebDAV
  • Remote browsing of the LiveCycle design-time repository (forms, fragments, and so on) by any WebDAV client

AMF
  • Adobe Flash applications, where LiveCycle server services are configured with a Remoting endpoint

JMX
  • LiveCycle exposes MBeans for monitoring using JMX

3.6.3 Ports for application servers

This section describes the default ports (and alternate configuration ranges) for each type of application server supported. These ports must be enabled or disabled on the inner firewall, depending on the network functionality you want to allow for clients that connect to the application server running LiveCycle.

Note: By default, the server exposes several JMX MBeans under the adobe.com namespace. Only information that is useful for server health monitoring is exposed. However, to prevent information disclosure, you should prevent callers in an untrusted network from looking up JMX MBeans and accessing health metrics.

JBoss ports

Purpose: Port (and the configuration file that sets it)

Access to web applications
  [JBoss root]/server/all/deploy/jbossweb-tomcat50.sar/server.xml
  • HTTP/1.1 Connector port 8080
  • AJP 1.3 Connector port 8009
  • SSL/TLS Connector port 8443

Access to LiveCycle server services
  [JBoss root]/server/all/conf/jboss-service.xml
  • WebService port 8083
  • NamingService Port 1099
  • RMIport from 1098
  • RMIObjectPort from 4444
  • PooledInvoker ServerBindPort 4445

J2EE cluster support
  [JBoss root]/server/all/deploy/cluster-service.xml
  • ha.jndi.HANamingService port from 1100
  • RmiPort 1101
  • RMIObjectPort 4447
  • ServerBindPort 4446 (clusters only)

CORBA support
  [JBoss root]/server/all/conf/jacorb.properties
  • OAPort 3528
  • OASSLPort 3529

SNMP support
  [JBoss root]/server/all/deploy/snmp-adaptor.sar/META-INF/jboss-service.xml
  • ports 1161, 1162
  [JBoss root]/server/all/deploy/snmp-adaptor.sar/managers.xml
  • port 1162

WebLogic ports

Purpose: Port

Access to web applications

  • Admin Server listen port: default is 7001

  • Admin Server SSL listen port: default is 7002

  • Port configured for Managed Server, for example 8001

WebLogic administration ports not required for access to LiveCycle

  • Managed Server listen port: Configurable from 1 to 65534

  • Managed Server SSL listen port: Configurable from 1 to 65534

  • Node Manager listen port: default is 5556

WebSphere 6.1 ports

For information about the WebSphere 6.1 ports that LiveCycle requires, see “Port number settings in WebSphere Application Server versions” in the WebSphere documentation.

WebSphere 7.0 ports

For information about WebSphere 7.0 ports that LiveCycle requires, go to http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.migration.express.doc/info/exp/ae/rmig_portnumber.html.

3.6.4 Configuring SSL

For the physical architecture described in 3.6.1 LiveCycle physical architecture, configure SSL for all of the connections that you plan to use. In particular, all SOAP connections must be conducted over SSL so that user credentials are not exposed on the network.

For instructions on how to configure SSL on JBoss, WebLogic, and WebSphere, see “Configuring SSL” in the LiveCycle Administration Help.

3.6.5 Configuring SSL redirect

After you configure your application server to support SSL, ensure that all HTTP traffic to LiveCycle applications and services is redirected to the SSL port.

To configure SSL redirect for WebSphere or WebLogic, see your application server documentation. For JBoss, follow these steps:

  1. Navigate to the adobe-livecycle-jboss.ear and unzip it.

  2. Extract the adminui.war file and open the web.xml file for editing.

  3. Add the following code to the web.xml file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>app or resource name</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- define all url patterns that need to be protected -->
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
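As an added example (not part of the Adobe guide), a small Python audit that reads a web.xml and reports security constraints that would still leave requests on the non-SSL port: URL patterns whose transport-guarantee is not CONFIDENTIAL, and constraints that list http-methods, because the Servlet specification applies such a constraint only to the listed methods and covers every method only when none are listed. The sample descriptor is constructed here and mirrors the constraint above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from a LiveCycle archive. It is the constraint this guide
# adds to adminui.war, with the method list the guide's snippet carries.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminui</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(web_xml):
    """One dict per security-constraint; a constraint without user-data-constraint
    reports NONE. Tags are matched by local name so namespaced descriptors parse."""
    out = []
    for sc in ET.fromstring(web_xml):
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        c = {"patterns": [], "methods": [], "guarantee": "NONE"}
        for el in sc.iter():
            name, text = el.tag.rsplit("}", 1)[-1], (el.text or "").strip()
            if name == "url-pattern":
                c["patterns"].append(text)
            elif name == "http-method":
                c["methods"].append(text.upper())
            elif name == "transport-guarantee":
                c["guarantee"] = text.upper() or "NONE"
        out.append(c)
    return out


def audit(web_xml):
    """Findings to resolve before relying on the HTTP-to-SSL redirect: a pattern not
    CONFIDENTIAL, or one guarded only for listed methods (empty list = all methods)."""
    findings = []
    for c in parse_constraints(web_xml):
        for p in c["patterns"]:
            if c["guarantee"] != "CONFIDENTIAL":
                findings.append(f"{p}: not forced to TLS ({c['guarantee']})")
            elif c["methods"]:
                findings.append(f"{p}: TLS forced only for {','.join(c['methods'])}")
    return findings
```

Running audit() over the extracted WEB-INF/web.xml of each deployed WAR gives a quick check that the redirect really covers every method and path before the inner firewall is opened to clients.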
