3.1 Preinstallation

Before installing LiveCycle, you can apply security solutions to the network layer and operating system. This section describes some issues and makes recommendations for reducing security vulnerabilities in these areas.

Installation and configuration on UNIX and Linux

You should not install or configure LiveCycle using a root shell. By default, files are installed under the /opt directory, and the user who performs the installation needs all file permissions under /opt. Alternatively, an installation can be performed under an individual user’s /user directory where they already have all file permissions.

Installation and configuration on Windows

You should perform the installation on Windows as an administrator if you are installing LiveCycle on JBoss by using the turnkey method or if you are installing PDF Generator. Also, when installing PDF Generator on Windows with native application support, you must run the installation as the same Windows user who installed Microsoft Office. For more information about installation privileges, see the Installing and Deploying LiveCycle document for your application server.

3.1.1 Network layer security

Network security vulnerabilities are among the first threats to any Internet-facing or intranet-facing application server. This section describes the process of hardening hosts on the network against these vulnerabilities. It addresses network segmentation, Transmission Control Protocol/Internet Protocol (TCP/IP) stack hardening, and the use of firewalls for host protection.

The following table describes common processes that reduce network security vulnerabilities.

Issue

Description

Demilitarized zones (DMZs)

Deploy LiveCycle servers within a demilitarized zone (DMZ). Segmentation should exist in at least two levels with the application server used to run LiveCycle placed behind the inner firewall. Separate the external network from the DMZ that contains the web servers, which in turn must be separated from the internal network. Use firewalls to implement the layers of separation. Categorize and control the traffic that passes through each network layer to ensure that only the absolute minimum of required data is allowed.

Private IP addresses

Use Network Address Translation (NAT) with RFC 1918 private IP addresses on LiveCycle application servers. Assign private IP addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) to make it more difficult for an attacker to route traffic to and from a NAT'd internal host through the Internet.

Firewalls

Use the following criteria to select a firewall solution:

  • Implement firewalls that support proxy servers and/or stateful inspection instead of simple packet-filtering solutions.

  • Use a firewall that supports a "deny all services except those explicitly permitted" security paradigm.

  • Implement a firewall solution that is dual-homed or multihomed. This architecture provides the greatest level of security and helps to prevent unauthorized users from bypassing the firewall security.

Database ports

Do not use default listening ports for databases (MySQL - 3306, Oracle - 1521, MS SQL - 1433). For information about changing database ports, see your database documentation.

Using a different database port affects the overall LiveCycle configuration. If you change default ports, you must make corresponding modifications in other areas of configuration, such as the data sources for LiveCycle.

For information about configuring data sources in LiveCycle, see Installing and Deploying LiveCycle or Upgrading to LiveCycle for your application server, at LiveCycle Documentation Set.
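The database port and private address rows above can be checked against the connection strings that data sources use. The following is an added example, not part of the Adobe documentation, that flags a default or omitted database port and a host outside the RFC 1918 ranges. It assumes the data sources are standard JDBC URLs; applying the private-address recommendation to the database host is this example's own assumption, the sample URLs are constructed, and `audit_jdbc_url` and `SAMPLES` are hypothetical names.

```python
import ipaddress
import re

# Default listening ports named in the table above.
DEFAULT_PORTS = {"mysql": 3306, "oracle": 1521, "sqlserver": 1433}

# RFC 1918 ranges named in the table above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# host[:port] extraction for three common JDBC URL shapes (assumed formats).
JDBC_PATTERNS = {
    "mysql": re.compile(r"^jdbc:mysql://([^:/;?]+)(?::(\d+))?"),
    "oracle": re.compile(r"^jdbc:oracle:thin:@(?://)?([^:/]+)(?::(\d+))?"),
    "sqlserver": re.compile(r"^jdbc:sqlserver://([^:;\\]+)(?::(\d+))?"),
}

def audit_jdbc_url(url):
    """Return a list of findings for one data source connection URL."""
    for vendor, pattern in JDBC_PATTERNS.items():
        m = pattern.match(url)
        if m:
            break
    else:
        return ["unrecognized JDBC URL, review manually"]
    host, port = m.group(1), m.group(2)
    findings = []
    # An omitted port means the driver falls back to the vendor default.
    effective = int(port) if port else DEFAULT_PORTS[vendor]
    if effective == DEFAULT_PORTS[vendor]:
        findings.append(f"{vendor} uses default port {effective}")
    try:
        addr = ipaddress.ip_address(host)
        # Assumption of this example: the database host should be private too.
        if not any(addr in net for net in RFC1918):
            findings.append(f"host {addr} is outside RFC 1918 space")
    except ValueError:
        findings.append(f"host {host} is a name, resolve and check its address")
    return findings

# Constructed sample data source URLs (not from any real deployment).
SAMPLES = [
    "jdbc:mysql://10.20.0.15:3306/adobe",
    "jdbc:oracle:thin:@192.168.5.9:15210:LCDB",
    "jdbc:sqlserver://203.0.113.7;databaseName=adobe",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", audit_jdbc_url(url) or "ok")
```

An empty result means the URL passed both checks; a host given as a name is reported for manual resolution rather than looked up, so the script runs offline.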

3.1.2 Operating system security

The following table describes some potential approaches to minimizing security vulnerabilities found in the operating system.

Issue

Description

Security patches

There is an increased risk that an unauthorized user may gain access to the application server if vendor security patches and upgrades are not applied in a timely fashion. Test security patches before you apply them to production servers.

Also, create policies and procedures to check for and install patches on a regular basis.

Virus protection software

Virus scanners can identify infected files by scanning for a signature or watching for unusual behavior. Scanners keep their virus signatures in a file, which is usually stored on the local hard drive. Because new viruses are discovered often, you should frequently update this file for the virus scanner to identify all current viruses.

Network Time Protocol (NTP)

For forensic analysis, keep accurate time on the LiveCycle servers. Use NTP to synchronize the time on all systems that are connected directly to the Internet.

For additional security information for your operating system, see 2.1.1 Operating system security information.
