This section describes the protocols and ports that are
required by LiveCycle and provides recommendations for deploying
LiveCycle in a secure network configuration.
3.6.1 LiveCycle physical architecture
This image shows the components and protocols that are
used in a typical LiveCycle deployment, including the appropriate
firewall topology.
When you configure a secure network architecture as described
in the previous section, the following network protocols are required
for interaction between LiveCycle and other systems in your enterprise
network.
| Protocol | Use |
| --- | --- |
| HTTP | Browser displays Configuration Manager and end-user web applications; all SOAP connections |
| SOAP | Web service client applications, such as .NET applications; Adobe Reader® uses SOAP for LiveCycle server web services; Adobe Flash® applications use SOAP for LiveCycle server web services; LiveCycle SDK calls when used in SOAP mode; Workbench design environment |
| RMI | LiveCycle SDK calls when used in Enterprise JavaBeans (EJB) mode |
| IMAP / POP3 | Email-based input to a service (Email endpoint); user task notifications over email |
| UNC File IO | LiveCycle monitoring of watched folders for input to a service (watched folder endpoint) |
| LDAP | Synchronizations of organizational user and group information in a directory; LDAP authentication for interactive users |
| JDBC | Query and procedure calls made to an external database during execution of a process using the JDBC service; internal access to the LiveCycle repository |
| WebDAV | Enables remote browsing of the LiveCycle design-time repository (forms, fragments, and so on) by any WebDAV client |
| AMF | Adobe Flash applications, where LiveCycle server services are configured with a Remoting endpoint (deprecated for AEM forms) |
| JMX | LiveCycle exposes MBeans for monitoring using JMX |
3.6.3 Ports for application servers
This section describes the default ports (and alternate
configuration ranges) for each type of application server supported.
These ports must be enabled or disabled on the inner firewall, depending
on the network functionality you want to allow for clients that
connect to the application server running LiveCycle.
Note: By default, the server exposes several JMX MBeans
under the adobe.com namespace. Only information that is useful for
server health monitoring is exposed. However, to prevent information
disclosure, you should prevent callers in an untrusted network from
looking up JMX MBeans and accessing health metrics.
Port configured for Managed Server, for example 8001
WebLogic administration ports not required for access to LiveCycle
Managed Server listen port: Configurable from 1 to 65534
Managed Server SSL listen port: Configurable from 1 to 65534
Node Manager listen port: default is 5556
WebSphere 6.1 ports
For information about WebSphere 6.1 ports that
LiveCycle requires, go to Port number settings in WebSphere Application
Server versions.
WebSphere 7.0 ports
For information about WebSphere 7.0 ports that
LiveCycle requires, go to http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.migration.express.doc/info/exp/ae/rmig_portnumber.html.
3.6.4 Configuring SSL
Referring to the physical architecture that is described
in the section 3.6.1 LiveCycle physical architecture, you should configure SSL for all of the connections
that you plan to use. Specifically, all SOAP connections must be
conducted over SSL to prevent exposure of user credentials on a
network.
For instructions on how to configure SSL on JBoss, WebLogic,
and WebSphere, see “Configuring SSL” in the LiveCycle Administration Help.
3.6.5 Configuring SSL redirect
After you configure your application server to support
SSL, you must ensure that all HTTP traffic to LiveCycle applications
and services is forced to use the SSL port.
To configure SSL redirect for WebSphere or WebLogic, see your
application server documentation.
Navigate to the adobe-livecycle-jboss.ear and unzip it.
Extract the adminui.war file and open the web.xml file for
editing.
Add the following code to the web.xml file:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>app or resource name</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- define all url patterns that need to be protected -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
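
To verify the edited web.xml before repackaging the EAR, the following check (an added example, not part of the LiveCycle documentation) confirms that a CONFIDENTIAL constraint covers `/*`. It also reports when the constraint lists `http-method` elements, because under the Servlet specification such a constraint applies only to the listed methods. The function names and the embedded sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from this page inside a minimal web.xml.
PAGE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app or resource name</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop the XML namespace prefix, e.g. '{ns}web-app' -> 'web-app'."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    """Stripped text of every descendant element with the given local name."""
    return [e.text.strip() for e in elem.iter() if local(e.tag) == name and e.text]

def audit_ssl_redirect(web_xml_text):
    """Return findings; an empty list means /* is CONFIDENTIAL for all methods."""
    root = ET.fromstring(web_xml_text)
    all_methods, listed = False, set()
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        if "CONFIDENTIAL" not in texts(sc, "transport-guarantee"):
            continue  # this constraint does not force the SSL port
        for wrc in sc.iter():
            if local(wrc.tag) == "web-resource-collection" and "/*" in texts(wrc, "url-pattern"):
                methods = texts(wrc, "http-method")
                if methods:
                    listed.update(methods)   # constraint limited to these methods
                else:
                    all_methods = True       # no method list: every method covered
    if all_methods:
        return []
    if listed:
        return ["/* is CONFIDENTIAL only for " + ", ".join(sorted(listed))
                + "; requests using other HTTP methods are not covered"]
    return ["no CONFIDENTIAL transport-guarantee covers /*"]

if __name__ == "__main__":
    for finding in audit_ssl_redirect(PAGE_WEB_XML):
        print(finding)
```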