Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 3 Other Recommendations for Running TIBCO Hawk Securely

This chapter provides some recommendations to secure other aspects of communication when using TIBCO Hawk.
General Security Environment
Hawk Agent(s) and Hawk Console: The operating system account for hosting the Hawk Agent or Hawk Microagent (HMA) and Hawk Console must be a super user account. Specify a strong password for the super user, which is heavily guarded and seldom used.
Hawk Console Users/Clients: TIBCO recommends that the operating system and browsers used for accessing the Hawk Console Web GUI or REST API be properly maintained and secured according to security best practices.
To ensure secure (HTTPS) communication between Hawk Console and the GUI or REST API users, configure a valid X.509 certificate in Hawk Console. The certificate must be signed by a certificate authority (CA) and recognized by the browsers used.
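A pre-deployment check for the certificate requirement above, added here as an example and not taken from the TIBCO documentation. It assumes the Hawk Console certificate and the CA bundle your browsers trust are available as PEM files and that `openssl` 1.1.0 or later is installed; the function name, its arguments and the 30-day expiry margin are illustrative.

```shell
#!/bin/sh
# Added example (not TIBCO code). Usage:
#   check_console_cert CERT_PEM CA_BUNDLE_PEM HOSTNAME [MIN_DAYS]
# Prints one line per failed check and returns 0 only when all checks pass.
check_console_cert() {
    ccc_cert=$1
    ccc_bundle=$2
    ccc_host=$3
    ccc_days=${4:-30}   # assumed safety margin before expiry, in days
    ccc_rc=0

    # 1. The chain must verify against the supplied CA bundle only.
    #    A self-signed or unknown-CA certificate fails here.
    if ! openssl verify -no-CApath -CAfile "$ccc_bundle" "$ccc_cert" \
            >/dev/null 2>&1; then
        echo "FAIL: $ccc_cert is not signed by a CA in $ccc_bundle"
        ccc_rc=1
    fi

    # 2. The certificate must cover the host name users type into the browser.
    #    -checkhost reports the result as text, so match on its output.
    if ! openssl x509 -in "$ccc_cert" -noout -checkhost "$ccc_host" 2>/dev/null \
            | grep -q 'does match certificate'; then
        echo "FAIL: $ccc_cert does not cover host name $ccc_host"
        ccc_rc=1
    fi

    # 3. The certificate must still be valid MIN_DAYS from now.
    #    -checkend exits non-zero if the certificate expires within the window.
    if ! openssl x509 -in "$ccc_cert" -noout \
            -checkend $((ccc_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $ccc_cert expires within $ccc_days days"
        ccc_rc=1
    fi

    return $ccc_rc
}
```

Run it against the PEM file before loading the certificate into Hawk Console; any FAIL line means browsers are likely to show a warning or reject the connection.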
Selection of Passwords
Specify a strong password for the Hawk Console administrator accounts, because administrators perform all the critical operations. Weak administrator account passwords can result in a security breach, causing severe damage and destabilization of the enterprise. The password must ideally consist of a minimum of eight characters, with a mix of uppercase and lowercase characters, numbers, and special characters. In the case of file-based authentication for Hawk Console, use the tibhawkpassword utility to obfuscate the passwords. You can also use LDAP-based authentication for Hawk Console. In LDAP-based authentication, the usernames and passwords are validated against an LDAP directory server.
Data Center Placement
The Hawk architecture assumes all the Hawk components are running on a trusted network, with access only from trusted computers and accounts. Consider the following security and data protection recommendations when deploying your data center (on-premises or on the cloud).
On-premises
When deploying Hawk components to the data center, keep Hawk components behind a firewall. This adds extra layers of security in protecting your data.
On the Cloud
When deploying Hawk components to the virtual data center, keep Hawk components behind a firewall.
Running your Hawk components in the same virtual private cloud (VPC) as your core services provides additional protection and better performance during data collection.
TIBCO recommends that you use TIBCO Hawk® Container Edition instead of deploying TIBCO Hawk on the Cloud.
Backups
You must export all backups (for configurations, rulebases, and so on) to a secure location to ensure quick recovery in case of a failure. Secure backup is necessary due to the sensitive nature of the files (for configurations, rulebases, and so on) that might be restored to production systems for recovery.
