General Suggestions

Follow these general recommendations to secure TIBCO MFT Command Center.

Java System Security

Use the newest Java JDK that is supported by the product.

Do not use the GNU Java (gcj) that is shipped with some Linux distributions. Use the Oracle Java or IBM Java that is appropriate for your MFT instance.

Setting Cookies to HttpOnly

By default, the HttpOnly attribute is not set on cookies generated by the MFT server. When you enable it, cookies created by the MFT application are marked HttpOnly except where the cookie has to be read by client-side JavaScript; the cookies that remain without HttpOnly carry no security-sensitive or private information.

Set the usehttponly parameter to true in the web.xml file located in the MFTIS_Install/server/conf/catalina/localhost directory.
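As an added check (not part of the TIBCO documentation or product), the Python script below parses the Set-Cookie headers a web application returns and reports session cookies that lack HttpOnly, together with the companion Secure attribute. The header values and the cookie name JSESSIONID are constructed for the example, and the login path /cfcc/ is assumed from the web application directory named on this page; the fetch helper can be pointed at your own Command Center after the change to confirm the attribute is actually emitted.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; not TIBCO MFT code. Cookie names and header values below are
constructed for illustration, and the path /cfcc/ is assumed from the web
application directory name on this page.
"""
import http.client

# Cookies that carry session or authentication state. This set is an
# assumption for the example, not a list taken from the MFT documentation.
SENSITIVE_COOKIES = {"JSESSIONID"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_set_cookie(header, sensitive=SENSITIVE_COOKIES):
    """Return the policy findings for one Set-Cookie header.

    Every cookie should be Secure. Cookies holding session state must also be
    HttpOnly; a session cookie readable by script is the finding that matters.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if name in sensitive and "httponly" not in attrs:
        findings.append("session cookie missing HttpOnly")
    return {"cookie": name, "httponly": "httponly" in attrs,
            "secure": "secure" in attrs, "findings": findings}


def audit_all(headers, sensitive=SENSITIVE_COOKIES):
    """Audit a list of Set-Cookie header values."""
    return [audit_set_cookie(h, sensitive) for h in headers]


def fetch_set_cookie_headers(host, port=443, path="/cfcc/"):
    """Live check: fetch the Set-Cookie headers the login page returns.
    The /cfcc/ path is an assumption taken from the webapps/cfcc directory."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed sample headers: what a server might return before and after
# enabling HttpOnly. Not captured from a real MFT instance.
BEFORE = [
    "JSESSIONID=0123456789ABCDEF; Path=/cfcc; Secure",
    "uiLocale=en_US; Path=/cfcc; Secure",
]
AFTER = [
    "JSESSIONID=0123456789ABCDEF; Path=/cfcc; Secure; HttpOnly",
    "uiLocale=en_US; Path=/cfcc; Secure",   # read by page script; holds no secrets
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        for result in audit_all(headers):
            print(label, result)
```

Run it against the live server with `audit_all(fetch_set_cookie_headers("mft.example.internal"))`; the only cookies that should come back without HttpOnly are ones a page script genuinely reads, and none of those should be the session cookie.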

Configuring the Session Timeout

The session timeout is set to 30 minutes by default, which is suitable for most installations. If you need to lower it, you must change both of the following:
  • The session-timeout parameter in the web.xml file located in the MFTIS_install/server/conf directory
  • The SessionTimeOut parameter in the web.xml file located in the MFTIS_install/webapps/cfcc/WEB-INF directory

Certificate Authentication

MFT supports certificate authentication for the following protocols:

  • Platform Server SSL
  • SFTP
  • FTPS
  • HTTPS

Use certificate authentication whenever possible. It is relatively simple to set up for SFTP, Platform Server and FTPS. It is much more complicated for HTTPS, because the browser's certificate manager must be updated and a certificate selected for the browser. Because of this difficulty, it is good practice not to use certificate authentication for HTTPS.

Two Factor Authentication

MFT supports the RADIUS protocol. Some token providers allow access to their servers through RADIUS. MFT can be configured through the web.xml file to use RADIUS. When RADIUS is turned on, all password validation for the MFT instance is sent to the RADIUS server. You can define users that are excluded from RADIUS password checking; these users are authenticated through standard database or LDAP authentication.
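To show what crosses the wire when password validation is delegated this way, here is an added example (not MFT or token-server code) that builds a RADIUS Access-Request as specified in RFC 2865 and decodes it as the server would. The shared secret, NAS identifier and credentials are constructed values.

```python
"""Build and decode a RADIUS Access-Request (RFC 2865).

Added example of the protocol exchange, not MFT or RADIUS-server code.
The shared secret, NAS identifier and credentials are constructed values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the 16-byte
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    """One attribute TLV: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_id,
                         authenticator=None) -> bytes:
    """What the client (the MFT side) sends: code, identifier, length,
    16-byte random Request Authenticator, then the attribute TLVs."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attribute(ATTR_USER_NAME, username.encode())
             + _attribute(ATTR_USER_PASSWORD,
                          hide_password(password.encode(), secret, authenticator))
             + _attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Parse the fixed header and attribute TLVs, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator = packet[4:20]
    attrs, offset = {}, 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[offset + 2:offset + attr_len])
        offset += attr_len
    return code, identifier, authenticator, attrs


def server_side_credentials(packet: bytes, secret: bytes):
    """What the RADIUS server recovers from an Access-Request."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    username = attrs[ATTR_USER_NAME][0].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD][0], secret, authenticator)
    return username, password.decode()


SECRET = b"constructed-shared-secret"   # constructed value, not a deployment secret

if __name__ == "__main__":
    pkt = build_access_request(7, "alice", "correct horse battery", SECRET, "mft-cc-01")
    print(pkt.hex())
    print(server_side_credentials(pkt, SECRET))
```

The User-Password attribute is hidden by XORing against an MD5 keystream derived from the shared secret and the Request Authenticator, which protects only against casual observation: anyone who captures the traffic and knows or guesses the shared secret recovers the password directly. Use a long, random shared secret, and keep the path between MFT and the RADIUS server on a trusted network or inside a tunnel.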

Users/Passwords

After the product is installed:
  • Change the password for the administrator and for the other predefined users.
  • Disable any predefined users that you do not use.
  • Optional: Configure the time of day and the days of the week during which users can access the system.
  • Optional: Configure an IP address for a user, which restricts that user to logging on to MFT only from that address.
  • Set the System Configuration: Global Settings: Email Template Settings: Login from Different IP Template parameter so that MFT sends an email when a user logs on from a different IP address. MFT saves the last 10 IP addresses that each user logged on from; if the user logs on from an address that is not among them, an email is sent to the user, provided the user is configured with an email address. See the System Configuration help page for more information on this parameter.

Anonymous Access

You must not give anonymous users rights to upload or download sensitive data.

End User Education

  • When the browser offers to save the MFT password, select No.
  • After using MFT, log off and close the browser.
  • Do not use MFT and browse other websites at the same time.

Security

  • For SSH, all partners should use SHA-256, SHA-384 or SHA-512 with keys of 2048 bits or larger.
  • For PGP, all partners should use SHA-256, SHA-384 or SHA-512 with keys of 2048 bits or larger.
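The SSH recommendation can be enforced before a partner's key is loaded. The Python script below is an added example (not part of TIBCO MFT): it parses OpenSSH public key lines, derives the key algorithm and effective size from the wire-format blob, and rejects RSA keys under 2048 bits and ssh-dss keys. The sample lines are constructed placeholders with the right format and bit lengths, not real keys.

```python
"""Audit OpenSSH public keys (authorized_keys / .pub lines) against a minimum
key-size policy.

Added example; not part of TIBCO MFT. The sample keys are constructed
placeholders with the right wire format and bit lengths, not real key pairs.
"""
import base64
import struct

MIN_RSA_BITS = 2048


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH 'mpint' for a positive integer: minimal two's-complement encoding,
    so a leading 0x00 is added when the top bit would otherwise be set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one SSH string at offset; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from("!I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def key_strength(line: str) -> dict:
    """Return type, effective bit length and a pass/fail verdict for one key line.

    Lines of the form '<type> <base64 blob> [comment]' are handled; leading
    authorized_keys options are not."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    inner_type, offset = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type field does not match blob")

    ok, reason = True, ""
    if key_type == "ssh-rsa":
        _e, offset = _read_string(blob, offset)        # public exponent
        n, _ = _read_string(blob, offset)               # modulus
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            ok, reason = False, f"RSA modulus is {bits} bits, policy requires {MIN_RSA_BITS}"
    elif key_type == "ssh-dss":
        p, _ = _read_string(blob, offset)               # DSA prime p
        bits = int.from_bytes(p, "big").bit_length()
        ok, reason = False, "ssh-dss signatures use SHA-1 only; not accepted"
    elif key_type == "ssh-ed25519":
        bits = 256                                      # fixed-size curve
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])  # curve size in the name
    else:
        bits, ok, reason = 0, False, f"unrecognised key type {key_type}"
    return {"type": key_type, "bits": bits, "ok": ok, "reason": reason}


def audit_authorized_keys(text: str) -> list:
    """Run key_strength over every non-blank, non-comment line."""
    return [key_strength(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _constructed_key(key_type: str, *parts: bytes, comment: str) -> str:
    """Assemble a key line from wire-format parts (constructed, not a real key)."""
    blob = _ssh_string(key_type.encode()) + b"".join(parts)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Placeholder moduli with the chosen bit lengths; these are not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample partner keys",
    _constructed_key("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1), comment="partner-a legacy"),
    _constructed_key("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 3071) | 1), comment="partner-b"),
    _constructed_key("ssh-ed25519", _ssh_string(bytes(32)), comment="partner-c"),
    _constructed_key("ssh-dss", _ssh_mpint((1 << 1023) | 1), _ssh_mpint((1 << 159) | 1),
                     _ssh_mpint(2), _ssh_mpint(3), comment="partner-d"),
])

if __name__ == "__main__":
    for result in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(result)
```

The key blob fixes only the algorithm and size. For RSA keys the hash is chosen per connection by the negotiated signature algorithm (rsa-sha2-256 and rsa-sha2-512 for SHA-2, ssh-rsa for SHA-1), so pair this check with a server configuration that does not offer the SHA-1 ssh-rsa signature algorithm.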