Installation
The following are recommendations for securing TIBCO MFT Internet Server at installation.
Installation User on UNIX
Install as a non-root or unprivileged user. When you want to use ports below 1025, use the UNIX iptables command to redirect these ports to ports 7443 and 7080. See Installation Requirements for more details.
Provide only the necessary rights to update the MFTIS_ Install directory and any directories where *LOCAL data will be saved.
Installation User on Windows
Install as a normal user (non admin). Normal users should be able to use ports below 1024. Provide only the necessary rights to update the MFTIS_ Install directory and any directories where *LOCAL data will be saved.
Securing the JDBC connection
If possible, configure the JDBC driver to use SSL/TLS. Contact your database admin for instructions on how to do this.
Using Secure Ciphers
During the installation procedure, you are prompted to use only secure ciphers. Use the default value of secure ciphers.
This ensures that only secure ciphers will be accepted during SSL negotiation. This applies to the HTTPS connections as well as the FTPS and Platform Server SSL connections.
Admin Service
Do not install the MFT Admin Service on computers located in the DMZ. Only install the MFT Admin Service on computers in the internal network.
HTTPS Certificate
Purchase an HTTPS SSL certificate from a well known certificate authority. The default certificate is a self-signed certificate and will prompt browser users a warning that the certificate is not trusted. When creating a keystore, use a strong password. Do not use the default password.
The MFT Java Applet is now signed with a TIBCO Certificate so that you no do not need to sign the MFT Java Applet.