Web.xml Parameters
The following are recommendations to secure TIBCO MFT Internet Server using the web.xml parameters.
admincc-service-enabled
This parameter enables the Command Center Admin REST API calls. The default value is True. Only Command Center supports "admincc" calls. The Command Center Admin (admincc) REST API calls can be used only if this parameter is set to True.
admin-service-enabled
This parameter enables the Admin REST API calls. The default value is True. Both Command Center and Internet Server (if the Admin server is enabled) support "admin" calls. The Admin (admin) REST API calls can be used only if this parameter is set to True.
ft-service-enabled
This parameter enables the file transfer REST API calls. The default value is True. Only Internet Server supports "ft" calls. The file transfer (ft) REST API calls can be used only if this parameter is set to True.
TLSCipherSuite
This parameter defines the ciphers used by MFT in any SSL/TLS connection. If you select Use Secure Ciphers Only during installation, this parameter is filled in with secure ciphers.
When the FTP service is started, it displays all secure ciphers allowed. You can select any ciphers from this list to be added to this parameter. Multiple ciphers should be delimited with a comma. This parameter applies to FTPS (FTP over SSL) and Platform Server SSL connections only. HTTPS connections use the ciphers parameter in server.xml instead.
TLSProtocols
This parameter allows you to define the TLS protocols that will be supported by FTPS and Platform Server SSL. The valid values are: TLSv1, TLSv1.1, and TLSv1.2.
By default, any TLS protocol is allowed. Before changing this parameter, make sure that all FTPS and Platform Server clients and servers support the defined TLS protocol. This parameter applies to FTPS (FTP over SSL) and Platform Server SSL connections only. HTTPS connections use the SSLEnabledProtocols parameter in server.xml instead.
SSHCipherSuite
This parameter allows you to define the ciphers supported by the MFT SFTP client and servers. When the MFT SFTP service is started, it displays all SSH ciphers allowed. You can select the ciphers that you want to support. Multiple ciphers should be delimited with a comma.
SSHKeyExchange
This parameter allows you to define the SSH key exchange algorithms supported by the MFT SFTP client and servers. When the MFT SFTP service is started, it displays all SSH key exchange algorithms allowed. You can select the key exchange algorithms that you want to support. Multiple key exchange algorithms should be delimited with a comma.
SSHDigestSuite
This parameter allows you to define the digest (hash) suites supported by the MFT SFTP client and servers. When the MFT SFTP service is started, it displays all SSH digests allowed. You can select the digests that you want to support. Multiple digests should be delimited with a comma.
PasswordHashNew
This parameter allows you to define the password digest used by MFT. You should use the defined value SHA=256.
UnsecuredHTTPSupport
The default value No disables HTTP support, so only HTTPS is accepted. Set this value to Yes only if you require HTTP support.
AllowedReferersForXferNavigation
This parameter adds HTTP referrer checking to the JSP pages that are used to navigate the directory tree structure. In addition to the URL, you should also add the loopback address. This parameter is defined in the web.xml file. This parameter only needs to be set in TIBCO MFT Internet Server instances. It is ignored in Command Center.
AllowedReferersAdminJSP
This parameter adds HTTP referrer checking to the admin JSP pages. In addition to the URL, you should also add the loopback address. This parameter only needs to be set in Command Center instances and in TIBCO MFT Internet Server instances where the admin service is installed.
DisplayFTPBanner
This parameter defines whether MFT displays FTP and SFTP banners. If this parameter is set to Yes, the admin Configure SSH Server and Configure FTP Server pages allow you to define the banner or welcome message displayed.
Anonymous
This parameter allows you to define whether the user anonymous can log in without password authentication. If you enter the value anonymous in this parameter, you must also create a user called anonymous. Since the password is not validated, you should not give the user anonymous access to any secure files or folders.
Redirect HTTP to HTTPS
Uncomment the following element in the web.xml file. This automatically redirects HTTP requests to the HTTPS port.
<!--
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
-->
SecurityFilter
This parameter helps to prevent framing and Clickjacking attacks. It indicates whether or not a browser should be allowed to render a page in a frame, iframe or object.
The value SAMEORIGIN will allow the browser to use the page in a frame as long as the server including it in a frame is the same as the one serving the page. By setting SecurityFilter to DENY, all attempts to load the page in a frame will fail. The default is SAMEORIGIN.
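As an added example (not part of the TIBCO documentation), the following Python script audits a web.xml against the recommendations above. It assumes the MFT parameters are stored as standard context-param entries and that the loopback address appears as 127.0.0.1, localhost or ::1; the sample web.xml is constructed with deliberately weak values, and treating TLSv1 and TLSv1.1 as legacy is the script's own policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml with deliberately weak values. It assumes the MFT
# parameters are standard <context-param> entries (an assumption, not product code).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>UnsecuredHTTPSupport</param-name><param-value>Yes</param-value></context-param>
  <context-param><param-name>TLSProtocols</param-name><param-value>TLSv1,TLSv1.2</param-value></context-param>
  <context-param><param-name>SecurityFilter</param-name><param-value>ALLOWALL</param-value></context-param>
  <context-param><param-name>AllowedReferersAdminJSP</param-name><param-value>https://mft.example.test</param-value></context-param>
  <context-param><param-name>Anonymous</param-name><param-value>anonymous</param-value></context-param>
</web-app>
"""

def load_params(xml_text):
    """Return {param-name: param-value} for every context-param, with or without a namespace."""
    params = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "context-param":
            continue
        name = value = None
        for child in elem:
            local = child.tag.split("}")[-1]
            if local == "param-name":
                name = (child.text or "").strip()
            elif local == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params

def audit(params):
    """Compare the parameters against the recommendations; an empty list means no findings."""
    findings = []
    if params.get("UnsecuredHTTPSupport", "No").lower() != "no":
        findings.append("UnsecuredHTTPSupport: plain HTTP is accepted; set to No unless required")
    protos = {p.strip() for p in params.get("TLSProtocols", "").split(",") if p.strip()}
    legacy = protos & {"TLSv1", "TLSv1.1"}
    if not protos or legacy:  # an empty value means every TLS version is allowed
        findings.append("TLSProtocols: legacy protocols allowed (%s); restrict to TLSv1.2"
                        % (", ".join(sorted(legacy)) or "unrestricted"))
    if params.get("SecurityFilter", "SAMEORIGIN") not in ("SAMEORIGIN", "DENY"):
        findings.append("SecurityFilter: value must be SAMEORIGIN or DENY to block framing")
    for key in ("AllowedReferersForXferNavigation", "AllowedReferersAdminJSP"):
        if key in params and not any(lb in params[key] for lb in ("127.0.0.1", "localhost", "::1")):
            findings.append(key + ": loopback address missing from the referrer list")
    if params.get("Anonymous"):
        findings.append("Anonymous: password-less anonymous login enabled; keep that user away from secure folders")
    return findings
```

Running audit(load_params(SAMPLE_WEB_XML)) returns five findings for the constructed sample; a file that sets UnsecuredHTTPSupport to No, TLSProtocols to TLSv1.2 and SecurityFilter to DENY returns none.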