General Suggestions

Follow these general suggestions for securing TIBCO MFT Internet Server.

JAVA System Security

Use the newest Java JDK that is supported by the product. Do not use the GNU Java that is shipped with some Linux instances. Use the Oracle or IBM Java that is appropriate for your MFT instance.

Setting Cookies to HTTPOnly

By default, HTTPOnly is not set for MFT server generated cookies. Cookies created by the MFT application are set to HTTPOnly only when the cookie is not used by client-side JavaScript code. Cookies that do not specify HTTPOnly contain no security-sensitive or private information.

Locate the usehttponly parameter in the following file:

MFTIS_Install/server/conf/catalina/localhost/web.xml

Set usehttponly="true".
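After enabling the setting, confirm from the client side that the cookies the server actually returns carry the flags you expect. The following script is an added illustration and is not TIBCO MFT code: it parses Set-Cookie header values and reports any cookie missing HttpOnly (unless it is on an explicit list of cookies that client-side script is allowed to read) or missing Secure. The header lines and cookie names in it are constructed samples, not real MFT cookie names.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added illustration, not TIBCO MFT code. SAMPLE_HEADERS below are
constructed examples of what an HTTPS server might return.
"""
from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str
    http_only: bool
    secure: bool


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value: 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # attribute names are case-insensitive per RFC 6265
    flags = {p.lower() for p in parts[1:]}
    return CookieReport(name=name, http_only="httponly" in flags, secure="secure" in flags)


def audit_cookies(headers, allow_script_access=()):
    """Return a list of findings, one string per missing flag.

    allow_script_access: cookie names that legitimately need to be readable by
    client-side JavaScript and therefore may omit HttpOnly.
    """
    findings = []
    for raw in headers:
        cookie = parse_set_cookie(raw)
        if not cookie.http_only and cookie.name not in allow_script_access:
            findings.append(f"{cookie.name}: missing HttpOnly")
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure")
    return findings


# Constructed sample headers (not captured from a real MFT server).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/cfcc; Secure; HttpOnly",
    "MFT_UI_PREF=grid; Path=/cfcc; Secure",   # hypothetical script-readable cookie
    "TRACKER=42; Path=/",                     # hypothetical cookie with no flags
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS, allow_script_access={"MFT_UI_PREF"}):
        print(finding)
```

In practice the header list comes from the HTTPS response to a login request (for example, `response.headers.get_all("Set-Cookie")` on an `http.client` response); the audit logic itself is the same.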

Configuring the Session Timeout

The session timeout is set to 30 minutes by default. This is appropriate for most installations. If you need to change it, you must make the following two changes:

  • The session-timeout parameter in MFTIS_install/server/conf/web.xml
  • The SessionTimeOut parameter in MFTIS_install/webapps/cfcc/WEB-INF/web.xml

Certificate Authentication

MFT supports certificate authentication for the following protocols:

  • Platform Server SSL
  • SFTP
  • FTPS
  • HTTPS

Whenever possible, use Certificate Authentication. Certificate Authentication is relatively simple to set up on SFTP, Platform Server and FTPS.

It is much more complicated on HTTPS, because you need to update the certificate manager and select a certificate for the browser. Because of the difficulty of implementing HTTPS certificate authentication, we do not recommend using it.

Two Factor Authentication

MFT supports the RADIUS protocol. Some token providers allow access to their servers through the RADIUS protocol. MFT can be configured through the web.xml file to support RADIUS. When RADIUS is turned on, every password validation that the MFT instance performs is sent to the RADIUS server.

You can define users that are excluded from RADIUS password checking; these users are authenticated through standard DB or LDAP authentication.
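Because every password validation is forwarded to the RADIUS server, it helps to know exactly what crosses the wire. The following script is an added illustration and is not TIBCO MFT code; it implements the RFC 2865 Access-Request/Access-Accept exchange for PAP: the User-Password attribute is hidden by XORing it with MD5(shared secret + Request Authenticator) block by block, and the server's reply is bound to the request only by MD5 over the reply plus the shared secret. The shared secret, user name and password are constructed samples.

```python
"""RFC 2865 Access-Request / Access-Accept handling for PAP.

Added illustration, not TIBCO MFT code. The shared secret, user name and
password used here are constructed samples.
"""
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a PAP password per RFC 2865 section 5.2: XOR each 16-byte block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n bytes
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server computes."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """20-byte RADIUS header (Code, Identifier, Length, Authenticator) + attributes."""
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs


def access_request(ident, username, password, secret, request_authenticator=None):
    """Build the Access-Request a RADIUS client such as MFT would send."""
    ra = request_authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return packet(ACCESS_REQUEST, ident, ra, attrs), ra


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(head + request_authenticator + attrs + secret).digest()


def access_accept(ident, request_authenticator, secret, attrs=b""):
    """Build the server's Access-Accept for the given request."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_authenticator, secret)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)


def reply_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced with the shared secret for
    this exact request; this is the only integrity protection RADIUS provides."""
    code, ident, attrs = reply[0], reply[1], reply[20:]
    expected = response_authenticator(code, ident, attrs, request_authenticator, secret)
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    req, ra = access_request(7, b"alice", b"constructed-pw", SECRET)
    hidden = req[20 + 7 + 2:]  # skip header, User-Name attribute, User-Password TL bytes
    print("server recovers:", reveal_password(hidden, SECRET, ra))
    reply = access_accept(7, ra, SECRET)
    print("reply authentic:", reply_is_authentic(reply, ra, SECRET))
    print("with wrong secret:", reply_is_authentic(reply, ra, b"other"))
```

The point the code makes is that both the hiding of the password and the authenticity of the Access-Accept rest entirely on the shared secret and on MD5, so the secret should be long and random and the path between MFT and the RADIUS server should be a trusted network segment.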

Users/Passwords

  • As soon as the product is installed, change the password for the admin and for other predefined users.
  • Disable any predefined users that you will not be using.
  • You can configure the time of day and days of the week that users can access the system.
  • You can configure an IP address for a user that will limit the user to log on to MFT only from that IP address.

Anonymous Access

Use anonymous access with great care. Anonymous users should not be given rights to upload or download sensitive data.

End User Education

  • When the browser offers to save the MFT password, users should decline.
  • After using MFT, users should log off and close the browser.
  • Users should not use MFT and browse other web sites at the same time.

Security

For SSH, we recommend that all partners use SHA-256/384/512 with a key size of 2048 bits or higher.

For PGP, we recommend that all partners use SHA-256/384/512 with a key size of 2048 bits or higher.
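A practical way to enforce the SSH recommendation is to check each partner's public key before it is accepted. The following script is an added illustration and is not TIBCO MFT code: it parses an OpenSSH `ssh-rsa` public key line (the same key type is used with the SHA-256/512 `rsa-sha2-*` signature algorithms) and reports the RSA modulus size against a 2048-bit minimum. The sample key lines are built from made-up moduli purely to exercise the parser and are not real keys.

```python
"""Check a partner's OpenSSH RSA public key against a minimum modulus size.

Added illustration, not TIBCO MFT code. The sample key lines are built
from made-up moduli purely to exercise the parser; they are not real keys.
"""
import base64
import struct

MIN_RSA_BITS = 2048  # recommended minimum for partner SSH keys


def _string(b: bytes) -> bytes:
    """SSH 'string' wire type: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    """SSH 'mpint': two's complement big-endian, so a 0x00 byte is prepended
    when the top bit of the magnitude would otherwise be set."""
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return _string(body)


def _read_string(blob: bytes, pos: int):
    """Read one SSH 'string' at pos; return (bytes, next_pos)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def rsa_modulus_bits(openssh_line: str) -> int:
    """Return the RSA modulus size in bits for an 'ssh-rsa <base64> [comment]' line."""
    fields = openssh_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    ktype, pos = _read_string(blob, 0)
    if ktype != b"ssh-rsa" or fields[0] != "ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {fields[0]}")
    _exponent, pos = _read_string(blob, pos)
    modulus, _ = _read_string(blob, pos)
    # int.from_bytes ignores the leading sign byte, so bit_length is the modulus size
    return int.from_bytes(modulus, "big").bit_length()


def meets_policy(openssh_line: str, min_bits: int = MIN_RSA_BITS) -> bool:
    """True when the key's modulus is at least min_bits."""
    return rsa_modulus_bits(openssh_line) >= min_bits


def make_rsa_line(modulus: int, exponent: int = 65537, comment: str = "constructed") -> str:
    """Build an authorized_keys-style line from raw numbers (test fixture only)."""
    blob = _string(b"ssh-rsa") + _mpint(exponent) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed fixtures: odd numbers of the intended bit length, not real RSA moduli.
WEAK_KEY = make_rsa_line((1 << 1023) | 1)     # 1024-bit modulus
OK_KEY = make_rsa_line((1 << 2047) | 1)       # 2048-bit modulus
STRONG_KEY = make_rsa_line((1 << 4095) | 1)   # 4096-bit modulus

if __name__ == "__main__":
    for label, line in [("weak", WEAK_KEY), ("ok", OK_KEY), ("strong", STRONG_KEY)]:
        print(label, rsa_modulus_bits(line), "bits, accepted:", meets_policy(line))
```

Feed the script the key line a partner supplies (the `ssh-rsa AAAA... comment` form) before adding it to the partner's MFT user definition; keys that fail the check should be sent back for regeneration rather than accepted with an exception.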