Security considerations for IBM Rational Publishing Engine
- Enabling security during the install process
- Enabling secure communication between multiple applications
- Ports, protocols, and services
- Customizing your security settings
- Setting up user roles and access
- Privacy policy considerations
- Security limitations
Enabling security during the install process
- If you are using WebSphere® Application Server as your application server, several security settings, such as administrative security and application security, must be enabled when deploying Rational® Publishing Engine web applications. For more information, see Deploying Document Builder.
  Warning: If you installed a WebSphere Application Server interim fix for PM44303 or a fix pack that contains PM44303, a potential security exposure exists with some versions of WebSphere Application Server. You must install a fix that is specific to your version of WebSphere Application Server and your operating system. For more information, see the Potential security exposure from IBM WebSphere Application Server impacts Rational Publishing Engine technote.
- If you are using Apache Tomcat as your application server, no security settings are required, although you can choose to set up the SSL configuration. For more information, see the SSL Configuration How-To information for version 6.0 or version 7.0 on the Apache Tomcat website.
- To learn more about how user names and passwords are stored, see the documentation for your application server.
After you deploy the Document Builder application, you can choose whether to enter a secure or nonsecure URL to the document generation. The secure URL is included in the documentation in this information center. For more information, see Document Builder URLs. If you choose to set up nonsecure document generation, any user can view the generated output documents, even users who do not have access to the data in the data source.
Enabling secure communication between multiple applications
Ports, protocols, and services
You can set up a proxy connection.
- The default port for WebSphere Application Server is 9043.
- The default port for Apache Tomcat is 8080.
- The default port for WebSphere Application Server is 9080.
- The default port for Apache Tomcat is 8080, unless you are using a port where the SSL is configured, and then the port number is usually 8443.
Rational Publishing Engine uses the DESede algorithm (Triple DES encryption) to encrypt passwords used in document specifications and templates. The passwords are also encoded using the Base 64 encoder.
Customizing your security settings
User names and passwords for the web applications are not created automatically. Rational Publishing Engine requires user names and passwords for connecting to Document Builder, but not for using the Document Studio and Launcher client applications on your computer.
Data sources might require separate authentication for Rational Publishing Engine to access the data inside them. Verify the security of the data source and do not use untrusted data sources with Rational Publishing Engine. If your data source requires authentication, user names and passwords for data sources can be stored on the Rational Publishing Engine remote server, in document specification files, or in template files.
Passwords are encrypted in Rational Publishing Engine. When passwords are stored in template files and on the remote server, the characters are masked with bullets. When passwords are stored in document specification files, the characters are masked with bullets as they are being typed and are switched to asterisks after you move the cursor away from the value. If you open a document specification in a browser or XML editor, the password is encoded.
Templates or document specifications can be shared by either storing them in Document Builder or by sending them through a method outside of Rational Publishing Engine. Before sharing a template or document specification, you must decide whether to keep or remove the user name and password from the files. In most situations, removing the user name and password from the file is recommended. Even if the password cannot be identified because it is encrypted, other users can still generate documents that might include data that those users are not otherwise permitted to see.
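One way to remove stored credentials from a file before sharing it, as recommended above. This is an added example, not code from Rational Publishing Engine or its documentation: the XML layout of the sample, the field names in CREDENTIAL_NAMES, and the function names are hypothetical and must be adapted to the actual document specification or template schema.

```python
import xml.etree.ElementTree as ET

# Assumption: credential fields are recognised by these names, used either as
# an element tag or as a name="..." attribute. Adapt to the real file schema.
CREDENTIAL_NAMES = {"username", "password"}

# Constructed sample; the element layout is hypothetical, not the product's.
SAMPLE_SPEC = """<docspec>
  <datasource id="requirements">
    <property name="URI">https://example.invalid/rm/views</property>
    <property name="username">report_svc</property>
    <property name="password">CONSTRUCTED-ENCODED-VALUE==</property>
  </datasource>
  <output type="PDF"/>
</docspec>"""


def credential_name(elem):
    """Return the credential field name for elem, or None if it is not one."""
    tag = elem.tag.rsplit("}", 1)[-1].lower()   # drop any XML namespace
    name = (elem.get("name") or "").lower()
    for candidate in (name, tag):
        if candidate in CREDENTIAL_NAMES:
            return candidate
    return None


def scrub_credentials(xml_text):
    """Blank stored credentials; return (scrubbed_xml, names_that_held_values)."""
    root = ET.fromstring(xml_text)
    cleared = []
    for elem in root.iter():
        field = credential_name(elem)
        if field is None:
            continue
        if (elem.text or "").strip() or elem.get("value"):
            cleared.append(field)
        elem.text = ""                 # value stored as element text
        if "value" in elem.attrib:     # value stored as an attribute
            elem.set("value", "")
    return ET.tostring(root, encoding="unicode"), cleared


if __name__ == "__main__":
    scrubbed, cleared = scrub_credentials(SAMPLE_SPEC)
    print("cleared:", cleared)
    print(scrubbed)
```

An empty `cleared` list on a second pass over the output confirms that no credential values remain in the file to be shared.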
Setting up user roles and access
Rational Publishing Engine has roles for administrators and users of the Document Builder application. An overview of the user roles is available in User roles for Document Builder.
Privacy policy considerations
This software offering does not use cookies or other technologies to collect personally identifiable information. For more information about cookies, see the Documentation notices for IBM Rational Publishing Engine.
Security limitations
- Nonsecure document generation: If you do not choose secure document generation, any user can view the generated output.
- Unsuccessful login attempts: Apache Tomcat does not lock out users after multiple unsuccessful attempts to log in.
- Sharing templates and document specifications: If credentials are not removed from shared templates and document specifications, users can generate documents on data that they might not otherwise have permission to access.
- Data source security: Data is secured by the application that stores it. Rational Publishing Engine does not secure data.