Administering : Security considerations for Focal Point®
  
Security considerations for Focal Point®
Focal Point® provides certain features and capabilities to make sure that the application security is not compromised. You can take actions to ensure that your installation is secure, customize your security settings, and set up user access controls. You can also ensure that you know about any security limitations that you might encounter with this application.
See
Enabling security during the install process
Enabling secure communication between multiple applications
Ports, protocols, and services
Customizing your security settings
Setting up user roles and access
Cookies
Security limitations
Enabling security during the install process
Support for HTTPS: Focal Point® 6.6 and later provides the option to install Apache Tomcat 7.0 server along with the Focal Point® application. The bundled Tomcat 7.0 has HTTPS enabled, by default. For previous versions of Focal Point®, users can enable HTTPS by securing an SSL certificate and making the required configuration changes. See Enabling HTTPS.
Support for silent installation and uninstallation: Focal Point® can be installed silently, through the command line interface, by specifying the installation inputs in a response file. Sample response files are provided. The parameters in the sample response files can be modified based on the user environment.
Multiple authentication methods: User validation and authentication measures ensure that the application is accessed and used only by registered Focal Point® users with a valid license. Administrators can specify the authentication method to be used. Focal Point® supports standard authentication, the Rational Directory Server and the web single sign-on authentication methods. See Authentication in Focal Point® and User types and access levels.
Support for LDAP server: To use an LDAP server to retrieve user data, see “Enabling an LDAP server”.
Enabling secure communication between multiple applications
Global administrators of Focal Point® can enable Web Single Sign-On (Web SSO) by running SQL commands in the SQL interface. See Enabling Web Single Sign-On and Effects of enabling Web Single Sign-On.
Focal Point® supports two authentication types, Basic and OAuth, while adding an application as a friend in Focal Point®.
Ports, protocols, and services
Focal Point® 6.6 and later provides the option to install Apache Tomcat 7.0 server along with the Focal Point® application. The Apache Tomcat application server is installed with HTTPS enabled. If you are using the Tomcat server that is provided with Focal Point®, the default port number used for http connection is 9080 and the default port number for https connection is 9443. Update the port numbers in the server.xml file that is in the Tomcat install directory\conf location to use the port number that you need for Focal Point®.
Ping servlet access: Basic HTTP authentication and client network address filtering can be used to enable or disable access to a ping servlet. See Enabling access to the ping servlet.
Customizing your security settings
Application security settings: Focal Point® administrators can configure the security settings related to application login, and password management. Administrators can also decide on the level of password protection required, based on their respective organization’s security guidelines. In Focal Point® 6.6.1 and later, the way the secure user credentials are handled has been further enhanced to increase protection from offline attacks. See Security settings.
Safe error messages: The application error messages do not display any sensitive information about the application or the users. This feature prevents malicious users from gaining access to important information that might be displayed as part of the error message.
Setting up user roles and access
Focal Point® provides predefined user types and access levels that can be selected while configuring Focal Point® users. User types and access levels can be used to configure the privileges and permissions for application users. See User types and access levels and Workflow: User types and tasks.
Note User types are related to licenses. If you purchased user-based licenses, make sure that the number of users of a certain type do not exceed the number of licenses. If you purchased floating licenses, make sure that you have enough licenses of a certain user type to cover the corresponding usage.
Cookies
This software offering does not use cookies or other technologies to collect personally identifiable information.
Security limitations
If you are using a version of Focal Point® prior to version 6.6 with Tomcat as the application server, HTTPS is not enabled by default. You can enable HTTPS by securing an SSL certificate and making the required configuration changes. See Enabling HTTPS.
See also
Administering Focal Point®