Novell iManager 2.7.5 Administration Guide - NetIQ
• Do not use the NULL cipher suite in a production environment.
• Do not use any cipher suite classified as LOW or EXPORT quality, because these are less secure.
• Regularly review the list of trusted certificates, and limit the list of accepted Certificate Authorities to only those you are actually using.
More information for Tomcat is available at the Apache Tomcat Documentation Web site (http://tomcat.apache.org/tomcat-4.1-doc/index.html).
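One way to check a Tomcat configuration against the cipher suite guidance above, as an added example that is not part of the guide. It assumes the suites are listed in a `ciphers` attribute on a `<Connector>` element of `server.xml`, uses a constructed sample file, and maps NULL, EXPORT and LOW to JSSE-style suite names with patterns chosen for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the guide).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_NULL_SHA,
                        SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_WITH_DES_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_256_CBC_SHA"/>
    <Connector port="8080"/>
  </Service>
</Server>
"""

# Ordered rules, first match wins. The name patterns are this example's
# assumption about how the three classes appear in JSSE-style suite names.
RULES = [
    ("NULL", re.compile(r"_WITH_NULL_")),       # no encryption at all
    ("EXPORT", re.compile(r"_EXPORT_")),        # 40-bit export-grade suites
    ("LOW", re.compile(r"_WITH_DES_CBC_")),     # single DES (56-bit), not 3DES
]

def classify(suite):
    """Return 'NULL', 'EXPORT' or 'LOW' for a weak suite name, else None."""
    for label, pattern in RULES:
        if pattern.search(suite):
            return label
    return None

def audit_connectors(server_xml):
    """Return {port: [(suite, label), ...]} for connectors that list weak suites."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        ciphers = conn.get("ciphers")
        if not ciphers:
            continue  # no explicit list: JVM defaults apply and need a separate review
        suites = [s.strip() for s in ciphers.split(",") if s.strip()]
        weak = [(s, classify(s)) for s in suites if classify(s)]
        if weak:
            findings[conn.get("port")] = weak
    return findings

if __name__ == "__main__":
    for port, weak in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, weak)
```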
NOTE: Because of the way that iManager interprets and uses data, there are no known risks of HTML-based attacks such as cross-site scripting.
A.6 Encrypted Attributes
iManager is able to securely read eDirectory 8.8 encrypted attributes. However, because of the way it determines if an attribute is encrypted, iManager does not securely modify or delete these encrypted attributes. The impact of this, which can result in some wire-level data exposure, can be mitigated through normal network security practices such as the following:
• Locating all iManager servers behind the firewall
• Locating iManager servers physically near their associated eDirectory servers
• Physically securing iManager and eDirectory servers
• Requiring remote administrators to use a VPN to access iManager and eDirectory servers
A.7 Secure Connections
Although iManager leverages secure HTTP (SSL) for client communications, and secure LDAP connections between iManager and eDirectory servers, iManager does not, with the exception of reading encrypted attributes, utilize secure NCP connections for communications between iManager servers and eDirectory servers.
This is also true for the NCP connection used by Mobile iManager. The impact of this, which can result in some wire-level data exposure, can be mitigated through normal network security practices such as the following:
• Locating all iManager servers behind the firewall
• Locating iManager servers physically near their associated eDirectory servers
• Physically securing iManager and eDirectory servers
• Requiring remote administrators to use a VPN to access iManager and eDirectory servers
NOTE: Regardless of the wire-level encryption being used, passwords are always encrypted and protected as part of the iManager authentication process.