15.2 Security Characteristics

QuickFinder Server communicates using port 80 for normal searches, port 443 for rights-based searches and to log in (controllable by the administrator), and port 2200 on NetWare for administration (also controllable by the administrator). On Linux, QuickFinder uses port 443 for administration (also controllable by the administrator). QuickFinder Server’s Highlighter and Print servlets can use whatever port a URL was originally crawled on.

When crawling a Web site, QuickFinder Engine uses port 80 for most Web sites and port 443 for most HTTPS-based Web sites. However, the actual ports are controlled by each Web site administrator. If a Web site is password-protected, user credentials can be configured by the search administrator when he or she defines the indexes. These credentials are sent with the URLs requested.

When indexing a File System, the QuickFinder Server engine only indexes what it has rights to see. On NetWare, it has full access to all mounted volumes. On Linux, it has rights to only the files that the novelwww user (within the www group) has rights to see. QuickFinder cannot control what user is used to run QuickFinder Server; it simply runs with whatever user the Tomcat servlet engine was launched with. QuickFinder also adds the novelwww user to the shadow group, which allows QuickFinder Server and QuickFinder Engine to determine if a user is a valid user through PAM.

When synchronizing indexes, configuration settings, and search templates between QuickFinder servers, QuickFinder Server communicates over port 80, port 443, or port 2200, as controlled by the administrator. Administrators can also optionally configure the synchronization to require administrator credentials and HTTPS communications.

Anyone who logs in as a valid user, via eDirectory on NetWare or via PAM (possibly eDirectory) on Linux, and who has write rights to the specified qfind.cfg file (/var/lib/qfsearch/Sites/qfind.cfg on Linux and sys:/qfsearch/sites/qfind.cfg on NetWare) can administer QuickFinder.
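
Because write access to qfind.cfg is what grants administration on Linux, it is worth enumerating which accounts the file's mode bits allow to write it; the following is an added example, not code from QuickFinder or its documentation. The helper names, the sample accounts and the numeric IDs are assumptions, and the check covers classic mode bits only (no POSIX ACLs) for accounts that NSS can enumerate.

```python
import grp
import os
import pwd
import stat

QFIND_CFG = "/var/lib/qfsearch/Sites/qfind.cfg"  # Linux path given on this page
# Constructed sample accounts and IDs (assumptions), used when the file is absent.
SAMPLE_PASSWD = {"root": (0, 0), "novelwww": (30, 8), "alice": (1000, 100), "bob": (1001, 100)}
SAMPLE_GROUPS = {8: ["bob"]}  # gid 8 stands in for the www group


def accounts_with_write(mode, uid, gid, passwd, groups):
    """Return {account: reason} for accounts the mode bits allow to write.

    passwd: {name: (uid, primary_gid)}; groups: {gid: [supplementary members]}.
    POSIX picks one class per account (owner, else group, else other), so an
    owner without the owner-write bit is denied even if group/other allow it.
    """
    writers = {}
    for name, (user_uid, primary_gid) in passwd.items():
        in_group = primary_gid == gid or name in groups.get(gid, [])
        if user_uid == 0:
            writers[name] = "superuser"  # uid 0 bypasses the mode bits
        elif user_uid == uid:
            if mode & stat.S_IWUSR:
                writers[name] = "owner"
        elif in_group:
            if mode & stat.S_IWGRP:
                writers[name] = "group"
        elif mode & stat.S_IWOTH:
            writers[name] = "other"
    return writers


def audit(path=QFIND_CFG):
    """Evaluate the real file against the accounts NSS can enumerate."""
    st = os.stat(path)
    passwd = {p.pw_name: (p.pw_uid, p.pw_gid) for p in pwd.getpwall()}
    groups = {g.gr_gid: g.gr_mem for g in grp.getgrall()}
    return accounts_with_write(st.st_mode, st.st_uid, st.st_gid, passwd, groups)


if __name__ == "__main__":
    if os.path.exists(QFIND_CFG):
        result = audit()
    else:
        result = accounts_with_write(0o664, 30, 8, SAMPLE_PASSWD, SAMPLE_GROUPS)
    for account, reason in sorted(result.items()):
        print(f"{account}\t{reason}")
```

Any account in the output other than the intended search administrators is a candidate for tightening the file's ownership or mode.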

QuickFinder Server was originally designed to be capable of hosting search services for multiple independent organizations (possibly completely different enterprises). After an administrator has gained entry to QuickFinder Manager (through the specific virtual search server he or she has rights to), he or she then has administrative rights to all of the other virtual search servers.

On the searching side, QuickFinder Server does not usually perform rights-based searching. However, using QuickFinder Manager, administrators can configure any index to restrict access to the search results within it. This restriction controls only whether users can see results on the search results pages, not access to the results themselves. After an administrator has configured an index to perform rights-based searching, approximately the same logic is applied as for administering the product: users are authenticated by eDirectory on NetWare and by PAM (possibly eDirectory) on Linux, and individual files are authorized based on each user's read rights to those files in the file system.