33.3 Securing the Vibe Site

33.3.1 Configuring a Proxy Server

Your Novell Vibe system should be located behind your firewall. If Vibe users want to access the Vibe site from outside your firewall, you should set up a proxy server outside your firewall to provide access. You can use Novell Access Manager to protect your Vibe site, as described in Configuring Single Sign-On with Novell Access Manager in Advanced Installation and Reconfiguration in the Kablink Vibe OnPrem 3 Installation Guide.

33.3.2 Setting the Vibe Administrator Password

The Vibe site is initially installed to allow administrator access by using the username admin and the password admin. The Vibe administrator password should be changed immediately after installation, as described in Accessing Your Basic Vibe Site as the Site Administrator in Basic Installation in the Kablink Vibe OnPrem 3 Installation Guide.

33.3.3 Setting Up SSL Connections

All communication with the Vibe site should be configured to use SSL connections, as described in:

33.3.4 Shortening the Vibe Session Timeout

By default, if a user’s Vibe session is idle for four hours (240 minutes), Vibe logs the idle user out. For increased security for your Vibe site, you can make the session timeout shorter, as described in Changing the Vibe Session Timeout in Advanced Installation and Reconfiguration in the Kablink Vibe OnPrem 3 Installation Guide.

33.3.5 Using Role-Based Access Control

Vibe controls all access to folders and entries by using role-based access controls. Vibe is intended to be used primarily for the sharing of information, so many default access rights tend toward allowing at least universal read access. For information on setting access controls for your Vibe site, see:

33.3.6 Monitoring Inbound E-Mail

You can configure Vibe to receive e-mail and post the messages as entries in a folder, as described in Enabling Inbound E-Mail in Basic Installation in the Kablink Vibe OnPrem 3 Installation Guide. Because e-mail is inherently insecure, there is no way to be sure that the senders are who they claim to be. Entries posted by e-mail include the e-mail address of the sender to alert Vibe users to the origin of the postings.

33.3.7 Preventing Web Services Access

The default Vibe installation allows authenticated access via Web services, as described in Configuring Web Services in Advanced Installation and Reconfiguration in the Kablink Vibe OnPrem 3 Installation Guide. If you are not using Web services, you can disable them.

33.3.8 Controlling RSS Feeds

Because RSS readers are outside of the Vibe authentication system, the URL that Vibe provides for an RSS feed embeds some authentication information about the user. This means that the RSS URL must be protected and not shared between users. For this reason, RSS is not recommended for use on highly sensitive data. If necessary, you can disable RSS feeds for your Vibe site, as described in Managing RSS Feeds in Advanced Installation and Reconfiguration in the Kablink Vibe OnPrem 3 Installation Guide.

33.3.9 Securing Mirrored Folders

Mirrored folders make files that are stored on a file system available to users on the Novell Vibe site. Two levels of security are provided for mirrored folder access:

33.3.10 Securing the Vibe Site from XSS

Cross-site scripting (XSS) is a client-side computer attack that is aimed at Web applications. Because XSS attacks can pose a major security threat, Novell Vibe contains a built-in security filter that protects against XSS vulnerabilities. This security filter is enabled by default.

The XSS security filter protects the Vibe site from XSS in two key areas:

  • Text and HTML fields in entries and folders

  • Uploaded HTML files

It is possible to disable the XSS security filter for the entire site in either of these areas by copying the appropriate lines from the ssf.properties file into the ssf-ext.properties file, then changing the values of those lines to false. The lines in the ssf.properties file that enable and disable the XSS security filter are:

  • xss.check.enable

  • xss.content.filter.file.extensions

IMPORTANT: Because of the serious nature of XSS attacks, we strongly recommend that you do not disable the XSS security filter for the entire site. If there are certain users who need to upload information to the Vibe site, you can grant those users access to bypass the XSS security filter, as described in Section 14.5.4, Enabling Users to Bypass the XSS Security Filter.
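Because ssf-ext.properties overrides ssf.properties key by key, the effective state of the XSS filter is only visible after merging the two files. The following audit script is an added example, not part of the Vibe product or this guide: it parses both files, computes the effective value of the two keys named above, and reports any area where the filter is turned off site-wide. The sample file contents are constructed for the example; the real default values of these keys are not shown on this page, and the override-wins merge order is an assumption based on the procedure described above.

```python
"""Audit the effective Novell Vibe XSS filter settings (added example, not Vibe code)."""
import re

# The two ssf.properties keys the guide names as controlling the XSS security filter.
XSS_KEYS = ("xss.check.enable", "xss.content.filter.file.extensions")

# key, optional '=' or ':' separator (or whitespace), then the value.
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java-style .properties text into a dict.

    Handles '#' and '!' comment lines, 'key=value', 'key: value', 'key value'
    and backslash line continuations. A later duplicate key overwrites an
    earlier one, matching java.util.Properties behaviour.
    """
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        # Join continuation lines ending in a backslash.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_settings(defaults_text, overrides_text):
    """Merge ssf.properties (defaults) with ssf-ext.properties (overrides).

    Assumption: a key present in ssf-ext.properties replaces the same key in
    ssf.properties. Returns (merged values, file that supplied each key).
    """
    merged = parse_properties(defaults_text)
    source = {k: "ssf.properties" for k in merged}
    for key, value in parse_properties(overrides_text).items():
        merged[key] = value
        source[key] = "ssf-ext.properties"
    return merged, source


def audit(defaults_text, overrides_text):
    """Return a list of findings; an empty list means the filter is on in both areas."""
    merged, source = effective_settings(defaults_text, overrides_text)
    findings = []
    for key in XSS_KEYS:
        value = merged.get(key)
        if value is None:
            findings.append(f"{key}: not set in either file, filter state cannot be confirmed")
        elif value.lower() in ("false", ""):
            findings.append(f"{key}={value!r} in {source[key]}: XSS filter disabled site-wide")
    return findings


# Constructed sample of ssf.properties; the real default values are not on the page.
SAMPLE_DEFAULTS = """\
# constructed sample of ssf.properties
xss.check.enable=true
xss.content.filter.file.extensions=true
"""

# Constructed sample of an ssf-ext.properties that turns the filter off everywhere.
SAMPLE_WEAK_EXT = """\
# constructed sample of ssf-ext.properties
xss.check.enable=false
xss.content.filter.file.extensions = false
"""

if __name__ == "__main__":
    # In practice read the two files from the Vibe installation; here use the samples.
    for name, ext in (("unchanged", ""), ("weakened", SAMPLE_WEAK_EXT)):
        print(f"[{name}]")
        for finding in audit(SAMPLE_DEFAULTS, ext) or ["OK: XSS filter enabled in both areas"]:
            print("  " + finding)
```

Run the script against copies of the two files from the Vibe installation to confirm that ssf-ext.properties has not silently turned the filter off; because the script only reads the merged values, it also catches the case where a key was pasted into ssf-ext.properties with a stray separator or continuation line.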

For more information about XSS, see Section 14.5, Enabling Users to Add JavaScript and Other Restricted Content by Modifying Cross-Site Scripting Settings.