Your Novell Vibe system should be located behind your firewall. If Vibe users want to access the Vibe site from outside your firewall, you should set up a proxy server outside your firewall to provide access. You can use Novell Access Manager to protect your Vibe site, as described in "Configuring Single Sign-On with Novell Access Manager" in "Advanced Installation and Reconfiguration" in the Kablink Vibe OnPrem 3 Installation Guide.
The Vibe site is initially installed to allow administrator access by using the username admin and the password admin. The Vibe administrator password should be changed immediately after installation, as described in "Accessing Your Basic Vibe Site as the Site Administrator" in "Basic Installation" in the Kablink Vibe OnPrem 3 Installation Guide.
All communication with the Vibe site should be configured to use SSL connections, as described in:
By default, if a user’s Vibe session is idle for four hours (240 minutes), Vibe logs the idle user out. For increased security for your Vibe site, you can make the session timeout shorter, as described in "Changing the Vibe Session Timeout" in "Advanced Installation and Reconfiguration" in the Kablink Vibe OnPrem 3 Installation Guide.
Vibe controls all access to folders and entries by using role-based access controls. Vibe is intended to be used primarily for the sharing of information, so many default access rights tend toward allowing at least universal read access. For information on setting access controls for your Vibe site, see:
You can configure Vibe to receive e-mail and post the messages as entries in a folder, as described in "Enabling Inbound E-Mail" in "Basic Installation" in the Kablink Vibe OnPrem 3 Installation Guide. Because e-mail is inherently insecure, there is no way to be sure that the senders are who they claim to be. Entries posted by e-mail include the e-mail address of the sender to alert Vibe users about the origin of the postings.
The default Vibe installation allows authenticated access via Web services, as described in "Configuring Web Services" in "Advanced Installation and Reconfiguration" in the Kablink Vibe OnPrem 3 Installation Guide. If you are not using Web services, you can disable them.
Because RSS readers are outside of the Vibe authentication system, the URL provided by Vibe for an RSS feed embeds some authentication information about the user. This means that the RSS URL must be protected and not shared between users. For this reason, RSS is not recommended for use on highly sensitive data. If necessary, you can disable RSS feeds for your Vibe site, as described in "Managing RSS Feeds" in "Advanced Installation and Reconfiguration" in the Kablink Vibe OnPrem 3 Installation Guide.
Mirrored folders make files that are stored on a file system available to users on the Novell Vibe site. Two levels of security are provided for mirrored folder access:
When you create mirrored folder resource drivers, as described in "Configuring Mirrored Folder Resource Drivers" in "Advanced Installation and Reconfiguration" in the Kablink Vibe OnPrem 3 Installation Guide, you can choose read-only access or read/write access. In addition, you can identify specific Vibe users and groups that are allowed access to the mirrored folder resource drivers.
When you set up the mirrored folders on the Vibe site, as described in Section 12.0, Setting Up Mirrored Folders in this guide, you can set access controls on the Mirrored File folder.
Cross-site scripting (XSS) is a client-side computer attack that is aimed at Web applications. Because XSS attacks can pose a major security threat, Novell Vibe contains a built-in security filter that protects against XSS vulnerabilities. This security filter is enabled by default.
The XSS security filter protects the Vibe site from XSS in two key areas:
Text and HTML fields in entries and folders
Uploaded HTML files
It is possible to disable the XSS security filter for the entire site for each of these areas by copying the appropriate lines from the ssf.properties file, pasting them into the ssf-ext.properties file, then changing the values of the lines to false. The lines in the ssf.properties file that are responsible for enabling and disabling the XSS security filter are:
xss.check.enable
xss.content.filter.file.extensions
IMPORTANT: Because of the serious nature of XSS attacks, we strongly recommend that you do not disable the XSS security filter for the entire site. If there are certain users who need to upload information to the Vibe site, you can grant those users access to bypass the XSS security filter, as described in Section 14.5.4, Enabling Users to Bypass the XSS Security Filter.
For more information about XSS, see Section 14.5, Enabling Users to Add JavaScript and Other Restricted Content by Modifying Cross-Site Scripting Settings.
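To confirm that the XSS security filter has not been turned off site-wide, you can compare the two property files for the keys named above. The following Python script is an added example, not part of the Novell documentation; it assumes that a key in ssf-ext.properties overrides the same key in ssf.properties, uses a simplified properties parser, and runs on constructed sample file contents whose values are placeholders.

```python
# Added example: report site-wide XSS filter settings that are set to "false".
XSS_KEYS = ("xss.check.enable", "xss.content.filter.file.extensions")

# Constructed sample contents; the values are placeholders, not shipped defaults.
SAMPLE_BASE = """\
# ssf.properties (constructed sample)
xss.check.enable=true
xss.content.filter.file.extensions=SAMPLE_VALUE
"""
SAMPLE_EXT = """\
# ssf-ext.properties (constructed sample)
xss.check.enable = false
"""


def parse_properties(text):
    """Simplified Java .properties parser: '#'/'!' comments, '=' or ':'
    separators, backslash line continuations; a later duplicate key wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of backslashes: value continues
            pending = line[:-1]
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit_xss(base_text, ext_text):
    """Return (key, file) pairs for XSS filter keys whose effective value is
    'false'. Assumption: ssf-ext.properties overrides ssf.properties."""
    base, ext = parse_properties(base_text), parse_properties(ext_text)
    findings = []
    for key in XSS_KEYS:
        value = ext.get(key, base.get(key))
        if value is not None and value.lower() == "false":
            source = "ssf-ext.properties" if key in ext else "ssf.properties"
            findings.append((key, source))
    return findings


if __name__ == "__main__":
    for key, source in audit_xss(SAMPLE_BASE, SAMPLE_EXT):
        print(f"WARNING: {key} is false (set in {source})")
```

To audit a real server, read the contents of the two files from your Vibe installation and pass them to `audit_xss` in place of the samples.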