For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.
Security configuration for IBM MobileFirst Platform Foundation on IBM Containers
Your IBM MobileFirst™ Platform Foundation on IBM® Containers security configuration should include encrypting passwords, enabling application authenticity checking, and securing access to the consoles.
Encrypting passwords
Store the passwords for MobileFirst Server users in an encrypted format. You can use the securityUtility command available in the Liberty profile to encode passwords with either XOR or AES encryption. The encrypted passwords can then be copied into the /usr/env/server.env file. See Encrypting passwords for user roles configured in MobileFirst Server for instructions.
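The following check is an added example, not part of the IBM documentation: it scans server.env-style text and reports password variables that are not stored with the {aes} tag. The variable names, the sample values and the AES-only policy are assumptions; the policy reflects that Liberty's XOR encoding can be reversed without a key.

```python
import base64
import re

# Tags that securityUtility puts in front of an encoded value (the two the page names).
TAG = re.compile(r"^\{(xor|aes)\}(.*)$", re.IGNORECASE)
# KEY=VALUE, optionally prefixed with "export".
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def classify(value):
    """Return 'empty', 'plaintext', 'malformed', 'xor' or 'aes' for one value."""
    value = value.strip().strip("'\"")
    if not value:
        return "empty"
    m = TAG.match(value)
    if not m:
        return "plaintext"
    payload = m.group(2)
    try:
        # securityUtility output after the tag is Base64; anything else was hand-edited.
        if not payload or not base64.b64decode(payload, validate=True):
            return "malformed"
    except ValueError:
        return "malformed"
    return m.group(1).lower()

def audit(text):
    """Return (line_no, name, kind) for each password variable not stored as {aes}."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m or "PASSWORD" not in m.group(1).upper():
            continue
        kind = classify(m.group(2))
        if kind != "aes":  # assumed policy: only AES-encrypted values pass
            findings.append((no, m.group(1), kind))
    return findings

# Constructed sample; variable names are hypothetical, values are not real output.
SAMPLE = """# constructed sample
ADMIN_USER=admin
ADMIN_PASSWORD=changeit
export DEMO_PASSWORD="{xor}Lz4sLCgwLTs="
CONFIG_PASSWORD={aes}QUJDREVGR0hJSktMTU5PUA==
MONITOR_PASSWORD={aes}not base64!
"""

if __name__ == "__main__":
    for no, name, kind in audit(SAMPLE):
        print(f"line {no}: {name} is {kind}")
```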
Application-authenticity validation
To keep unauthorized mobile applications from accessing the MobileFirst Server, enable the application-authenticity security check.
Configure SSL for Operations Console and Analytics Console
You can secure access to the MobileFirst Operations Console and the MobileFirst Analytics Console by enabling HTTP over SSL (HTTPS) on the MobileFirst Server. To enable HTTPS on the MobileFirst Server, create the keystore containing the certificate and place it in the usr/security folder. Then, update the usr/config/keystore.xml file to use the keystore that you created.
Securing a connection to the back end
If you need a secure connection between your container and an on-premise back-end system, you can use the Bluemix® Secure Gateway service. Configuration details are provided in this article: Connecting Securely to On-Premise Backends from MobileFirst on IBM Bluemix containers.
- Encrypting passwords for user roles configured in MobileFirst Server
  The passwords for user roles that are configured for the MobileFirst Server can be encrypted.
- Securing container communication using a private IP address
  To have secure communication between the MobileFirst Server container and the MobileFirst Analytics container, you must include the private IP address of the MobileFirst Analytics container in the mfpfProperties.xml file.
- Restrict access to the consoles running on containers
  You can restrict access to the MobileFirst Operations Console and the MobileFirst Analytics Console in production environments by creating and deploying a Trust Association Interceptor (TAI) to intercept requests to the consoles running on IBM Containers.