Chapter 45. Security Recommendations for CloverDX Server

    To improve the security of CloverDX Server, you should:

    • Change the default password for the clover user. Until it is changed, anyone who knows the default can log in as clover. See Change Users Password.

    • Create a user different from clover and add it to the admin group. If there are several administrators, create a separate account for each of them. See Users.

    • Set the master password. Without the master password, you cannot use secure parameters. See Chapter 20, Secure Parameters.

    • Run CloverDX Server with the privileges of an ordinary user, e.g. create a dedicated system account clover that is used only for running CloverDX Server. Never run CloverDX Server under the root account.

    • Communication with the system database may be unencrypted. Consider encrypting the connection to the system database as well.

    • If the database provides a root/admin account, do not use it for CloverDX Server. Create a separate database user account, e.g. clover, for the server.

    • Run CloverDX Server over HTTPS. If you communicate over HTTP, your data, including login credentials, is sent unencrypted and can be read by anyone able to observe the traffic.

    • Disable the HTTP API if you do not need it. See Chapter 36, Simple HTTP API.

    • In Data Services, keep keystores outside sandboxes and run the service over HTTPS. If a keystore is stored in a sandbox, any user with write permission to that sandbox could replace it with their own keystore. See HTTPS Connectors.

    • Enable user lockout after repeated failed login attempts. If you use this feature in a Cluster, make sure that all cluster nodes have the same lockout configuration. See User Lockout.
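
    Several of the items above can be verified on the server host after hardening. The script below is an added example written for this page; it is not part of CloverDX or its documentation. It checks the process owner (not root), that the server URL uses HTTPS, that the Data Services keystore lies outside the sandbox tree (symlinks resolved, so a link pointing into a sandbox is caught), and that the factory clover/clover credentials are rejected by the Simple HTTP API. The default URL, sandbox root, keystore path, process pattern and the simpleHttpApi/help operation used for the probe are assumptions for a typical deployment; override them through the environment to match yours.

```shell
#!/bin/sh
# Post-hardening audit for a CloverDX Server host. Added example, not part of
# the CloverDX documentation or product. The values below are assumptions for
# a typical deployment; override them in the environment for your installation.
CLOVER_URL="${CLOVER_URL:-https://localhost:8443/clover}"          # assumed
SANDBOX_ROOT="${SANDBOX_ROOT:-/opt/cloverdx/sandboxes}"           # assumed
KEYSTORE="${KEYSTORE:-/etc/cloverdx/tls/dataservice.p12}"         # assumed
PROCESS_PATTERN="${PROCESS_PATTERN:-cloverdx}"                    # assumed

# Process owner: the server JVM must run as an ordinary account, never root.
# Argument: owner user name. Returns 0 when acceptable.
check_process_user() {
  case "$1" in
    root|"") return 1 ;;
    *)       return 0 ;;
  esac
}

# Transport: the server URL must use https://, otherwise credentials and data
# cross the network in clear text.
check_https_only() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Keystore placement: a keystore under the sandbox root could be swapped by any
# user with write access to that sandbox. A trailing slash on the root is
# tolerated, and "sandboxes-archive" must not be mistaken for "sandboxes".
check_keystore_outside_sandbox() {
  root="${1%/}"
  case "$2" in
    "$root"/*) return 1 ;;
    *)         return 0 ;;
  esac
}

# Default credentials: interprets the HTTP status of a Simple HTTP API request
# authenticated as clover/clover. Any 2xx means the factory password still
# works; 401/403 (rejected) or 404 (API disabled) are the desired outcome.
# 000 means no response, so nothing can be concluded and it is reported as a
# failure rather than silently passing.
check_default_password_rejected() {
  case "$1" in
    2[0-9][0-9]|000) return 1 ;;
    *)               return 0 ;;
  esac
}

# Live probe, used only when the script is started with --run.
probe_default_password() {
  # No --insecure: a certificate failure on the server's own URL is a finding.
  curl -s -o /dev/null -w '%{http_code}' -u clover:clover \
    "$CLOVER_URL/simpleHttpApi/help"
}

run_audit() {
  rc=0
  report() { # $1 = exit status of the check, $2 = description
    if [ "$1" -eq 0 ]; then echo "PASS $2"; else echo "FAIL $2"; rc=1; fi
  }
  pid="$(pgrep -f -o "$PROCESS_PATTERN" || true)"
  owner="$(ps -o user= -p "${pid:-0}" 2>/dev/null | tr -d ' ')"
  check_process_user "$owner"; report $? "server process owner: '${owner:-not found}'"
  check_https_only "$CLOVER_URL"; report $? "server URL uses HTTPS: $CLOVER_URL"
  # Resolve symlinks so a link that points into the sandbox tree is flagged.
  ks="$(readlink -f "$KEYSTORE" 2>/dev/null || echo "$KEYSTORE")"
  check_keystore_outside_sandbox "$SANDBOX_ROOT" "$ks"; report $? "keystore outside sandboxes: $ks"
  status="$(probe_default_password)"
  check_default_password_rejected "$status"; report $? "default clover/clover rejected (HTTP $status)"
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_audit; fi
```

    Run it as `sh audit.sh --run` on the server host; a non-zero exit status means at least one recommendation is not met. The check functions take their inputs as arguments so they can be exercised without a live server, and the credential probe deliberately treats "no response" as a failure so an unreachable or misconfigured URL never produces a false pass.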