Hardening Your Installation
Hardening refers to the steps one must perform in order to bring an application from development into production. These consist of a collection of techniques, and best practices to reduce vulnerability in your applications, systems and infrastructure.
Usually, an IT organization already has control over the standard approaches, such as keeping open ports to a minimum, and restricting access to administrative applications.
In the section we will not be focusing on hardening directives that are cross-cutting to any application, instead we will focus on specific actions required and recommend to secure eSign in a productive environment.
Hardening Checklist
The following actions must be applied for hosting an eSign instance on premises:
-
Run eSign application server as a non-privileged user.
-
Disable default users (security.local.defaults: false) and create your own (applicable if using eSign’s default authentication) (see: Local Authentication)
-
Install your own encryption key (for biometry encryption). This is a crucial step, by default eSign will encrypt biometric data with a key that is NOT unique to your organization.
-
Install your own signing certificate. Necessary eSign documents to apply digital signatures of your institution.
-
Configure eSign to write logs to appropriate location. Be sure to point to a volume that will not run out of space, or if it does will not compromise the eSign instance.
-
Configure HTTPS connection up to eSign application server. To ensure that sensitive information is not compromised, encrypted channels must be ensured even in your intranet.
-
Configure an independent database for analytics. See guide here: Tuning Analytics Database.