Hardening Your Installation

Hardening refers to the steps one must perform in order to bring an application from development into production. These consist of a collection of techniques, and best practices to reduce vulnerability in your applications, systems and infrastructure.

Usually, an IT organization already has control over the standard approaches, such as keeping open ports to a minimum, and restricting access to administrative applications.

In the section we will not be focusing on hardening directives that are cross-cutting to any application, instead we will focus on specific actions required and recommend to secure eSign in a productive environment.

Hardening Checklist

The following actions must be applied for hosting an eSign instance on premises:

  • Run eSign application server as a non-privileged user.

  • Install eSign as a service.

  • Configure eSign persistence mode to hibernate, ensuring that all persistence is stored at a database level.

  • Install your own encryption key (for biometry encryption). This is a crucial step, by default eSign will encrypt biometric data with a key that is NOT unique to your organization.

  • Install your own signing certificate. Necessary eSign documents to apply digital signatures of your institution.

  • Configure eSign to write logs to appropriate location. Be sure to point to a volume that will not run out of space, or if it does will not compromise the eSign instance.

  • Configure HTTPS connection up to eSign application server. To ensure that sensitive information is not compromised, encrypted channels must be ensured even in your intranet.

  • Configure eSign services default authentication to a stronger method

Authentication Configuration

The following example configures the authentication to use a basic authentication addin but one could and should choose the best authentication method for their use case.

Setting up a basic authentication extension:

First we setup our custom basic authentication with the user "custom" and the encrypted password "custom" and then another instance with "dashboard/dashboard".

	"extensions": [
        ...
        {
            "name": "authentication-basic-custom",
            "class": "novabase.connect.paperless.esign.core.extensions.impl.BasicAuthenticationAddin",
            "params": {
                "user": "custom",
                "password": "${enc:nUyefoFMmKilWMpr4j0FCw==}"
            }
        },
        {
            "name": "authentication-basic-dashboard",
            "class": "novabase.connect.paperless.esign.core.extensions.impl.BasicAuthenticationAddin",
            "params": {
                "user": "custom",
                "password": "${enc:qQDUDq3tMw7UHKCNNV7j4MT1HrVcie2m}"
            }
        }
        ...
    ]

Setting up this new extension for usage

Then we setup the new configured extensions to be used by the different pages/services:

	"properties": [
        ...

        "server.authenticate.services": true,
		"server.authenticate.services.extension": "authentication-basic-custom",
		"server.authenticate.dashboard": true,
		"server.authenticate.dashboard.extension": "authentication-basic-dashboard",
		"server.authenticate.compliance": true,
		"server.authenticate.compliance.extension": "authentication-basic-custom"

        ...
    ]