Overview
By default, most of the Attivio platform is configured to be open with unsecured transports and data. If a more secure configuration is desired, there are four areas of Attivio which can be secured: Transport, JMX, Webapps, and Content. Attivio may be configured to access secured data sources.
View incoming links.
Transport Security
API calls to Attivio, as well as communication among Attivio nodes, is done with unencrypted, unsecured HTTP calls. These HTTP endpoints can be secured by implementing basic HTTP authentication, requiring a configurable username and password. If transmission of these password or the data must be secured, then Attivio can be configured to use HTTPS, forcing encrypted communication among Attivio components.
See Transport Security and Ports for configuration details.
JMX Security
In order to support remote/automated monitoring of Attivio, a JMX web console and a JMX RMI registry are exposed. The JMX transport can be secured with a configurable username and password. The JMX transport can also be configured to use HTTPS for encrypting content.
See JMX Security and Configuration for configuration details.
Attivio Web Application (webapp) Security
Most of Attivio's web pages, like the Administrative Console, are unencrypted and unsecured by default. Attivio webapps can be secured, requiring BASIC username and password authentication, by configuration an authentication provider and setting it as the default for all Attivio webapps, or specifying it on individual webapps. All Attivio webapps also use unencrypted HTTP by default, but this can be modified by enabling HTTPS on webapps via the Jetty configuration.
See Attivio Web Application (webapp) Security for adding username and password authentication to webapps as well as setting up HTTPS encryption.
Also see notes on the Attivio Administrative Users for administrative (root) user access.
Content Security
If content which is ingested in an Attivio index must be secured, then Content Security, via the security module, is required. Using the Attivio Security Model, each document indexed in the system can have an Access Control List (ACL) describing the individuals and groups who have permission to view that document. Each query performs a JOIN between the user's credentials and the ACLs of matching documents. The index engine returns only the documents that the user has permission to view. See Content Security for more details on how document security is configured and how it works.
Accessing Secured SQL Data Sources
If Attivio will be accessing secured SQL Data sources through the JDBC/ODBC client, then the authentication for that data source can be configured by adding an authentication-provider-ref attribute to the fsql:catalogs element in the <project-dir>/conf/features/sqlsdk/SqlModel.index.xml file, with its value set to the name of an Active Directory Authentication Provider, XML Authentication Provider, LDAP Authentication Provider, or custom authentication provider bean. The specified authentication provider will be used to authenticate JDBC and ODBC connections to the project's SQL data.
In this example, the the attribute value "defaultAuthenticationProvider" points to the Active Directory Authentication Provider bean named "defaultAuthenticationProvider" (which is defined in the <project-dir>/conf/bean/defaultAuthenticationProvider.xml file):
<fsql:catalogs defaultCatalog="dynamic" defaultSchema="tables" enabled="true" featureNameSource="index" index="index" jvmOptions="-Xmx1024m" mode="dynamic" authentication-provider-ref="defaultAuthenticationProvider">
Attivio Administrative Users (aieadmin)
By default, Attivio creates one root user called aieadmin with password "attivio". These users have access to all parts of Attivio. See Attivio Administrative Users for more information on this user.
Attivio is only as secure as the network, hardware and operating system security of its environment. Please follow best practices with regard to infrastructure security. For example, in extremely sensitive environments, you should restrict network access to and from any machine running Attivio, in addition to implementing most or all of the Attivio security described below.