Recommendations and Information for Requirement 2.1
- Change the default iWay Service Manager (iSM) Administrative Console credentials or enable the integration with external role or user management systems such as AD/LDAP, which can be used for authentication and authorization for the iSM Console.
Recommendations and Information for Requirement 2.2.1
- Develop applications using a modular approach so that different applications can be deployed with different security models and with access to different systems.
- Modular development of applications and segregation of business functions into separate applications ensure that if a security model needs to be updated, only the relevant applications and their business functions are impacted.
Recommendations and Information for Requirements 2.2.2, 2.2.3, and 2.2.4
- Secure the iSM Administrative Console by enabling HTTPS access and defining Access Control Lists for user management.
- Ensure that any application logic utilizing externally visible protocols such as HTTP, SOAP, AS2, and queuing protocols has proper security settings in place.
- Keep the relevant security files, such as Keystores, Truststores, and others, in a secure location accessible only to Security personnel.
- Ensure that all system access credentials are accessible only by authorized users during the development life cycle.
Recommendations and Information for Requirement 2.2.5
- In a production environment, an iWay application does not require any other iWay component to run. It is a self-contained application that runs in a Java process. For Windows Services, it can run as either an in-Java process or an out-of-Java process.
- Production iWay applications should not contain any test jars, unnecessary scripts, or any third-party components, unless they are required for an application to run and execute business logic.
- Production applications should not contain any properties files that were used during development to store and retrieve configuration values. Production applications should be packaged with production-level properties files and any other relevant configuration properties. The values in the properties files can be encrypted for storage.
- Production applications should be deployed with a proper deployment template, which contains the definition for any external connectivity to the systems.
- The minimum environment requirement for an iWay application to run is Java Virtual Machine version 8.
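The packaging rules above can be checked automatically before a release. The following is an added example, not iWay tooling or code from this guide; it assumes the deployable package is a zip-format archive, and the file-name patterns, the `ENC(` marker for encrypted values, and the sample package are all hypothetical and constructed for illustration.

```python
import fnmatch
import io
import zipfile

# Assumed naming conventions (hypothetical); adapt them to your own build.
RULES = {
    "test jar": ["*junit*.jar", "*mockito*.jar", "*-test.jar", "*-tests.jar"],
    "script": ["*.sh", "*.bat", "*.cmd", "*.ps1"],
    "development properties": ["*dev*.properties", "*test*.properties"],
}
SECRET_KEYS = ("password", "passwd", "secret")
ENCRYPTED_PREFIX = "ENC("  # assumed marker for a value encrypted for storage

def audit_package(data):
    """Return (path, issue) findings for a zip-format application package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            label = next((lbl for lbl, pats in RULES.items()
                          if any(fnmatch.fnmatch(base, p) for p in pats)), None)
            if label:
                findings.append((name, label))
            if not base.endswith(".properties"):
                continue
            # Only key=value lines are parsed; '#' and '!' start comments.
            for line in zf.read(info).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line[0] in "#!" or "=" not in line:
                    continue
                key, value = (part.strip() for part in line.split("=", 1))
                if (any(s in key.lower() for s in SECRET_KEYS) and value
                        and not value.startswith(ENCRYPTED_PREFIX)):
                    findings.append((name, "plaintext value for " + key))
    return findings

def build_sample_package():
    """Constructed sample package; every file name and value is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/app-logic.jar", b"")
        zf.writestr("lib/junit-4.13.jar", b"")
        zf.writestr("bin/reset-queues.sh", "#!/bin/sh\n")
        zf.writestr("config/app-dev.properties", "db.url=jdbc:example\n")
        zf.writestr("config/app.properties",
                    "db.user=svc\ndb.password=hunter2\nmq.password=ENC(abc123)\n")
    return buf.getvalue()

if __name__ == "__main__":
    for path, issue in audit_package(build_sample_package()):
        print(path + ": " + issue)
```

Run as a release gate, a non-empty findings list means the package still carries development artifacts or an unencrypted credential and should not be promoted to production.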
Recommendations and Information for Requirements 2.3 and 2.5
- Deployed iWay applications do not require external access, except for monitoring purposes.
- The iWay Service Manager Administrative Console used for monitoring applications should be HTTPS-enabled.
- The defaults for iSM Administrative Console access are documented and should be changed by the user.