The following is a basic set of hardening guidelines for Business Service Insight. This list is by no means complete.
The Oblidbadmin account is needed only for upgrading Business Service Insight and installing patches, so you can disable and enable this account as and when required.
For websites, see the steps below; these detailed instructions can also be found in the BSI Admin Guide under the header “Enable Content Transfer for SSL”.
Configure the JBOSS Server
Valid for JBOSS 7.1.1
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
        <ssl name="SSL_NAME" password="SSL_PASSWORD" protocol="TLSv1" key-alias="SSL_ALIAS" certificate-key-file="${jboss.server.config.dir}/key.keystore" />
    </connector>
    ...
</subsystem>
Note: For the key file path, use either the absolute path or the system properties. The default location is $JBOSS_HOME/standalone
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">
    <socket-binding name="https" port="8443"/>
</socket-binding-group>
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
    <cross-domain-access>
        <policy>
            <allow-from http-request-headers="*">
                <domain uri="http://*" />
                <domain uri="https://*" />
            </allow-from>
            <grant-to>
                <resource path="/" include-subpaths="true"/>
            </grant-to>
        </policy>
    </cross-domain-access>
</access-policy>
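The following Python audit is an added example, not part of the BSI documentation. It parses the connector and cross-domain policy fragments shown above and reports the settings a reviewer would question. The weak-protocol list and the rule that a keystore password should be a ${...} expression rather than a literal are assumptions of this example.

```python
import xml.etree.ElementTree as ET

WEB = "{urn:jboss:domain:web:1.1}"
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumption: versions this audit treats as weak

# Fragments copied from the page; SSL_NAME, SSL_PASSWORD and SSL_ALIAS are its placeholders.
CONNECTOR = """<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
<ssl name="SSL_NAME" password="SSL_PASSWORD" protocol="TLSv1" key-alias="SSL_ALIAS" certificate-key-file="${jboss.server.config.dir}/key.keystore" />
</connector>
</subsystem>"""
POLICY = """<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="*"><domain uri="http://*" /><domain uri="https://*" /></allow-from>
<grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

def audit_connector(xml_text):
    """Return findings for every https connector in a web subsystem fragment."""
    out = []
    for conn in ET.fromstring(xml_text).iter(WEB + "connector"):
        if conn.get("scheme") != "https":
            continue
        name = conn.get("name")
        if conn.get("secure") != "true":
            out.append(f"{name}: secure is not 'true'")
        ssl = conn.find(WEB + "ssl")
        if ssl is None:
            out.append(f"{name}: https connector has no <ssl> element")
            continue
        weak = [p.strip() for p in (ssl.get("protocol") or "").split(",") if p.strip() in WEAK]
        if weak:
            out.append(f"{name}: weak protocol {','.join(weak)}")
        # Assumption: a literal password in the file is a finding; a ${...} expression is not.
        if not (ssl.get("password") or "").startswith("${"):
            out.append(f"{name}: keystore password is a literal, not a ${{...}} expression")
    return out

def audit_policy(xml_text):
    """Return findings for a cross-domain access policy."""
    out = []
    for pol in ET.fromstring(xml_text).iter("policy"):
        wild = [d.get("uri") for d in pol.iter("domain") if d.get("uri") in ("*", "http://*", "https://*")]
        whole = any(r.get("path") == "/" and r.get("include-subpaths") == "true" for r in pol.iter("resource"))
        if wild and whole:
            out.append(f"any origin ({', '.join(wild)}) is granted the whole site")
    return out

if __name__ == "__main__":
    print("\n".join(audit_connector(CONNECTOR) + audit_policy(POLICY)))
```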
Configure IIS
Configure the Website
For ACE2, you can disable Tomcat on the APP server.
For firewalls, refer to the “Admin Guide”: https://docops.ca.com/ca-business-service-insight/8-3-5/en/installation/communication-protocols-overview