
Containers

HCL Digital Experience 9.5 and later releases ship Docker images, all of which are based on the Red Hat Universal Base Image (UBI) and are built to run as a non-root user.

Container deployments can improve security, particularly with respect to physical security, availability, key management services, and CI/CD.

If you plan to deploy one or more of these, then consider the following –

  • Trust boundaries & responsibilities:

    • When moving from a traditional on-premises deployment to a hybrid or fully containerized deployment, clearly delineate who is responsible for what.

    • Verify with the cloud service provider exactly which security responsibilities it assumes – do not infer the scope of its role from marketing material or assume it covers a control.

    • Agree on responsiveness criteria with the service provider (for example, how quickly it notifies you of incidents affecting your resources and how quickly it responds to support requests).

  • Establish a procedure for asset management. In cloud environments, the simplicity of provisioning comes at a cost – provisioned resources may be forgotten, creating a larger attack surface. Ensure that assets are decommissioned when they are no longer needed.

  • These images ship with the default administrator ID and password in the file-based repository. Change the Portal and WebSphere Application Server administrative IDs and passwords so that they are not the defaults. Refer to the Odds and Ends section regarding recommendations against using the file-based repository in production.

  • Consider routing external requests for sensitive URLs, such as the IBM WebSphere Application Server Integrated Solutions Console, the Configuration Wizard, and the API explorer, to an error response, to guard against platform profiling, probing, brute-force password attacks, and similar. One option is to add an ingress rule that denies these paths from outside the cluster – refer to the instructions on configuring ingress and to external documentation on ingress rules.

  • The HCL Digital Experience Operator container is used only with version 9.5 for Red Hat OpenShift deployments; follow the Red Hat OpenShift security best practices to ensure a secure deployment.

    • Basics

    • As with other fundamental technologies, the recommendations in this guide are not comprehensive. Independently research security hardening guidelines for Red Hat OpenShift.

  • Set cspFrameAncestorAllowedSourceURLs to guard against clickjacking attacks, so that the Content-Security-Policy frame-ancestors directive restricts which origins may embed DX pages in a frame.

  • Set the SameSite cookie attribute for added protection of DX Core cookies against cross-site request forgery.

  • Configure the HCL Digital Experience API to connect to HCL Portal via HTTPS so that credentials and session cookies are not sent in clear text between the two components.

  • For more information on container security, start here and continue researching independently.
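The following script is an added example, not part of the HCL Digital Experience documentation or product: it audits a deployment against three of the items in the list above (sensitive URLs blocked by an ingress rule, a frame-ancestors directive present, SameSite set on cookies) by inspecting an HTTP response head. The checks operate on captured response text, so they can be run offline; `fetch_head` is the only network call. The hostname dx.example.com and the admin paths /ibm/console, /ibm/wizard and /dx/api/explorer are assumptions for illustration, as are the two constructed sample responses; verify the real paths against your release before relying on the list.

```shell
#!/usr/bin/env bash
# Added example (not HCL code): audit a DX response head for the hardening items above.
set -u

# Paths that should not be reachable from outside the cluster (assumed; adjust per release).
SENSITIVE_PATHS="/ibm/console /ibm/wizard /dx/api/explorer"

# Fetch the status line and headers of one URL from a live deployment.
fetch_head() {  # $1 = URL, e.g. https://dx.example.com/ibm/console (assumed host)
  curl -sS -o /dev/null -D - --max-time 10 "$1"
}

# Print the HTTP status code from a captured response head.
status_of() {  # $1 = response head (text)
  printf '%s\n' "$1" | awk 'NR==1 && $1 ~ /^HTTP\// {print $2; exit}'
}

# 0 if a Content-Security-Policy header with a frame-ancestors directive is present
# (what cspFrameAncestorAllowedSourceURLs is intended to produce), else 1.
has_frame_ancestors() {  # $1 = response head
  printf '%s\n' "$1" | grep -iq '^content-security-policy:.*frame-ancestors'
}

# 0 if every Set-Cookie header carries a SameSite attribute, else 1.
cookies_have_samesite() {  # $1 = response head
  local cookies
  cookies=$(printf '%s\n' "$1" | grep -i '^set-cookie:' || true)
  [ -z "$cookies" ] && return 0          # no cookies set: nothing to check
  ! printf '%s\n' "$cookies" | grep -iv 'samesite=' | grep -q .
}

# Audit one captured response for the path it was requested from.
# Prints one line per finding; the return value is the number of findings (0 = clean).
audit_response() {  # $1 = request path, $2 = response head
  local path="$1" head="$2" findings=0 code p
  code=$(status_of "$head")
  for p in $SENSITIVE_PATHS; do
    if [ "$p" = "$path" ] && [ "$code" != "403" ] && [ "$code" != "404" ]; then
      echo "FAIL $path: sensitive URL reachable from outside (HTTP $code); add an ingress deny rule"
      findings=$((findings + 1))
    fi
  done
  if ! has_frame_ancestors "$head"; then
    echo "FAIL $path: no frame-ancestors directive (clickjacking); set cspFrameAncestorAllowedSourceURLs"
    findings=$((findings + 1))
  fi
  if ! cookies_have_samesite "$head"; then
    echo "FAIL $path: Set-Cookie without SameSite attribute"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample responses (not captured from a real system) to exercise the checks.
DEFAULT_HEAD=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0000abc; Path=/; HttpOnly
EOF
)
HARDENED_HEAD=$(cat <<'EOF'
HTTP/1.1 403 Forbidden
Content-Security-Policy: frame-ancestors 'self' https://portal.example.com
Set-Cookie: JSESSIONID=0000abc; Path=/; Secure; HttpOnly; SameSite=Strict
EOF
)

# Stand-alone demo: the default-looking response trips all three checks, the hardened one passes.
# Against a live host: audit_response /ibm/console "$(fetch_head https://dx.example.com/ibm/console)"
audit_response /ibm/console "$DEFAULT_HEAD" || echo "findings: $?"
audit_response /ibm/console "$HARDENED_HEAD" && echo "/ibm/console: hardened"
```

Run the audit against every sensitive path and against a normal portal page (where only the header checks apply). The script verifies the outcome rather than configuring it: the deny rule itself belongs in the ingress (for the NGINX ingress controller, for example, a `server-snippet` annotation returning 403 for the admin locations), and whether the API-to-Portal connection uses HTTPS is an internal setting that no external response reveals, so check it in the configuration directly.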