Server Bundle Host Security
When installing the server bundle, you will likely want to take steps to secure the installed directories and files so that unauthorized users on the machine do not have access to sensitive information.
Run-as User
You will likely want to create a system user specifically for running the server. This is recommended but not required. If you do, you should change the permissions on the installation directory and all of its included files and directories so that only this user has access to them.
Tomcat Configuration
You should change the Tomcat shutdown password from its default (
SHUTDOWN
) in
$COSMO_HOME/tomcat/conf/server.xml
:
<Server port="8005" shutdown="SHUTDOWN">
If necessary, change the permissions on
server.xml
so that only the user running Tomcat can read and write the file.
Data Store
Even if you choose not to set draconian permissions for the entire installation, you will want to protect your data store. The embedded Derby database is configured by default to store all content on the local filesystem, which could be inspected by external tools while the server is offline. Thus, if the data store is accessible to arbitrary users, they will be able to read data that is otherwise access-restricted.
The best policy is to change the permissions for the
db
directory and all of its contents so that only the user running Tomcat can read and write them.