Secure the server
You can set up secure communication between clients and servers as well as between servers.
- Communication between clients and servers can be secured using the SSL protocol, which you specify when connecting to the server. See SSL encrypted connections.
  Communication between clients and servers can also be secured using a firewall. For more information, see Firewalls.
- User authentication can be done using passwords or tickets, and the strength of the password can be defined by an administrator. Users can be authenticated against an Active Directory or LDAP server, or against an internal Helix Core Server user database. See Authentication options.
- Access is defined using "protections" that determine which Helix Core Server commands can be run, on which files, by whom, and from which host. See Access authorization.
- Communication between servers in a multi-server environment can be secured using a "trust file", and by setting "protections" for the service users that own the different servers in the environment. For more information, see Create commit and Edge Server configurations.
Before you can configure access and authentication, you must create users as described in Users.
Recommended configurable settings for security
After installing Helix Core Server, it is good practice to set the following configurables:
Purpose | Configurable | Value |
---|---|---|
For each user's initial password: ensure that only users with the super access level, and whose password is already set, can set an initial password. | dm.user.setinitialpasswd | 0 |
Require ticket-based authentication. | security | 3 or 4 |
Force new users that you create to reset their passwords. | dm.user.resetpassword | 1 |
Prevent the automatic creation of new users. | dm.user.noautocreate | 1 or 2 |
Hide sensitive information from unauthorized users of p4 info. | dm.info.hide | 1 |
Hide user details from unauthenticated users. | run.users.authorize | 1 |
Hide that an authentication failure is due to the username being incorrect. | dm.user.hideinvalid | 1 |
Hide information contained in 'keys' from those who lack admin access. One use case is Hiding Swarm storage from regular users. | dm.keys.hide | 2 |
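To check a running server against the table above, the following added example (not part of the original documentation) audits the output of `p4 configure show`. It assumes that output has one `name=value (source)` line per setting, and it reports a configurable that is missing from the output as UNSET rather than guessing the server default. The names `audit_configurables`, `RECOMMENDED` and `SAMPLE` are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Recommended values from the table above; "|" separates acceptable alternatives.
RECOMMENDED="dm.user.setinitialpasswd=0 security=3|4 dm.user.resetpassword=1 \
dm.user.noautocreate=1|2 dm.info.hide=1 run.users.authorize=1 \
dm.user.hideinvalid=1 dm.keys.hide=2"

# audit_configurables: reads `p4 configure show` output on stdin (assumed format:
# "name=value (source)"), prints one line per recommended configurable, and
# returns non-zero if any of them is unset or has a value outside the table.
audit_configurables() {
    awk -v rec="$RECOMMENDED" '
        BEGIN {
            n = split(rec, rows, " ")
            for (i = 1; i <= n; i++) { split(rows[i], f, "="); order[i] = f[1]; want[f[1]] = f[2] }
        }
        # Name is the text before the first "="; value runs up to the first blank.
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            sub(/[ \t].*$/, "", val)
            if (name in want) have[name] = val
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) { printf "UNSET %s (want %s)\n", k, want[k]; bad++ }
                else if (have[k] !~ ("^(" want[k] ")$")) { printf "WEAK  %s=%s (want %s)\n", k, have[k], want[k]; bad++ }
                else { printf "OK    %s=%s\n", k, have[k] }
            }
            exit (bad > 0)
        }'
}

# Constructed sample of `p4 configure show` output, not taken from a real server.
SAMPLE='P4ROOT=/opt/perforce/root (-r)
security=2 (configure)
dm.user.noautocreate=2 (configure)
dm.info.hide=1 (configure)
dm.keys.hide=2 (configure)'

# Against a live server, run instead: p4 configure show | audit_configurables
printf '%s\n' "$SAMPLE" | audit_configurables || echo "settings differ from the recommended values"
```
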
Programmatic security
The Helix Core Downloads include APIs for C++ and various scripting languages. When writing programs that communicate with Helix Core Server, consider using the appropriate supported API for both security and runtime efficiency, rather than a wrapper around the p4 command-line client executable.