Please follow these best practices:
- Lock down access by creating an ACL or Security Group that blocks access from the Internet, so that only the hosts that need to reach the proxy and its management interface can do so
- Create a read-only user for developers who only need to view logs for monitoring, rather than sharing the admin account
- Set the admin password to a strong, unique password
- If you want the actual SQL query text stripped from the logs, set the VDB setting "paranoia" to true
- Proxy authentication: when proxy authentication is disabled for Postgres and SQL Server, password passthrough is enabled, so the database itself authenticates each client's password. This is not possible for MySQL, because MySQL's authentication is a challenge/response exchange in which the client sends a hash of its password, so the proxy never holds a password it could pass through. With authentication disabled, the MySQL proxy therefore simply connects using the data source's configured username and password, and the client's own credentials are not checked by the database. Do not disable it for MySQL unless network access to the proxy is already restricted as described above.
- Lock down the interface with HTTPS:
To enable HTTPS, run the following on the Linux command line (this generates a self-signed certificate in a PKCS12 keystore; when prompted for the keystore password, use "heimdall"). Answer the "first and last name" prompt with the host name clients will use to reach the proxy, since that value becomes the certificate's CN:

    keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore /opt/heimdall/keystore.p12 -validity 3650
    Enter keystore password: <use "heimdall">
    Re-enter new password:
    What is your first and last name?
      [Unknown]:
    What is the name of your organizational unit?
      [Unknown]:
    What is the name of your organization?
      [Unknown]:
    What is the name of your City or Locality?
      [Unknown]:
    What is the name of your State or Province?
      [Unknown]:
    What is the two-letter country code for this unit?
      [Unknown]:
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes

Once done, restart the Heimdall server; port 8443 will then serve HTTPS.
A self-signed certificate encrypts the connection but cannot be validated by browsers or API clients, so they will warn until the certificate is explicitly trusted or replaced. To use a certificate issued by your own CA instead, import it into the same keystore (alias "tomcat", same password); see the keytool man page for the import options. Because the keystore password is fixed by these instructions rather than chosen by you, treat the keystore file itself as sensitive and restrict its file permissions to the account the Heimdall server runs as.
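The HTTPS keystore steps above, scripted so they run without interactive prompts and can be reviewed before use. This is an added example, not code from the Heimdall documentation or product: the keystore path, the alias "tomcat" and the password "heimdall" follow the page, while the host name, the key/certificate file names and the service account name are assumed placeholders to replace with your own. It also goes slightly beyond the page by adding a Subject Alternative Name to the self-signed certificate and by using openssl to bundle an existing key and certificate, since keytool cannot import a bare private key.

```shell
#!/bin/sh
# Added example (not from the Heimdall docs): non-interactive versions of the
# HTTPS keystore steps. Path, alias and password follow the page; host name,
# file names and the service account are assumed placeholders.

KEYSTORE="${KEYSTORE:-/opt/heimdall/keystore.p12}"
STOREPASS="${STOREPASS:-heimdall}"   # password the page tells you to use
ALIAS="tomcat"

# Self-signed certificate (the page's keytool command). -dname answers the
# prompts so the CN is the real host name instead of "Unknown", and -ext SAN
# adds a Subject Alternative Name, which browsers and most TLS clients require
# before they will consider trusting the certificate at all.
gen_self_signed() {
    host="$1"
    keytool -genkeypair -alias "$ALIAS" -storetype PKCS12 -keyalg RSA -keysize 2048 \
        -validity 3650 -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$host, OU=Unknown, O=Unknown" \
        -ext "SAN=dns:$host"
}

# CA-issued certificate. keytool only imports whole keystores, not a private
# key on its own, so build the PKCS12 with openssl: key + leaf cert (+ chain
# if you have one) under the alias the server will look up. With OpenSSL 3 and
# an old JDK that cannot read the default PKCS12 encryption, add -legacy.
import_existing() {
    key="$1"; cert="$2"; chain="${3:-}"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -name "$ALIAS" -inkey "$key" -in "$cert" \
            -certfile "$chain" -out "$KEYSTORE" -passout "pass:$STOREPASS"
    else
        openssl pkcs12 -export -name "$ALIAS" -inkey "$key" -in "$cert" \
            -out "$KEYSTORE" -passout "pass:$STOREPASS"
    fi
}

# Check that the keystore holds the alias the server will use. Returns 0 if it
# is present, non-zero if the file or alias is missing or the password is wrong.
keystore_has_alias() {
    keytool -list -keystore "$KEYSTORE" -storetype PKCS12 \
        -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1
}

# The keystore password is public (it is in the instructions), so file
# permissions are what actually protect the private key: owner-only, owned by
# the account the server runs as. That account is not named on the page.
restrict_keystore() {
    owner="$1"
    chown "$owner" "$KEYSTORE"
    chmod 600 "$KEYSTORE"
}

# Usage (host name and service account "heimdall" are assumptions):
#   gen_self_signed proxy.internal.example && restrict_keystore heimdall
# or, with a CA-issued certificate:
#   import_existing server.key server.crt chain.crt && restrict_keystore heimdall
# then restart the Heimdall server as the page describes so port 8443 picks it up.
```

Passing -storepass on the command line exposes the password in the process list; that is acceptable only because the page already fixes the password, which is exactly why the chown/chmod step matters more than the password does.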