Databases
ActivID CMS leverages databases for storing data and configuration information. All sensitive data is encrypted using a key generated and stored in the HSM. (A Hardware Security Module (HSM) securely stores secret key material. HSMs are similar to large-storage, multisession smart cards. However, unlike smart cards, they are used mainly on the server side of a system.) However, it is still important to provide a robust and secure database environment in which ActivID CMS can operate.
It is recommended, where possible, that you use an existing database solution within your organization. This allows you to leverage existing knowledge, change procedures, and change security design across multiple applications. It also provides for the centralized management of all databases.

The following link contains Microsoft security recommendations that apply to the Microsoft SQL Server:

It is recommended that you read and review the following:
- Oracle Security Technology Center documentation regarding best practices for securing the Oracle database server:
  https://docs.oracle.com/database/121/DBSEG/guidelines.htm#DBSEG009
ActivID CMS-Related Security Considerations
After you have applied the recommendations listed in Web Services, it is recommended that you configure ActivID CMS by performing the following tasks:
- Make sure that the ActivID CMS database user can access only the appropriate databases. The user does not have to be System Administrator (SA) on the overall database. The ActivID CMS database user requires only read/write access rights on all ActivID CMS databases.
- Make sure that you do not install or co-locate the database solution on the same system as ActivID CMS. The database must be deployed on a separate system in the network environment.
- For Microsoft SQL, observe the following:
  - Use the latest supported SQL service pack.
  - Use Windows Authentication rather than SQL authentication.
  - Set a strong password for the ActivID CMS database accounts if SQL authentication is used.
  - Make sure that the database traffic between ActivID CMS and the database does not cross insecure networks in an unencrypted state.
  - Configure ActivID CMS to start up in attended mode.
  - Alternatively, configure ActivID CMS to start up in unattended mode with obfuscated passwords.
- For Oracle, observe the following:
  - Configure the Oracle client software on the ActivID CMS system to use encrypted database communication.
  - Set a strong password for the ActivID CMS database accounts.
  - Configure ActivID CMS to start up in attended mode.
  - Alternatively, configure ActivID CMS to start up in unattended mode with obfuscated passwords.
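For the Microsoft SQL Server items above, a database administrator can check the result with a few catalog queries. This T-SQL is an added example, not part of the ActivID CMS documentation; the login name `cms_db_user` is a hypothetical placeholder, and the queries assume the caller can read server state.

```sql
-- Hypothetical login name; replace with the account ActivID CMS actually uses.
DECLARE @cms_login sysname = N'cms_db_user';

-- 1. Patch level: compare against the latest supported service pack.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;

-- 2. Server-level privilege: any row here is a fixed server role held by the
--    CMS login. The login should not appear as a member of sysadmin.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = @cms_login;

-- 3. Authentication type, and password policy if SQL authentication is used.
--    type_desc is WINDOWS_LOGIN or SQL_LOGIN; the policy columns are NULL
--    for Windows logins.
SELECT p.name, p.type_desc, p.is_disabled,
       s.is_policy_checked, s.is_expiration_checked
FROM sys.server_principals AS p
LEFT JOIN sys.sql_logins AS s ON s.principal_id = p.principal_id
WHERE p.name = @cms_login;

-- 4. Database-level roles: run this in each ActivID CMS database and compare
--    the result with the read/write access the account is meant to have.
SELECT DB_NAME() AS database_name, u.name AS db_user, r.name AS db_role
FROM sys.database_principals AS u
JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE u.sid = SUSER_SID(@cms_login);

-- 5. Transport: live connections for the login that are not encrypted.
--    auth_scheme shows SQL versus NTLM/KERBEROS for each connection.
SELECT c.session_id, c.client_net_address, c.net_transport,
       c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.login_name = @cms_login
  AND c.encrypt_option = 'FALSE';
```

Query 4 lists role membership only; permissions granted directly to the user are recorded in `sys.database_permissions`.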