Security Aspects of the eG Manager Architecture

The eG manager is now more secure than ever before, and this is why:

• Use of Tomcat 10 and OpenJDK 17: Tomcat 10 and OpenJDK 17 are built with tight security features. Since eG manager is bundled with Tomcat 10 and OpenJDK 17, it leverages these features and thus strengthens its security framework.
• SSL support for eG manager: You can SSL-enable the eG manager, so that all communications between users/agents and the eG manager happen over secure HTTPS connections.
• Support for TLS v1.2: After the POODLE vulnerabilities that were discovered recently, even the latest version of SSL – SSL v3.0 – has been declared as insecure for web sites using it. To ensure that the communication between a browser client (Chrome, Firefox, or IE) and an SSL-enabled eG manager is fully secure and encrypted, the Transport Layer Security (TLS) v1.2 has been enabled by default for the eG manager.
• Inclusion of default ciphers: A cipher is any method of encrypting text (concealing its readability and meaning). Cipher suite is a concept used in Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol. It is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings. When a TLS connection is established, a handshaking, known as the TLS Handshake Protocol, occurs. Within this handshake, the client sends a list of the cipher suites that it supports, in order of preference. Then the server replies with the cipher suite that it has selected from the client's list. Recent versions of Firefox and Chrome reject HTTPS requests to a web application, if these requests do not contain the strong Cipher Suite definitions they expect. In other words, if users try to connect to an SSL-enabled web site/web application using the latest version of Firefox or Chrome, then the handshake between the browser client and that application will fail, if the application is not configured with the strong Cipher Suite definitions these browsers support. To avoid this, by default, the eG manager includes a strong Cipher Suite definition providing A+ security.

• Security filters are enabled by default: The eG manager is pre-hardened against many of the security threats that OWASP's report warns web application developers/architects of. To know more about these filters, refer to the Security Filters topic .

In addition to the above, you can further strengthen the security of the eG Enterprise solution by enabling one/more optional security features. These are as follows:

• Two-Step Verification
• SAML Enablement for Single Sign-On
• Password Policy
• Account Lockout
• Administration Policy
• Audit Logging