I've been really quiet lately, not on purpose - things have been busy at work.
This is a quick post on making JD Edwards available on the internet - securely!
First things first edit the front page to not be picked up by google crawlers... If you don't, people like me will google e1menu.maf and find results like this:
xxxx - I don't want to list them out
and more and more...
you gotta follow this: https://support.google.com/news/publisher-center/answer/9605477?hl=en to stop google and a few others.
But, this is not really really secure. I must admit I have a couple of tricks that would have me logging into most publicly available JD Edwards instances pretty quick (most).
okay, so my advice to you is - do NOT do this. You need to do more.
A couple of nice options (depending on your architecture) are:
or
These are a couple of cloud options for forcing a credential check (based upon your LDAP) before getting the JD Edwards login page. Basically it's a challenge before you even get access to the internal JD Edwards ports. I think that this is a good idea unless you are super confident in your security practices.
I like the Azure one, it's really easy to get going with your Azure tenancy (generally O365 will allow it) and you can do an MFA challenge if you want to.
This allows you to quickly and easily publish a URL to your staff for remote JD Edwards access - they'll do a couple of logins - but they'll be in! And you'll feel more secure for it.
Note that shortcuts are not going to work, as they are defined to use the "known" URL, and you'll be using some sort of "proxy" url. Again, you can fix this with a more complicated implementation of the same.
If you are on AWS, then there is no denying that the WAP-ADFS is teh way forward for you. This will integrate directly with your ELB's and you can have it up and running in no time (well, in no time if you have a DC or access to your directory in your AWS tenancy).
Also remember that fusion5 have a product that allows you SSO capabilities using Azure Directory services. The cool thing here is that you can define the security challenge based upon the device, network, user and more. This allows you to force MFA when logging into JDE over the internet. Therefore if you do your homework on stopping the crawlers and you have an MFA challenge - you are in a pretty good place if you patch weblogic and JDE.
Stay safe during these challenging times with respect to COVID-19. Encourage flexibility in work conditions. If you need to manage and monitor JD Edwards usage - we can certainly help out there too. https://www.fusion5.com.au/solutions/enterprise-resource-planning/jd-edwards/erp-analytics/
Subscribe to:
Post Comments (Atom)
-
There are a heap of instructions of what you need to change if you change the IP address of your weblogic server, but I find they are not co...
-
I need to support long usernames for a 8.98.1.1 site via MAD LDAP. I’m thinking that I can get the collaborative portal to do the full leng...
-
If you want to change this, there is a lot of BS on the internet, something like – change the startup parameters and add this… XX:MaxPermSi...
No comments:
Post a Comment