Security best practices

This section describes recommended practices to improve the security of an OpenKM installation, especially in production environments. It covers protecting sensitive configuration values, securing network communications, and auditing activity within the application.

Password Encryption in openkm.properties

The openkm.properties file may contain several passwords. In a production environment, it is strongly recommended to store these values encrypted rather than in plain text. The most relevant properties are:

Property | Description
spring.datasource.password | Password used to connect to the database.
ldap.manager.password | Password of the user used by OpenKM to connect to the LDAP / Active Directory server, when LDAP integration is enabled.
spring.mail.password | Password of the mailbox account used by OpenKM to send email notifications.

OpenKM provides a built-in utility to encrypt these values, available at Administration > Utilities > Password encryption. This utility must be used to generate the encrypted value that has to be set in openkm.properties, instead of writing the password in plain text. For more details about how to use this utility, see Password encryption.

Secure Communications (TLS/SSL)

All communications with OpenKM should be encrypted using HTTPS. Running the application over plain HTTP in a production environment exposes login credentials, session cookies, and document content to interception on the network. It is strongly recommended to place OpenKM behind a reverse proxy configured with a valid TLS/SSL certificate, so that all traffic between clients and the server is encrypted.

For step-by-step instructions on how to configure this, see Configuring Apache HTTPS Reverse-Proxy.

Auditing and Event Logging

OpenKM provides a complete audit trail of the actions performed within the application. Practically every action performed against the document management repository can be audited, and the level of detail recorded is configurable.

By default, OpenKM already audits the most relevant actions, which covers the most common auditing needs. The default audited actions are:

LOGIN
LOGIN_FAILED
LOGOUT
CREATE_.*
DELETE_.*
PURGE_.*
MOVE_.*
COPY_.*
SEND_MAIL_.*
DOWNLOAD_.*
ADMIN_CONFIG_.*
CHECKOUT_DOCUMENT
CHECKIN_DOCUMENT
GET_DOCUMENT_CONTENT.*
ADD_PROPERTY_GROUP
REMOVE_PROPERTY_GROUP
SET_PROPERTY_GROUP_PROPERTIES

This default level can be increased to audit additional actions if required. For more information about how the activity log works and how to configure the audited actions, see Activity log.
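To decide whether the default level is enough, it helps to check which actions you care about fall outside the default patterns. The following is an added example, not part of OpenKM or its documentation; it assumes each entry is a regular expression matched against the whole action name, and the sample action names are constructed for illustration.

```python
import re

# Default audited action patterns, copied from the list above.
DEFAULT_AUDITED = [
    "LOGIN", "LOGIN_FAILED", "LOGOUT", "CREATE_.*", "DELETE_.*", "PURGE_.*",
    "MOVE_.*", "COPY_.*", "SEND_MAIL_.*", "DOWNLOAD_.*", "ADMIN_CONFIG_.*",
    "CHECKOUT_DOCUMENT", "CHECKIN_DOCUMENT", "GET_DOCUMENT_CONTENT.*",
    "ADD_PROPERTY_GROUP", "REMOVE_PROPERTY_GROUP",
    "SET_PROPERTY_GROUP_PROPERTIES",
]

def matching_pattern(action, patterns=DEFAULT_AUDITED):
    """Return the first pattern that covers the whole action name, or None.

    Assumption: each entry is a regular expression matched against the
    complete action name (re.fullmatch), not a substring search.
    """
    for pattern in patterns:
        if re.fullmatch(pattern, action):
            return pattern
    return None

def audit_coverage(actions, patterns=DEFAULT_AUDITED):
    """Split action names into audited (name -> pattern) and unaudited."""
    audited, unaudited = {}, []
    for action in actions:
        pattern = matching_pattern(action, patterns)
        if pattern is None:
            unaudited.append(action)
        else:
            audited[action] = pattern
    return audited, unaudited

# Constructed sample action names for illustration; not an authoritative
# list of OpenKM actions.
SAMPLE_ACTIONS = [
    "LOGIN_FAILED", "CREATE_DOCUMENT", "GET_DOCUMENT_CONTENT_BY_VERSION",
    "CANCEL_CHECKOUT_DOCUMENT", "GRANT_USER", "SET_DOCUMENT_PROPERTIES",
]

if __name__ == "__main__":
    audited, unaudited = audit_coverage(SAMPLE_ACTIONS)
    for name, pattern in audited.items():
        print(f"audited      {name}  (matched {pattern})")
    for name in unaudited:
        print(f"NOT audited  {name}")
```

Under the whole-name assumption, an exact entry such as CHECKOUT_DOCUMENT covers only that one action, so related actions with a different prefix need their own entry.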

In addition to the application-level audit trail, administrators should also consider enabling auditing at the operating system level (for example, file system access, authentication, and system calls on the server hosting OpenKM). This kind of auditing is independent of OpenKM and must be configured and managed at the operating system level.