Since the SAKA uses the Linux operating system, all security settings indicated below pertain to the Linux operating system. A site may supplement the standard Linux capabilities with third-party security tools, if their security policy requires it.
Sites are responsible for ensuring that the addition of third-party tools to the SAKA do not violate the security settings created during system setup. Any reduction in the operating system security of the SAKA can create potential vulnerabilities which void StrongKey's warranty on the appliance.
The Linux firewall, iptables, is configured to only make port 22 (for Secure Shell (SSH)) and port 8181 (for the SAKA EncryptionService) accessible over the network using the Transport Layer Security (TLS) protocol. System Administrators require the use of port 22 for administering the machine remotely, while applications will access the SAKA web service over port 8181. Additionally, ports 7001, 7002, and 7003 are opened selectively between SAKA nodes to enable database replication. Clients outside the SAKA cluster will not be able to access these ports. All other ports, including the Internet Control Message Protocol (ICMP), are blocked from the machine. The denial of ICMP traffic implies that the SAKA server cannot even be pinged on the network. Network Administrators will need to determine if port 8181 is accessible to check for network connectivity to the appliance.
The SAKA installation process creates some application accounts, but locks all accounts not necessary for the administration of the appliance. This minimizes user access to the Linux operating system from the console or remotely over SSH to just two administrative accounts—root and strongauth.
Please consult Linux documentation for how to enhance the security of your appliance above and beyond what is provided in the base installation.