Installation/configuration

Expose only the ports and URIs that are absolutely needed.
All other services should be reachable only from the internal network.

Checklist:

  1. Use port 8443 with SSL/TLS for the Configuration Manager.

    1. Only allow 8443 from localhost and/or dedicated administration machines. Restricting by machine or IP address is configured outside PhenixID; use a network control such as a firewall.
  2. Use port 9443 for the configuration API, when it is used.

    1. Only allow 9443 from localhost and/or dedicated machines, again enforced outside PhenixID with a firewall or similar network control.
  3. Use port 10443 for API authentication, when it is used.

    1. Only allow 10443 from localhost and/or dedicated machines, again enforced outside PhenixID with a firewall or similar network control.
  4. Use port 443 with SSL/TLS for the other web interfaces.

  5. Set /config authentication to LDAP using uid, password and OTP, so that access to the configuration interface requires a second factor.

  6. Always place a web front / reverse proxy, as the only component facing the internet, in front of PhenixID Authentication Services.

  7. To allow or disallow certain URI patterns, add rules to the web front / proxy rather than exposing every URI of PhenixID directly.

  8. For complex configurations that are updated repeatedly or promoted through many stages, use orchestration.

  9. If orchestration is used, the /config authenticator can be removed from HTTP_Authenticators, so that no interactive configuration login remains reachable.

  10. Use a separate disk partition for the PhenixID installation and for its logs, so that log growth cannot fill the system partition.

  11. Set a complex encryption key: long, randomly generated, and not reused from another system.
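As an added example, not part of the PhenixID documentation or product, the following POSIX shell script generates an nftables ruleset that enforces items 1 to 4 and 6 of the checklist on the PhenixID host itself: the three administrative ports 8443, 9443 and 10443 accept connections only from loopback and from a list of dedicated administration hosts, port 443 accepts connections only from the web front / proxy, and everything else is dropped. The admin and proxy addresses (10.0.5.10, 10.0.5.11, 10.0.1.20), the table name phenixid and the function names are assumptions chosen for illustration. An empty admin list deliberately fails closed: the set is declared without elements, so the administrative ports stay unreachable from the network instead of falling open.

```shell
#!/bin/sh
# Added example, not PhenixID code: build an nftables ruleset for a PhenixID
# Authentication Services host. Hypothetical inputs: a space-separated list
# of dedicated admin hosts and the address(es) of the web front / proxy.
# The table name "phenixid" and the function names are illustrative.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
  case "$1" in
    "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  rest=$1.
  n=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    rest=${rest#*.}
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Join a whitespace-separated list into nft's "a, b, c" element syntax.
join_csv() {
  out=""
  for a in $1; do out="${out:+$out, }$a"; done
  printf '%s' "$out"
}

# Emit a named set. An empty list yields a set with no elements, so every
# rule that references it matches nothing and the port stays closed.
emit_set() {
  elems=$(join_csv "$2")
  if [ -n "$elems" ]; then
    printf '  set %s { type ipv4_addr; elements = { %s } }\n' "$1" "$elems"
  else
    printf '  set %s { type ipv4_addr; }\n' "$1"
  fi
}

# phenixid_ruleset ADMIN_HOSTS PROXY_HOSTS -> ruleset text on stdout.
# Returns 1 (and prints nothing) if any address is not valid IPv4, so a
# typo cannot silently produce a ruleset with a gap.
phenixid_ruleset() {
  admin_hosts=$1
  proxy_hosts=$2
  for h in $admin_hosts $proxy_hosts; do
    is_ipv4 "$h" || { echo "invalid IPv4 address: $h" >&2; return 1; }
  done
  printf 'table inet phenixid {\n'
  emit_set admin_hosts "$admin_hosts"
  emit_set proxy_hosts "$proxy_hosts"
  cat <<'EOF'
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    # 8443 Configuration Manager, 9443 config API, 10443 API authentication:
    # loopback (accepted above) and dedicated admin hosts only
    ip saddr @admin_hosts tcp dport { 8443, 9443, 10443 } accept
    # 443 other web interfaces: reachable only through the web front / proxy
    ip saddr @proxy_hosts tcp dport 443 accept
  }
}
EOF
}

# Constructed sample addresses; pipe the output into `nft -f -` to load it.
phenixid_ruleset "10.0.5.10 10.0.5.11" "10.0.1.20"
```

The generated chain has a drop policy and only covers the PhenixID ports, so add your own management rules (for example SSH from the admin hosts) before loading it on a remote machine, and extend it with ip6 rules if the host has IPv6 connectivity. The URI rules of item 7 are a second layer and belong on the web front / proxy, not in this host firewall.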