Domibus Secure Deployment Recommendations
Introduction
This page provides essential guidelines and best practices for ensuring a secure and robust deployment of the Domibus Access Point.
These recommendations cover the key aspects of deploying Domibus securely: system architecture, network configuration and access control. Organisations that follow them reduce the exposed attack surface of their Domibus deployments and limit the impact of a vulnerability in any single component.
Starting on 1 May 2024, the eDelivery team will assume that these recommendations are followed when assessing the impact of security vulnerabilities on a Domibus deployment.
Recommendations
Figure 1 gives an overview of a typical Tomcat deployment topology and Figure 2 of a typical WebLogic or WildFly deployment topology.
In particular:
- None of the components in the private network should be reachable directly from the internet.
- Restrict access to each component to the specific ports it needs, and only from the components that are known to talk to it. For example, with the default ports, a Domibus instance should accept incoming traffic only from the load balancer, on port 7001 for WebLogic or 8080 for Tomcat/WildFly, and the database should accept incoming traffic only from the Domibus instances, on port 1521 for Oracle or 3306 for MySQL.
- Implement a web application firewall before the load balancer to filter and monitor incoming HTTPS traffic from the internet.
- Implement a load balancer to balance the traffic between Domibus instances.
- Either block access completely, or allow it only from your organisation's network, to the following resources:
  - The Domibus Admin Console: /domibus
  - The plugin interfaces. Block a plugin's interface entirely if that plugin is not used; otherwise allow access to it only from the backend system(s) connected to the Domibus instance:
    - new WS plugin: /domibus/services/wsplugin
    - old WS plugin: /domibus/services/backend
    - JMS plugin: the JMS broker port(s)
    - file system plugin: the shared file system
    - custom plugins: plugin dependent
  - The Domibus REST services: /ext
- Only the MSH endpoint, /domibus/services/msh, should be accessible from the internet.
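The following load balancer configuration is an added example of how the per-path rules above can be enforced in front of a Tomcat or WildFly cluster; it is not part of the eDelivery documentation or the Domibus distribution. The addresses are assumptions for illustration: two Domibus instances at 10.10.1.11 and 10.10.1.12 listening on 8080, the organisation's network at 192.0.2.0/24, and the backend systems that call the WS plugin at 10.10.2.0/24. The paths are the ones listed above; if your deployment mounts the REST services or plugins under a different context path, change the `location` prefixes accordingly.

```nginx
# Added example (not from the eDelivery pages): nginx as the load balancer in
# front of a Domibus cluster, exposing only the MSH endpoint to the internet.
# Assumed addresses: Domibus instances 10.10.1.11/.12 on port 8080,
# organisation network 192.0.2.0/24, connected backend systems 10.10.2.0/24.

upstream domibus_cluster {
    # The instance hosts should firewall port 8080 so that only this load
    # balancer can reach it; nginx only chooses between the listed members.
    server 10.10.1.11:8080;
    server 10.10.1.12:8080;
}

server {
    listen 443 ssl;
    server_name ap.example.org;                       # assumed host name
    ssl_certificate     /etc/nginx/tls/ap.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/ap.example.org.key;

    # nginx picks the longest matching prefix location, so the specific
    # paths below take precedence over the catch-all "/domibus" and "/".

    # MSH endpoint: the only path other Access Points (the internet) may use.
    location /domibus/services/msh {
        proxy_pass http://domibus_cluster;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # New WS plugin: only the backend systems connected to Domibus.
    location /domibus/services/wsplugin {
        allow 10.10.2.0/24;
        deny all;
        proxy_pass http://domibus_cluster;
        proxy_set_header Host $host;
    }

    # Old WS plugin: replace the allow line with nothing (leaving "deny all")
    # if this plugin is not used in your deployment.
    location /domibus/services/backend {
        allow 10.10.2.0/24;
        deny all;
        proxy_pass http://domibus_cluster;
        proxy_set_header Host $host;
    }

    # REST services: organisation network only.
    location /ext {
        allow 192.0.2.0/24;
        deny all;
        proxy_pass http://domibus_cluster;
        proxy_set_header Host $host;
    }

    # Admin Console and anything else under the Domibus context path:
    # organisation network only.
    location /domibus {
        allow 192.0.2.0/24;
        deny all;
        proxy_pass http://domibus_cluster;
        proxy_set_header Host $host;
    }

    # Nothing else is intentionally exposed.
    location / {
        return 404;
    }
}
```

Two points to check after applying a configuration like this. First, the path rules only help if the Domibus instances themselves are not reachable around the load balancer, so the host firewall on each instance must still limit port 8080 (or 7001) to the load balancer's address, and the database must limit 1521 or 3306 to the instances. Second, verify from a host outside the organisation that a request to /domibus or /ext is refused (nginx answers 403) while /domibus/services/msh is proxied; a 200 on the Admin Console from the internet means the allow-list is not in effect.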
Contact
For more information, please contact us via our portal or by e-mail: EC-EDELIVERY-SUPPORT@ec.europa.eu.