Some deployments may choose to retain the administrator user for emergency purposes. In that case the administrator account should be set up with a very strong random password. Such a password should be stored in a secure location and used only for emergency operations.
When midPoint starts using the default configuration, it starts with an embedded H2 database engine. This database engine is provided for convenience only. The H2 database is not meant to be used for production or for any other purpose that is security-sensitive in any way.
The goal of the H2 database is to make it easy for users to familiarize themselves with midPoint. It is meant for demonstrations, experiments and other non-critical purposes that do not involve any sensitive data. The default setup of the H2 database strongly prefers convenience over security. For example, the H2 database port is exposed to all network nodes, which allows easier diagnostics and visibility into H2 database structures.
Use the embedded H2 database at your own risk only. We do not guarantee any security, reliability or any other quality when using the embedded H2 database.
Do not store any sensitive data in the embedded H2 database. Do not use the H2 database in unprotected network environments.
One of the usual responsibilities of an IDM system is to manage credentials, including passwords. MidPoint is an IDM system and, naturally, there is a password management component in midPoint. But being an IDM system, password management in midPoint is much more complex than the password management of an ordinary application. MidPoint does not manage a password just for itself; it manages passwords for other applications. And that is where a problem arises. It is easy to set up new accounts in a "big bang" provisioning case: a new user is created in midPoint, a new password is generated, and that password is used to create the new accounts at that very moment. But there is a problem if a new account has to be created later, for example when a user is assigned a new role which requires a new account to be created. In that case we no longer have the user's cleartext password, so we cannot use it when creating the new account.
Some expression security can be achieved by using expression profiles. However, the usefulness of this feature is currently limited. See the Expression Profile Configuration page for details. Please consider using a platform subscription to fund the full implementation of expression profiles.
A stand-alone deployment of midPoint is supposed to expose only HTTP port 8080 by default. Other ports (e.g. the H2 database port) may be exposed as well, depending on midPoint configuration and customization.
MidPoint is not supposed to be directly exposed to an unprotected network. It is assumed that additional network protection will be applied, such as an HTTP/HTTPS reverse proxy. Many midPoint deployments will benefit from clustering mechanisms and will therefore be multi-node deployments, so some form of HTTP/HTTPS reverse proxy is expected anyway, e.g. in the form of a network load balancer.
Due to operating system security reasons and limitations of the Java platform, midPoint listens on port 8080 by default. This is usually not the desired solution, as ports 80 and 443 are usually expected. This is yet another reason for using a network security component in front of midPoint.
See also Ports 80 and 443.
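As an added example (not part of midPoint or its documentation), the following Python script audits which listening sockets on a host are reachable from the network, the check a practitioner would run before placing a midPoint node behind a reverse proxy. The `ss -ltn` sample is constructed, and the H2 port shown is H2's default, which a deployment may configure differently.

```python
"""Audit listening TCP sockets against an allow-list of ports.
Added example (not midPoint code): parses `ss -ltn` output and reports every
socket bound to a non-loopback address whose port is not expected, so an
unintentionally exposed port (e.g. the embedded H2 TCP port) is noticed early.
"""
import ipaddress

# Constructed sample of `ss -ltn` output. Port 8080 is midPoint's default
# HTTP port; 9092 is H2's default TCP port (assumption: a midPoint
# deployment may configure a different H2 port); 22 stands for sshd.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       4096    *:8080               *:*
LISTEN  0       50      0.0.0.0:9092         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       4096    [::1]:5005           [::]:*
"""
def _split_local(local):
    """Split 'addr:port' as printed by ss; handles [v6]:port and *:port."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)

def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; '*' means any address."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def exposed_listeners(ss_output, allowed_ports):
    """Return sorted (host, port) pairs reachable from the network but not allowed."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = _split_local(fields[3])
        if not is_loopback(host) and port not in allowed_ports:
            findings.add((host, port))
    return sorted(findings, key=lambda hp: (hp[1], hp[0]))

if __name__ == "__main__":
    # Behind a reverse proxy only the proxy's port (and ssh) should be
    # reachable from the network, so 8080 and the H2 port are reported here.
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT, {22}):
        print(f"exposed: {host}:{port}")
```

On a real host, feed it `ss -ltn` output and allow only the ports the reverse proxy or load balancer is meant to reach; anything else reported should be bound to loopback or firewalled.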
MidPoint deployments that are explicitly deployed into an existing web container environment (Apache Tomcat) should adhere to the recommended security practices of that web container. As such a web container is not under the control of midPoint, midPoint is not responsible for any security issues of such a web container.
Security of MidPoint Services
Fortunately, there are other methods. In early 2019 midPoint was part of the European Union Free and Open Source Software Auditing (EU-FOSSA2) project. A bug bounty was announced for vulnerabilities in the midPoint product.
TODO: summary of FOSSA2 bug bounty when it is finished.
The bug bounty program was very successful, resulting in the discovery and mitigation of several security issues.