Cloud Access Manager 8.1.4 - Security and Best Practice Guide

Backup

It is strongly recommended that you take a backup of your Cloud Access Manager environment at regular intervals, and immediately prior to upgrading or carrying out maintenance. Please refer to the One Identity Cloud Access Manager Installation Guide for full instructions on how to back up and restore Cloud Access Manager.

Fallback

The Cloud Access Manager fallback administration account allows you to bypass the directory-based authentication mechanism to:

  • Configure Cloud Access Manager for the first time
  • Investigate issues with directory-based authentication
  • Perform certain activities such as setting up certificate-based authentication.

We recommend you choose a password for the fallback administration account which is complex enough that it cannot be guessed, and that you change it regularly. You can change the fallback password using the Cloud Access Manager administration interface.

IMPORTANT: We recommend that you keep a hardcopy of the fallback password in a secure place, accessible only to staff with the authority to configure Cloud Access Manager. There is no reset facility for the fallback password. If you forget the password, you will need to completely re-install Cloud Access Manager.

In addition, fallback administration is not automatically exposed by the reverse proxy, so access to this user interface is restricted to internal connections.

Shared secret

The Cloud Access Manager shared secret is used to send information securely between Cloud Access Manager hosts, so that the information can be stored securely in the Cloud Access Manager configuration database. In addition, you will need to use the same shared secret to add new nodes to your Cloud Access Manager deployment.

IMPORTANT: We recommend that you keep a hardcopy of the shared secret in a secure place, accessible only to staff with the authority to configure Cloud Access Manager, as there is no facility to change the shared secret within the software.

Proxy mapping and URL rewriting

In order to relay web content between a web application and a browser, the proxy must:

  • Convert inbound public URLs from the browser to internal URLs which resolve to the target application on the private network.
  • Convert hypertext links in outbound web content received from the internal web application to public URLs accessible by the browser.
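The two conversions above, implemented as an added example rather than Cloud Access Manager's own code: a small Python mapper that keeps an assumed in-memory table of (public base URL, internal base URL) pairs, translates inbound public URLs to internal ones, and rewrites absolute internal links in outbound HTML back to public URLs. The hostnames and the sample page are constructed. An inbound URL that matches no mapping is returned as None, so a proxy built on it only relays to applications it has been configured for, and prefix matching is on whole path segments so that /app1evil does not match /app1.

```python
"""Two-way URL mapping for a reverse proxy (added example, not Cloud Access
Manager code). Public (browser-facing) bases are mapped to internal
application bases; inbound requests are translated public -> internal and
links in outbound HTML internal -> public. Hostnames below are constructed."""
import re
from urllib.parse import urlsplit

# Matches href/src/action attribute values in outbound HTML (simplified).
_ATTR_RE = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def _base(url: str) -> str:
    """Normalise a mapping entry to 'scheme://host[:port]/path/' (lower-case
    scheme and host, exactly one trailing slash) so prefix matching is exact."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}/"


def _translate(url: str, table):
    """Rewrite an absolute URL whose prefix matches an entry in table
    (list of (src_base, dst_base), longest src first). Returns None when the
    URL is relative or no entry matches, so callers can refuse to forward
    (inbound) or leave the link untouched (outbound)."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    key = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"
    for src, dst in table:
        if key.startswith(src):            # /app1/... under the mapped prefix
            out = dst + key[len(src):]
        elif key == src[:-1]:              # exact /app1 with no trailing slash
            out = dst[:-1]
        else:
            continue                       # /app1evil does NOT match /app1/
        if p.query:
            out += "?" + p.query
        if p.fragment:
            out += "#" + p.fragment
        return out
    return None


class ProxyMapper:
    def __init__(self, mappings):
        # Longest public prefix first so a root mapping cannot shadow /app1.
        pairs = [(_base(pub), _base(internal)) for pub, internal in mappings]
        self._inbound = sorted(pairs, key=lambda m: len(m[0]), reverse=True)
        self._outbound = sorted(((i, pb) for pb, i in pairs),
                                key=lambda m: len(m[0]), reverse=True)

    def to_internal(self, public_url: str):
        """Inbound: public URL -> internal URL, or None if unmapped (deny)."""
        return _translate(public_url, self._inbound)

    def to_public(self, internal_url: str):
        """Outbound: internal URL -> public URL, or None if unmapped."""
        return _translate(internal_url, self._outbound)

    def rewrite_html(self, html: str) -> str:
        """Rewrite absolute internal links in outbound content; relative and
        unmapped links are left as they are."""
        def repl(m):
            attr, quote, link = m.group(1), m.group(2), m.group(3)
            return f"{attr}={quote}{self.to_public(link) or link}{quote}"
        return _ATTR_RE.sub(repl, html)


# Constructed sample mapping table and outbound page for demonstration.
MAPPINGS = [
    ("https://gateway.example.com/app1", "http://app1.intranet.local:8080"),
    ("https://gateway.example.com/", "http://portal.intranet.local/"),
]
SAMPLE_HTML = (
    '<a href="http://app1.intranet.local:8080/login">Sign in</a>\n'
    "<img src='http://portal.intranet.local/logo.png'>\n"
    '<a href="/relative/path">relative</a>\n'
    '<a href="https://www.example.org/">external</a>'
)

if __name__ == "__main__":
    mapper = ProxyMapper(MAPPINGS)
    print(mapper.to_internal("https://gateway.example.com/app1/reports?id=7"))
    print(mapper.to_internal("https://other.example.com/app1/"))   # None
    print(mapper.rewrite_html(SAMPLE_HTML))
```

The table is sorted longest public prefix first so that a catch-all root mapping cannot shadow a more specific application path. Outbound links that match no mapping are left untouched, which means any internal hostname the proxy cannot rewrite (for example, one embedded in script or JSON rather than in an href, src or action attribute) would still reach the browser; when checking a deployment, it is worth looking for such unrewritten internal names in the content the proxy actually serves.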

To rewrite the URLs correctly, the proxy maintains an internal mapping table. An application URL can be mapped to its public URL equivalent in one of two ways:
