Communication channels
Various communication channels are used by OX App Suite and related network services. While some channels offer unencrypted data transmission, OX strongly advises using encrypted transmission and authentication by default. Unencrypted channels should be avoided whenever possible.
Client access
Services
Web access, API federation traffic, Exchange ActiveSync, CalDAV, CardDAV, WebDAV.
Data types
JSON, XML containing user credentials, user data.
Trust boundary
Public Internet
Protocols
HTTP (80/tcp), HTTPS (443/tcp), using HTTPS is strongly advised.
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
Shared secret (username, password)
Protection need
High
Provisioning via SOAP
Services
System maintenance, context, user provisioning.
Data types
XML containing administrator credentials, context and user data.
Trust boundary
Internal network
Protocols
HTTP (80/tcp), HTTPS (443/tcp), using HTTPS is strongly advised.
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
Shared secret (admin name, password).
Protection need
Very high
Provisioning via RMI
Services
System maintenance, context, user provisioning.
Data types
Serialized Java objects containing administrator credentials, context and user data.
Trust boundary
Internal network
Protocols
RMI (1099/tcp)
Encryption
None
Authentication
Shared secret (admin name, password)
Protection need
Very high
Monitoring via JMX
Services
System maintenance, monitoring.
Data types
Serialized Java objects containing administrator credentials and system monitoring information.
Trust boundary
Internal network
Protocols
JMX (9999/tcp), JMX of Document Collaboration Service (9994/tcp)
Encryption
None
Authentication
Shared secret (admin name, password)
Protection need
Medium
Monitoring via HTTP
Services
System maintenance, monitoring.
Data types
JSON containing administrator credentials and system monitoring information.
Trust boundary
Internal network
Protocols
HTTP (80/tcp), HTTPS (443/tcp), using HTTPS is strongly advised.
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
Shared secret (admin name, password)
Protection need
Medium
Frontend/Backend interconnect
Services
Proxying data provided by a client to OX App Suite middleware.
Data types
JSON, XML containing user credentials, administrator credentials, user, context and monitoring data.
Trust boundary
Internal network
Protocols
HTTP (8009/tcp), HTTPS (8010/tcp), using HTTPS is strongly advised.
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
None
Protection need
Very high
Internode communication for OX Documents
Services
Document processing is stateful, so nodes must communicate with each other whenever a document is being processed on another node.
Data types
JSON
Trust boundary
Internal network
Protocols
JMS (61616/tcp), a secured connection is strongly advised.
Encryption
SSL/TLS
Authentication
Shared secret (username, password)
Protection need
Medium
Microservices REST API
Services
Offering remote access to certain features like database access.
Data types
JSON containing user data, depends on what service is used.
Trust boundary
Internal network
Protocols
HTTP (8009/tcp), HTTPS (8010/tcp), using HTTPS is strongly advised.
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
Shared secret (admin name, password) via HTTP Basic Authentication
Protection need
Very high
MySQL
Services
Access to configuration and user database.
Data types
MySQL queries containing database credentials, user data, E-Mail drafts.
Trust boundary
Internal network
Protocols
MySQL (3306/tcp)
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
Shared secret (database username, password)
Protection need
Very high
Mailbox access via IMAP
Services
Access to user mailboxes.
Data types
IMAP conversation containing user credentials, mailbox data.
Trust boundary
Internal network, Public Internet
Protocols
IMAP (143/tcp), IMAPS (993/tcp)
Encryption
TLS (STARTTLS enforced on 143/tcp, implicit TLS on 993/tcp)
Authentication
Shared secret (username, password), OAuth tokens
Protection need
Very high
Mailbox access via POP
Services
Access to user mailboxes.
Data types
POP3 conversation containing user credentials, mailbox data.
Trust boundary
Public Internet
Protocols
POP3 (110/tcp), POP3S (995/tcp)
Encryption
TLS (STARTTLS enforced on 110/tcp, implicit TLS on 995/tcp)
Authentication
Shared secret (username, password)
Protection need
Very high
Mail transport via SMTP
Services
Access to mail transport services
Data types
SMTP conversation containing user credentials, mail content.
Trust boundary
Internal network, Public Internet
Protocols
SMTP (25/tcp), SMTPS (465/tcp), Submission (587/tcp)
Encryption
TLS (STARTTLS enforced on 25/tcp and 587/tcp, implicit TLS on 465/tcp)
Authentication
Shared secret (username, password)
Protection need
Very high
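The three mailbox and mail transport entries above all rely on STARTTLS being enforced, which means the client must never send credentials when the upgrade is not offered or fails. The following is an added example, not OX code: a constructed, scripted SMTP server and a client that implements the enforcing policy (the same logic applies to IMAP and POP3, only the command names differ). The TLS handshake itself is out of scope and is represented by the 220 reply; hostnames and credentials are invented.

```python
import base64


class ScriptedSmtpServer:
    """Constructed stand-in for a mail transport endpoint (not OX code).

    It speaks just enough SMTP to exercise a client's STARTTLS policy:
    greeting, EHLO capability list, STARTTLS and AUTH. A server that does
    not advertise STARTTLS models either a misconfigured MTA or an
    on-path attacker stripping the capability (a downgrade attack).
    """

    def __init__(self, advertise_starttls=True, starttls_ok=True):
        self.advertise_starttls = advertise_starttls
        self.starttls_ok = starttls_ok
        self.tls_active = False
        self.transcript = []  # (side, line) with side "C" or "S"

    def recv_line(self, line):
        """Handle one client command and return the server reply lines."""
        self.transcript.append(("C", line))
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            reply = ["250-mail.example.test Hello"]
            if self.advertise_starttls and not self.tls_active:
                reply.append("250-STARTTLS")  # RFC 3207: not re-offered after upgrade
            reply.append("250 AUTH PLAIN LOGIN")
        elif verb == "STARTTLS":
            if self.advertise_starttls and self.starttls_ok:
                reply = ["220 Ready to start TLS"]
                self.tls_active = True  # handshake assumed to succeed here
            else:
                reply = ["454 TLS not available due to temporary reason"]
        elif verb == "AUTH":
            reply = ["235 Authentication successful"]
        elif verb == "QUIT":
            reply = ["221 Bye"]
        else:
            reply = ["500 Unknown command"]
        for r in reply:
            self.transcript.append(("S", r))
        return reply


def submit_with_enforced_starttls(server, username, password):
    """Client side with STARTTLS enforced.

    Credentials leave the client only after a successful STARTTLS upgrade;
    any other outcome aborts the session. Returns (authenticated, reason).
    """
    server.transcript.append(("S", "220 mail.example.test ESMTP"))
    caps = server.recv_line("EHLO client.example.test")
    if not any(c.endswith("STARTTLS") for c in caps):
        # Exactly what a stripped capability looks like: never fall back to
        # plaintext AUTH, just close the session.
        server.recv_line("QUIT")
        return False, "STARTTLS not offered"
    reply = server.recv_line("STARTTLS")
    if not reply[0].startswith("220"):
        server.recv_line("QUIT")
        return False, "STARTTLS refused: " + reply[0]
    # TLS is up: capabilities must be re-read (RFC 3207), then AUTH over TLS.
    server.recv_line("EHLO client.example.test")
    creds = base64.b64encode(f"\0{username}\0{password}".encode()).decode()
    reply = server.recv_line("AUTH PLAIN " + creds)
    server.recv_line("QUIT")
    return reply[0].startswith("235"), "authenticated over TLS"


def credentials_sent_in_clear(server):
    """True if an AUTH command was issued before the TLS upgrade reply."""
    tls_seen = False
    for side, line in server.transcript:
        if side == "S" and line.startswith("220 Ready"):
            tls_seen = True
        if side == "C" and line.startswith("AUTH") and not tls_seen:
            return True
    return False
```

The 454 case is the one opportunistic clients get wrong: a temporary TLS failure must be treated as a hard failure, otherwise the "enforced" label in the table does not hold in practice.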
File storage access via S3
Services
Access to backend storage system.
Data types
User generated content, for example PIM or Drive attachments.
Trust boundary
Internal network
Protocols
HTTP (80/tcp), HTTPS (443/tcp), using HTTPS is strongly advised.
Encryption
SSE-S3 (server-side encryption at rest, not of the channel), TLS (optional) in transit, enforcing TLS 1.2 or higher is strongly advised.
Authentication
Shared secret (access and secret key)
Protection need
Very high
File storage access via Scality sproxyd
Services
Access to backend storage system.
Data types
User generated content, for example PIM or Drive attachments.
Trust boundary
Internal network
Protocols
HTTP (80/tcp), HTTPS (443/tcp)
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
None
Protection need
Very high
Authentication via MySQL
Services
Validating user credentials.
Data types
MySQL queries containing user credentials.
Trust boundary
Internal network
Protocols
MySQL (3306/tcp)
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
Shared secret (database username, password)
Protection need
Very high
Authentication via LDAP
Services
Validating user credentials.
Data types
LDAP conversation containing user credentials, directory service information.
Trust boundary
Internal network
Protocols
LDAP (389/tcp), LDAPS (636/tcp), using LDAPS is strongly advised.
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
Shared secret (LDAP bind)
Protection need
Very high
Authentication via IMAP
Services
Validating user credentials.
Data types
IMAP conversation containing user credentials.
Trust boundary
Internal network
Protocols
IMAP (143/tcp), IMAPS (993/tcp)
Encryption
TLS (STARTTLS enforced on 143/tcp, implicit TLS on 993/tcp)
Authentication
None
Protection need
Very high
Authentication via Kerberos
Services
Validating user credentials.
Data types
Kerberos conversation containing tickets.
Trust boundary
Internal network
Protocols
Kerberos (88/udp)
Encryption
Symmetric encryption
Authentication
Registration with the KDC, Kerberos tickets
Protection need
Very high
Access to social networks
Services
Fetching and providing data from/to social networks, RSS, news feeds.
Data types
JSON, XML containing user credentials, social network data.
Trust boundary
Public Internet
Protocols
HTTPS (443/tcp)
Encryption
TLS (enforced)
Authentication
Shared secret (username, password), OAuth
Protection need
High
Cluster interconnect
Services
Distributed session storage, distributed cache.
Data types
Serialized Java objects containing user credentials, user data.
Trust boundary
Internal network
Protocols
Distributed storage (5701/tcp), multicast (54327/udp)
Encryption
Symmetric encryption (optional), enabling encryption is strongly advised.
Authentication
Shared secret (cluster group name, password)
Protection need
Very high
OX Documentconverter, Imageconverter, Readerengine
Services
Converting documents to browser-readable preview data.
Data types
Office document formats, images, user data.
Trust boundary
Internal network
Protocols
HTTP (80/tcp)
Encryption
None
Authentication
None
Protection need
High
OX SpellCheck
Services
Offering spell checking and replacement suggestion functionality for words, portions or paragraphs of text with different languages and locales.
Data types
JSON containing words, portions or paragraphs of text to be checked for correct spelling with a given language and locale. The response contains the misspelled words with their boundaries and, on demand, replacement suggestions for them.
Trust boundary
Internal network
Protocols
HTTP (8003/tcp)
Encryption
TLS (optional), enforcing TLS 1.2 or higher is strongly advised.
Authentication
None
Protection need
High
OX Documents Collaboration Service
Services
OX Documents Collaboration Service is a part of OX Documents to enable real-time editing of documents. The service must not be reachable from untrusted networks. Only OX App Suite must be able to access it.
Data types
Office document formats, images, user data.
Trust boundary
Internal network
Protocols
HTTP (80/tcp)
Encryption
None
Authentication
None
Protection need
High
Mobile Push
Services
Push messages for iOS, macOS and Android devices via Google Cloud Messaging (GCM) and the Apple Push Notification service (APNs).
Data types
E-Mail subjects, partial contents, sender information, object IDs.
Trust boundary
External network, Apple/Google networks
Protocols
HTTPS (443/tcp), APNs binary provider API (2195/tcp)
Encryption
TLS (enforced)
Authentication
Device tokens, API keys
Protection need
High
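The listing above is a flattened inventory in which every channel is followed by the same seven fields. When reviewing a deployment it is useful to turn it into data and derive two things from it: which channels carry high-value traffic over an unencrypted or only optionally encrypted transport (and therefore need TLS enforcement or strict network segmentation), and which ports must stay behind the internal-network boundary. The following is an added example, not part of the OX documentation: a small parser for this format plus those two checks, run on a constructed excerpt of three entries from the listing. The classification rules (what counts as "weak" encryption, which protection levels matter) are the reviewer's assumptions, not OX policy.

```python
import re

# Field names exactly as they appear in the listing, in document order.
FIELDS = ("Services", "Data types", "Trust boundary", "Protocols",
          "Encryption", "Authentication", "Protection need")

# Constructed excerpt of the channel listing (three entries, copied verbatim).
SAMPLE = """
Provisioning via RMI
Services
System maintenance, context, user provisioning.
Data types
Serialized Java objects containing administrator credentials, context and user data.
Trust boundary
Internal network
Protocols
RMI (1099/tcp)
Encryption
None
Authentication
Shared secret (admin name, password)
Protection need
Very high
Cluster interconnect
Services
Distributed session storage, distributed cache.
Data types
Serialized Java objects containing user credentials, user data.
Trust boundary
Internal network
Protocols
Distributed storage (5701/tcp), multicast (54327/udp)
Encryption
Symmetric encryption (optional), enabling encryption is strongly advised.
Authentication
Shared secret (cluster group name, password)
Protection need
Very high
Mobile Push
Services
Push messages for iOS, macOS and Android devices.
Data types
E-Mail subjects, partial contents, sender information, object IDs.
Trust boundary
External network, Apple/Google networks
Protocols
HTTPS (443/tcp), APNs binary provider API (2195/tcp)
Encryption
TLS (enforced)
Authentication
Device tokens, API keys
Protection need
High
"""

PORT_RE = re.compile(r"(\d+)/(tcp|udp)")


def parse_channels(text):
    """Parse the flattened 'channel name / field / value' listing into dicts.

    A channel name is any non-field line; it is followed by field/value pairs
    until the next line that is not one of FIELDS.
    """
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    channels, i = [], 0
    while i < len(lines):
        entry = {"name": lines[i]}
        i += 1
        while i + 1 < len(lines) and lines[i] in FIELDS:
            entry[lines[i]] = lines[i + 1]
            i += 2
        channels.append(entry)
    return channels


def listening_ports(entry):
    """All (port, transport) pairs mentioned in the Protocols field."""
    return sorted({(int(p), t) for p, t in PORT_RE.findall(entry.get("Protocols", ""))})


def needs_transport_hardening(entry):
    """Assumed reviewer rule: unencrypted or optionally encrypted transport
    carrying High or Very high protection-need data must be hardened."""
    enc = entry.get("Encryption", "")
    weak = enc.startswith("None") or "optional" in enc
    return weak and entry.get("Protection need") in ("High", "Very high")


def internal_only_ports(channels):
    """Ports that must never be reachable across the public-internet boundary:
    every port of a channel whose trust boundary is purely 'Internal network'."""
    ports = set()
    for ch in channels:
        if ch.get("Trust boundary") == "Internal network":
            ports.update(listening_ports(ch))
    return sorted(ports)
```

Running `parse_channels` over the full listing and feeding `internal_only_ports` into a firewall or security-group definition gives a deny-by-default baseline that matches the trust boundaries stated on this page; `needs_transport_hardening` lists the channels where that segmentation is the only protection until TLS or cluster encryption is enforced.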