Internally exposed interfaces
RMI
The native way of performing all context-, group-, resource- and user-level provisioning tasks is implemented as a Java RMI API. All functions in this API can also be executed with command-line tools.
Integrations
Central control panels and billing systems that are not implemented in Java can use the RMI API via OX-SOAP. Standard integrations via the SOAP API are also available for some third-party management systems, like directory services, operations automation and control panels.
Authentication
Authentication is implemented as highly customizable plugins. Many different standard and custom implementations are available. The OX App Suite default delivery includes plugins to be used with the OX App Suite internal database or with external authentication services like OIDC, IMAP or LDAP. Most environments make use of proprietary implementations.
Monitoring
OX App Suite is monitored via a JMX interface and, when "Jolokia" is used for monitoring, an HTTP interface. Since JMX can be used to invoke further code (MBeans), it can potentially be used for privilege escalation, where unprivileged local users or network agents execute code in the context of the open-xchange user. For this reason we highly recommend defining strong credentials for JMX authentication and keeping this interface restricted to local or trusted networks.
REST API
To allow reuse of existing features by certain remote microservices, e.g. for database access, OX App Suite middleware exposes a dedicated HTTP interface. This interface is shipped as open-xchange-rest and makes HTTP Basic Auth mandatory in order to use it. This interface must not be publicly available since it provides direct access to several internal services.
The software is shipped without standard credentials. This means interfaces like REST are disabled by default and need to be set up with credentials in order to work properly. In order to activate this interface, the credentials must be set in server.properties. The interface is bound to the /preliminary servlet path and is made available via port 8009. Access to this interface should be limited to internal hosts that actually use it.
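As an added example (not part of OX App Suite or its documentation), one way to verify this restriction is to audit a front-end proxy access log for requests to the internal paths named on this page, the REST path /preliminary and the SOAP paths /webservices and /servlet/axis2/services, coming from clients outside the trusted networks. The Apache-style log format, the trusted ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Paths this page says must stay internal (REST and SOAP interfaces).
INTERNAL_PREFIXES = ("/preliminary", "/webservices", "/servlet/axis2/services")
# Assumption: networks allowed to reach these interfaces; adjust per deployment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.20.0.0/16")]
# Assumption: Apache common/combined log format written by the front-end proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_internal_path(path):
    """True if the path is one of the internal interfaces or lies below it."""
    path = path.split("?", 1)[0]  # ignore the query string
    return any(path == p or path.startswith(p + "/") for p in INTERNAL_PREFIXES)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or garbage in the client field: untrusted
    return any(ip in net for net in TRUSTED_NETS)

def audit(lines):
    """Return (severity, client, path, status) for untrusted internal-path hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_internal_path(m["path"]) or is_trusted(m["ip"]):
            continue
        # 403/404: the proxy refused the request. Anything else (including a
        # 401 Basic Auth challenge) means the request reached the interface.
        severity = "blocked" if m["status"] in ("403", "404") else "exposed"
        findings.append((severity, m["ip"], m["path"], int(m["status"])))
    return findings

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '10.20.3.7 - - [12/Mar/2024:10:01:02 +0000] "GET /preliminary/example HTTP/1.1" 200 512',
    '198.51.100.23 - - [12/Mar/2024:10:01:05 +0000] "POST /webservices/ExampleService HTTP/1.1" 200 1824',
    '203.0.113.9 - - [12/Mar/2024:10:01:09 +0000] "GET /servlet/axis2/services/ExampleService?wsdl HTTP/1.1" 403 199',
    '203.0.113.9 - - [12/Mar/2024:10:01:11 +0000] "GET /appsuite/ HTTP/1.1" 200 4096',
    '198.51.100.23 - - [12/Mar/2024:10:01:15 +0000] "GET /preliminary/example HTTP/1.1" 401 381',
    '192.0.2.5 - - [12/Mar/2024:10:01:20 +0000] "GET /webservicesfoo HTTP/1.1" 200 10',
]
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Any "exposed" finding indicates that the proxy forwarded a request from an untrusted client to an internal interface and that the access rules need review.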
SOAP API
The SOAP interface is reachable on both web paths /webservices and /servlet/axis2/services. That interface should only be reachable from a secure network. Therefore, access to those locations is restricted by default as per proxy_http.conf: