IMPORTANT SECURITY NOTES FOR PRODUCTION DEPLOYMENTS
===================================================

When deploying a Lightstreamer Server instance in a production environment, please go through the following checklist, to make sure that private information on the Server operations is not accessible to unauthorized people.

1) Completely remove the "Demo" folder inside the "adapters" folder.
   The pre-installed DEMO Adapter Set enables subscriptions to the internal Monitor Data Adapter. You might not want unauthorized clients to access the Monitor Data Adapter.

2) Completely remove the "demos" folder inside the "pages" folder.
   You might not want to show any demo pages in production. Furthermore, as it is recommended to host your pages on an external Web server, you can completely disable the Lightstreamer internal Web server by setting to N within the element in "lightstreamer_conf.xml".

3) Restrict access to the Monitor Console.
   The embedded Monitor Console is a handy tool to watch the status of Lightstreamer Server in real time. To prevent unauthorized people from accessing it, edit the element in "lightstreamer_conf.xml" as follows:
   - set to N
   - define at least a user id and a password
   - for further restrictions, you may want to:
     . isolate the Monitor Console on a different socket than the one used for the external operations. In this case, set to N and define the server that should serve the Monitor requests;
     . change the default monitor URI, through

4) Restrict access to JMX.
   The Java Management Extensions (JMX) interfaces provide a standard means to monitor and administer Lightstreamer Server. You might want to restrict access to the following JMX TCP ports (configured in "lightstreamer_conf.xml") through your firewall:
   - (inside the block) (6600 by default)
   - (inside the block) (8888 by default)
   - (inside the block) (unused by default)
   - (inside the block) (9999 by default)

5) If you use HTTPS:
   a) Install the 256-bit cipher suites in the Java Virtual Machine, as in most countries such cipher suites need to be downloaded separately from the Oracle/SUN site (search for "JCE Unlimited Strength Jurisdiction Policy Files").
   b) Disable support for low encryption ciphers (that is, usually, those with a key length smaller than 128 bits):
      - Set the "LightstreamerLogger.connections.ssl" logger in "lightstreamer_log_conf.xml" to DEBUG and look in the log file for all the enabled cipher suites. Decide which should be disabled, based on your own security policy.
      - Uncomment the element in "lightstreamer_conf.xml" and configure the cipher suites to disable.
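To help with step 5b, the following added script (not part of the Lightstreamer distribution) pulls the standard JSSE cipher suite names out of the DEBUG log and flags the ones to disable; the log line layout shown in SAMPLE_LOG is constructed, and the weak-cipher criteria (key length below 128 bits plus NULL, anonymous, RC4 and EXPORT suites) are an assumed baseline policy, not Lightstreamer's.

```python
import re

# Constructed sample lines; the exact layout of the DEBUG output from the
# "LightstreamerLogger.connections.ssl" logger is an assumption, so adapt
# SUITE_RE if your log file formats the suite names differently.
SAMPLE_LOG = """\
10:00:00|DEBUG|LightstreamerLogger.connections.ssl|Enabled cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
10:00:00|DEBUG|LightstreamerLogger.connections.ssl|Enabled cipher suite: SSL_RSA_WITH_DES_CBC_SHA
10:00:00|DEBUG|LightstreamerLogger.connections.ssl|Enabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
10:00:00|DEBUG|LightstreamerLogger.connections.ssl|Enabled cipher suite: TLS_RSA_WITH_NULL_SHA
10:00:00|DEBUG|LightstreamerLogger.connections.ssl|Enabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
10:00:00|DEBUG|LightstreamerLogger.connections.ssl|Enabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
10:00:00|DEBUG|LightstreamerLogger.connections.ssl|Enabled cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

# Standard JSSE cipher suite names all start with TLS_ or SSL_.
SUITE_RE = re.compile(r"\b(?:TLS|SSL)_[A-Za-z0-9_]+")
# Markers of suites to reject regardless of nominal key length (assumed policy).
BROKEN_MARKERS = ("_NULL_", "_anon_", "RC4", "EXPORT")

def key_bits(suite):
    """Effective symmetric key length implied by a JSSE suite name (None if unknown)."""
    if "_NULL_" in suite:
        return 0
    if "EXPORT" in suite:
        return 40
    if "3DES" in suite:
        return 112          # 168-bit nominal, 112-bit effective strength
    if "_DES_" in suite:
        return 56
    m = re.search(r"_(?:AES|CAMELLIA|ARIA|RC4)_(\d+)", suite)
    if m:
        return int(m.group(1))
    if "CHACHA20" in suite:
        return 256
    return None

def suites_to_disable(log_text, min_bits=128):
    """Return sorted [(suite, reason)] for every enabled suite that fails the policy."""
    findings = {}
    for suite in SUITE_RE.findall(log_text):
        bits = key_bits(suite)
        broken = [m.strip("_") for m in BROKEN_MARKERS if m in suite]
        if broken:
            findings[suite] = "uses " + ", ".join(broken)
        elif bits is None:
            findings[suite] = "unknown cipher, review manually"
        elif bits < min_bits:
            findings[suite] = "%d-bit key" % bits
    return sorted(findings.items())

if __name__ == "__main__":
    for suite, reason in suites_to_disable(SAMPLE_LOG):
        print("disable %-45s (%s)" % (suite, reason))
```

The names it prints are the ones to list in the cipher-suite element of "lightstreamer_conf.xml"; anything reported as "unknown cipher" should be checked by hand rather than assumed safe.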