Home
Administering Connections 7.0
Welcome to the HCL Connections documentation site. HCL Connections is social networking software designed for the workplace. Its features help you to establish dynamic networks that connect you to the people and information you need to achieve your business goals.
Security
HCL Connections™ provides a flexible security infrastructure that supports an open, easily shareable data model.
Securing applications from malicious attack
HCL Connections™ provides security measures, such as an active content filter and content upload limits, that you can use to mitigate the risk of malicious attacks. Because these security measures can also limit the flexibility of the applications, you, as the system administrator, must evaluate the security of your network and determine whether or not you need to implement them.
Active content filters (whitelists)
Starting with V6.0 CR1, HCL Connections™ provides an alternative mechanism (whitelisting) for active content filtering, which helps to ensure that content uploaded by users is safe.
Configuring active content filters (whitelists)
HCL Connections™ provides a set of active content filter (ACF) configuration files that you can apply to component applications to allow users to contribute only accepted types of content.
URL protocol rules (whitelists)
Whitelist active content for HCL Connections™ based on the protocol specified within URLs.

Administering Connections 7.0
Welcome to the HCL Connections documentation site. HCL Connections is social networking software designed for the workplace. Its features help you to establish dynamic networks that connect you to the people and information you need to achieve your business goals.
- What's new in HCL Connections
  Find out about features that are new or updated in this release of HCL Connections.
- Product overview
  Learn how to deploy, customize, and administer the HCL Connections social networking product.
- Planning
  Before installing HCL Connections™, study the system requirements, deployment options, and documentation conventions.
- Installing Connections
  To install HCL Connections™, you need to follow a detailed series of procedures.
- Installing or upgrading Component Pack for Connections
  HCL Connections 7.0 now supports the latest Component Pack based in Harbor, an open-source container and Helm registry hosted by HCL for the Component Pack build. Deployments that are new or carrying Component Pack 7 will use this approach for a simplified installation/upgrade process, while releases prior to 7.0 will first need to upgrade to Component Pack 7 using a zip file and a local Docker registry.
- Post-installation tasks
  After installation, you need to perform further tasks to ensure an efficient deployment.
- Optional: Installing and configuring Tiny Editors for HCL Connections
  The Tiny editors are alternative rich-text editors which can be installed for HCL Connections™. They provide additional features and extensive customization options not available with the default editor.
- Optional post-installation tasks
  Complete the post-installation tasks that are relevant to your deployment.
- Uninstalling
  Uninstall HCL Connections.
- Upgrading and updating
  Upgrade HCL Connections and its supporting software to the latest release and then update the installation with the latest interim fixes or cumulative fixes. Refer to the What's New in HCL Connections to review the features in the latest release and gather download links or links to the latest fix list and update strategy information.
- Administering
  Run administration and maintenance tasks to keep your environment up-to-date. For example, learn how to customize your deployment or how to use the wsadmin utility to edit configuration files. You can also schedule tasks, maintain application databases, moderate content, or manage users and their roles.
- Customizing
  Customize HCL Connections™ to fit your environment.
- Security
  HCL Connections™ provides a flexible security infrastructure that supports an open, easily shareable data model.
  - Federal Information Processing Standard (FIPS) 140-2 Compliance
    In HCL Connections™, FIPS compliance is managed through IBM® WebSphere® Application Server.
  - Allowing third-party applications access to data via the OAuth2 protocol
    Allow third-party applications to ask your HCL Connections users for access to their data.
  - Configuring single sign-on
    Set up single sign-on integration between HCL Connections™ and other HCL products and third-party security products.
  - Authentication with SAML
    You can use the SAML (Security Assertion Markup Language) 2.0 web SSO redirection services support to implement user authentication and single sign-on (SSO). To establish your SAML environment, you must consider the following information to ensure that your system is a good candidate.
  - Configuring the AJAX proxy
    By default, the HCL Connections™ AJAX proxy is configured to allow cookies, headers or mime types, and all HTTP actions to be exchanged among the Connections applications. If you want to change the traffic that is allowed from non-HCL Connections services, you must explicitly configure it.
  - Enabling locked domains
    Assuming that you have completed the server setup previously described, to enable locked domains in HCL Connections, specify an additional attribute in the LotusConnections-config.xml to ensure that only ConnectionsOpensocial application is mapped to the locked domain host.
  - Enabling virus scanning
    Edit configuration property settings to force the applications that handle uploaded files to scan all files for viruses.
  - Forcing traffic to be sent over an encrypted connection
    You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over an encrypted connection.
  - Forcing traffic to use TLS 1.2
    You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over TLS 1.2 to avoid security vulnerabilities in TLS 1.1 and earlier versions of SSL.
  - Forcing users to log in before they can access an application
    Change the access levels of members or groups to require them to provide credentials before they can access an HCL Connections™ application.
  - Securing applications from malicious attack
    HCL Connections™ provides security measures, such as an active content filter and content upload limits, that you can use to mitigate the risk of malicious attacks. Because these security measures can also limit the flexibility of the applications, you, as the system administrator, must evaluate the security of your network and determine whether or not you need to implement them.
    - Active content filters (whitelists)
      Starting with V6.0 CR1, HCL Connections™ provides an alternative mechanism (whitelisting) for active content filtering, which helps to ensure that content uploaded by users is safe.
      - Configuring active content filters (whitelists)
        HCL Connections™ provides a set of active content filter (ACF) configuration files that you can apply to component applications to allow users to contribute only accepted types of content.
        URL protocol rules (whitelists)
        Whitelist active content for HCL Connections™ based on the protocol specified within URLs.
        Element and attribute rules (whitelists)
        Whitelist active content for HCL Connections™ based on elements and attributes used in the HTML source.
        Styling rules (whitelists)
        Whitelist active content for HCL Connections™ based on style-sheet usage in the HTML source.
    - Configuring legacy active content filters (legacy ACF)
      HCL Connections™ legacy active content filtering (legacy ACF) uses rules that allow you to block specific content (a blacklist mechanism). Although the new mechanism to whitelist allowed active content (introduced in V6.0 CR1) is considered to be more secure, you can still use the legacy mechanism to blacklist content.
    - Mitigating a cross site scripting attack
      If you deem that your network is secure enough to turn off the active content filter, consider using one of the configuration options described in this topic to mitigate an attack should one occur.
    - Turning off active content filtering
      Only turn off active content filtering if you have secured your network against cross-site scripting attacks by other means.
  - Restricting domains used by the login page redirect parameter
    By default, the HCL Connections™ default login page allows redirecting to any destination. You can configure Connections to use a whitelist of domains to ensure login navigation to a secure page.
- Mobile
  See the HCL Connections™ Mobile documentation for Connections Cloud and Connections on-premises.
- Developing
  Get information about how to use the APIs provided with HCL Connections™ and how to use Connections Customizer to modify the Connections pages that are returned to users.
- Troubleshooting and support
  To isolate and resolve problems with your HCL products, you can use the troubleshooting and support information. This information contains instructions for using the problem-determination resources that are provided with your HCL products, including HCL Connections™.

URL protocol rules (whitelists)

Whitelist active content for HCL Connections™ based on the protocol specified within URLs.

The URL protocol rules specify which protocols are allowed within the HTML source code of uploaded content. URL protocols appear within a variety elements, such as:

The href attribute in <a> and <area> tags
The src attribute in <iframe>, <img>, <audio>, and <video> tags
The cite atttribute in <q> tags

Some URL protocols are disallowed by default; for example, the irc:// and telnet:// protocols are not allowed. Any URLs that contain disallowed protocols are stripped from the content before it is uploaded.

The following protocols are allowed by default: http, https, mailto, ftp, and tel.

The following rules can be used to tailor the allowed protocols to your needs; these rules can be used in conjunction with one another.

allowStandardUrlProtocols

Allows URLs containing any of the following (default) protocols:

http
https
mailto
ftp
tel

Usage:

<allowStandardUrlProtocols enabled="true" />

To allow a different set of URL protocols, apply the allowUrlProtocols rule instead.

allowUrlProtocols

Allows URLs containing only protocols that you specify with this rule. Use this rule when you only want to whitelist a small set of URL protocols. This rule can be used in conjunction with AllowStandardUrlProtocols.

Usage


<allowUrlProtocols>
<protocol name="ftp" />
<protocol name="tel" />
<protocol name="notes" />
<protocol name="file" />
</allowUrlProtocols>

disallowUrlProtocols

Allows you to reverse an earlier "allow" rule.

Usage:

<disallowUrlProtocols>
        <protocol name="javascript" />
        <protocol name="vbscript" />
</disallowUrlProtocols>