Secure the server
You can set up secure communication between clients and servers as well as between servers.
- Communication between clients and servers can be secured using the SSL protocol, which you specify when connecting to the server. See Using SSL to encrypt connections to a Helix Server.
- Communication between clients and servers can also be secured using a firewall. For more information, see Using firewalls.
- User authentication can be done using passwords or tickets, and the strength of the password can be defined by an administrator. Users can be authenticated against an Active Directory or LDAP server, or against an internal Helix Server user database. See Authentication options.
- Access is defined using "protections" that determine which Helix Core Server commands can be run, on which files, by whom, and from which host. See Authorizing access.
- Communication between servers in a multi-server environment can be secured using a "trust file", and by setting "protections" for the service users that own the different servers in the environment. For more information, see Create commit and edge server configurations.
Before you can configure access and authentication, you must create users as described in Users.
Recommended security settings for configurables
After installing Helix Server, it is good practice to set the following configurables:
Purpose | Configurable | Value |
---|---|---|
Require ticket-based authentication. Warning: Unless your Helix Core Server is a standalone server, set the value of the security configurable to 4 or higher because Level 4 protects multi-server and replicated environments. To learn more, see Server security levels. | security | 4 |
For each user's initial password: ensure that only users with the Warning: We strongly recommend that when you create a new user, you assign that user an initial password, and that you make it a strong password. | dm.user.setinitialpasswd | 0 |
Force new users that you create to reset their passwords. | dm.user.resetpassword | 1 |
Prevent the automatic creation of new users. | dm.user.noautocreate | 2 |
Hide sensitive information from unauthorized users of p4 info. | dm.info.hide | 1 |
Hide user details from unauthenticated users. | run.users.authorize | 1 |
Hide that an authentication failure is due to the username being incorrect. | dm.user.hideinvalid | 1 |
Hide information contained in 'keys' from those who lack admin access. One use case is Hiding Swarm storage from regular users. | dm.keys.hide | 2 |
Prevent a server from being used as a P4AUTH server without deliberate configuration. | server.rolechecks | 1 |
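A baseline check for the configurables in the table above, as an added example that is not Perforce's own code. It assumes the server's current settings were saved to text as `name=value (source)` lines; the function names and the sample listing are constructed for illustration.

```python
import re

# Recommended values copied from the table above.
RECOMMENDED = {
    "security": 4, "dm.user.setinitialpasswd": 0, "dm.user.resetpassword": 1,
    "dm.user.noautocreate": 2, "dm.info.hide": 1, "run.users.authorize": 1,
    "dm.user.hideinvalid": 1, "dm.keys.hide": 2, "server.rolechecks": 1,
}
# The page says "4 or higher" for security; every other value must match exactly.
AT_LEAST = {"security"}

# Assumed line shape of the saved listing: "name=value (source)".
LINE = re.compile(r"^([\w.]+)\s*=\s*(\S+)")

def parse_listing(text):
    """Return {configurable: value string} for every line that parses."""
    return {m.group(1): m.group(2)
            for m in (LINE.match(l.strip()) for l in text.splitlines()) if m}

def audit(current):
    """Return sorted (name, current value or None, recommended) for each deviation."""
    findings = []
    for name, want in RECOMMENDED.items():
        raw = current.get(name)          # None means the configurable is not set
        try:
            have = int(raw)
        except (TypeError, ValueError):
            have = None                  # unset or non-numeric counts as a deviation
        ok = have is not None and (have >= want if name in AT_LEAST else have == want)
        if not ok:
            findings.append((name, raw, want))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample listing, not output captured from a real server.
SAMPLE = """\
security=3 (configure)
dm.user.noautocreate=2 (configure)
dm.user.resetpassword=1 (configure)
dm.info.hide=0 (configure)
dm.keys.hide=2 (configure)
server.rolechecks=1 (configure)
"""

if __name__ == "__main__":
    for name, have, want in audit(parse_listing(SAMPLE)):
        print(f"{name}: current={have!r} recommended={want}")
```

A configurable that is absent from the listing is reported with a current value of `None`, so settings that were never applied show up alongside those set to a weaker value.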
Programmatic security
The Helix Core Downloads include APIs for C++ and various scripting languages. When writing programs that communicate with Helix Server, consider using the appropriate supported API for both security and runtime efficiency, rather than a wrapper around the p4 command-line client executable.