Secure data

Data security involves the protection of your organization’s data, any data that you host for customers, and any input entered by users during interactions with the product.

Secure data in motion

Securing data in motion refers to the protection of data as it travels over a network or between locations.

Communication between P4 Servers and clients is secured by encrypting the data in transit. By default, Transport Layer Security (TLS) 1.2 is used on the server, and TLS 1.2 or 1.3 is used on clients. TLS is the successor to Secure Sockets Layer, or SSL. For instructions about setting up encrypted communications between a client and a P4 Server, see SSL/TLS encrypted connections. For information about setting up SSL/TLS by using keys and certificates, see Certificate authority and wildcard certificates. For enhanced security, use signed certificates from a trusted authority when possible.

In some cases, you must use the p4 trust command to establish trust of an SSL/TLS connection to a P4 service. For guidelines, see p4 trust. For any given P4 Server, proxy, or broker, SSL/TLS encryption is an all-or-nothing option. If a P4 Server is configured to use SSL/TLS, all P4 Server applications, including the following, must be configured to use SSL/TLS:

• P4 replicas, brokers, and proxies

• P4 Code Review (formerly Helix Swarm)

• Perforce TeamHub

  • You can enable an option to offload SSL/TLS to a load balancer if TeamHub is running in Cluster or High Availability mode with a load balancer. See TeamHub: Hardening Security.

• P4 Digital Asset Management (DAM)

Supported cipher suites

P4 Server uses the ECDHE-RSA-AES128-GCM-SHA256 cipher suite by default. However, you can customize the configuration by specifying either the cipher list or cipher suites. Specify the cipher list with the ssl.cipher.list configurable, and the cipher suite with ssl.cipher.suites, configurable, by using the format described in ciphers - OpenSSL Documentation.

The P4 Server uses TLS 1.2 as default. Optionally, you can enable TLS 1.3. However, TLS 1.3 uses a different set of ciphers, specified by the ssl.cipher.suites configurable. For more information, see SSL/TLS connections between client and server.

Secure data at rest

Securing data at rest involves protecting data on physical media and on cloud storage.

Data access control

Within P4 applications, you control access by using protections that determine which P4 Server commands can be run, on which files, by whom, and from which host. See Access authorization.

You can secure communication between servers in a multi-server environment by setting protections for the service users who own the servers. For more information, see Create commit and edge server configurations.

It is also essential to restrict access to the file systems that store the P4 Server program files, metadata, live and rotated journals, triggers, checkpoints, versioned files and backups, and audit and server logs. Access can be restricted by controlling permissions at the operating system level.

In addition, you can mark change descriptions as restricted, ensuring that only users with access to one or more of the related files can see the description. For more information, see the description of the defaultChangeType configurable.

Data and activity audit

You can monitor user file access and activities for security purposes by enabling the P4 server’s P4AUDIT feature and utilizing server logs. See Implement logging.

Data integrity

The data integrity of versioned and shelved files is ensured through validations performed using a hash algorithm during file upload and retrieval from the server. You can maintain and verify the integrity of these files by using the p4 verify command.

By default, file contents are verified by using a hashing algorithm when they are submitted to the P4 Server and before transferring files or their contents to the client. These behaviors are managed by two server configuration settings: lbr.verify.in and lbr.verify.out.

A digest of a versioned or shelved file that is recorded on the P4 Server can be retrieved by using the p4 fstat command.

• For a versioned file, run the p4 fstat -Olb FileSpec[revRange] command.

• For a shelved file, run the p4 fstat -Rs -Olb FileSpec@=[Shelved_Changelist] command.

For more information, see File specifications.

The integrity of versioned and shelved files on the P4 Server can be verified using the p4 verify command.

Secure user input

Securing user input involves masking or hiding the content of input fields in a user interface to prevent unauthorized individuals from viewing sensitive information. Also known as UI field obfuscation, this method is commonly applied to fields that contain confidential data, such as passwords or credit card numbers.

In P4, passwords are not displayed or are replaced with a fixed number of asterisks.