Prevent unauthorized access to systems

Cyberattacks and other forms of unauthorized access pose a constant threat to IT systems. Fortunately, many tools are available to counter these threats and shield your infrastructure.

Authenticate users and devices

PE helps prevent unauthorized access by using X.509 certificates to authenticate all of its endpoints to one another, so that each agent, server, and service trusts only peers holding a certificate issued by a CA it recognizes.

  • Infrastructure certificates

    Certificates and their associated key pairs are issued by the built-in PE certificate authority: each node generates its own private key, submits a certificate signing request, and the PE CA signs it, helping to ensure the security of your installation. The preferred method is to use these infrastructure certificates (rather than self-signed certificates) and to regenerate them when necessary, for example after a suspected private-key compromise or before the CA certificate expires. See Regenerate infrastructure certificates.

  • Independent intermediate certificate authority

    The built-in Puppet certificate authority automatically generates a root CA certificate and an intermediate CA certificate that signs all other certificates. If you need additional intermediate certificates, or you prefer to chain to a public CA or your organization's own PKI, you can set up an independent intermediate certificate authority. For example, you can replace the browser-facing console certificate signed by the Puppet CA with one issued by a CA that your browsers already trust; this avoids the browser warnings that a certificate from the built-in CA triggers (a self-signed certificate does not remove those warnings). This method can also be useful if your organization requires certificates from its own CA. However, certificates issued outside the built-in CA are not regenerated by PE, so managing them requires considerable additional effort. See Use an independent intermediate certificate authority.

Grant access and permissions

The process of granting access rights and permissions is designed to ensure that only authorized users, user groups, devices, and other entities can access a system, application, or network. Commonly used authorization mechanisms include role-based access control (RBAC), attribute-based access control (ABAC), and access control lists (ACLs).

In PE, you use RBAC: assign each user to at least one role, and each role carries a set of permissions that give its members an appropriate level of access and capability. Grant each role only the permissions it needs. For example, permissions can allow users to:

You can control access in the console or with the RBAC API.

You can use the RBAC API to manage users, user groups, roles, permissions, tokens, passwords, and Lightweight Directory Access Protocol (LDAP) and Security Assertion Markup Language (SAML) connections. See Forming RBAC API requests.
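The sequence described above, as an added example that is not code from the PE documentation or from Puppet: obtain a short-lived token, send it in the `X-Authentication` header, and build a least-privilege role payload. The host name and credentials are placeholders; the port (4433), the `/rbac-api/v1` base path, the header name, the CA bundle path, and the `node_groups` / `console_page` permission objects are the PE defaults as documented for the RBAC API, so check them against your PE version.

```python
"""Forming PE RBAC API requests (added example, not from the PE docs or Puppet).

Assumptions: PE_HOST and the login/password are placeholders; port 4433,
the /rbac-api/v1 base path, the X-Authentication header and the CA bundle
path are PE defaults.
"""
import json
import ssl
import urllib.request

PE_HOST = "pe.example.com"                                  # placeholder primary server
RBAC_BASE = f"https://{PE_HOST}:4433/rbac-api/v1"
PE_CA_PEM = "/etc/puppetlabs/puppet/ssl/certs/ca.pem"       # PE CA bundle on the primary


def tls_context(ca_pem=PE_CA_PEM):
    """Verify the server against the PE CA instead of disabling verification (no -k)."""
    return ssl.create_default_context(cafile=ca_pem)


def token_request(login, password, lifetime="1h"):
    """Build the POST that exchanges a login/password for a token.

    A short lifetime limits the damage if the token leaks into a log or shell history.
    """
    body = json.dumps({"login": login, "password": password, "lifetime": lifetime}).encode()
    return urllib.request.Request(
        f"{RBAC_BASE}/auth/token", data=body,
        headers={"Content-Type": "application/json"}, method="POST")


def api_request(token, path, payload=None, method=None):
    """Build an authenticated RBAC API request; the token travels in X-Authentication."""
    data = None if payload is None else json.dumps(payload).encode()
    headers = {"X-Authentication": token}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(
        RBAC_BASE + path, data=data, headers=headers,
        method=method or ("POST" if data is not None else "GET"))


def read_only_role(display_name, description):
    """Least-privilege role payload: view node groups and the console, nothing else."""
    return {
        "display_name": display_name,
        "description": description,
        "permissions": [
            {"object_type": "node_groups", "action": "view", "instance": "*"},
            {"object_type": "console_page", "action": "view", "instance": "*"},
        ],
        "user_ids": [],
        "group_ids": [],
    }


def call(req, ctx=None):
    """Send a request and decode the JSON reply (needs network; not exercised offline)."""
    with urllib.request.urlopen(req, context=ctx or tls_context()) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


if __name__ == "__main__":
    import getpass
    import os
    ctx = tls_context()
    login = os.environ.get("PE_LOGIN", "admin")
    token = call(token_request(login, getpass.getpass(f"PE password for {login}: ")), ctx)["token"]
    print(json.dumps(call(api_request(token, "/users"), ctx), indent=2))
    # Creating the role is a POST to /roles with the payload from read_only_role():
    # call(api_request(token, "/roles", read_only_role("Auditors", "Read-only console access")), ctx)
```

Keep the token out of command lines and logs (pass it in the header, as above, not as a query parameter), request the shortest lifetime the job needs, and revoke tokens for automation accounts when the job is retired.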

Implement firewalls

Firewalls serve as a barrier between a trusted internal network and untrusted external networks, such as the internet. PE runs on an internal network, so firewalling is primarily your responsibility or the responsibility of other system administrators in your organization. For guidelines about configuring firewalls, see Firewall configuration.

Typically, the only exception required for users is port 443, which serves the console, and it should be reachable only from your internal network. To reduce the risk of session hijacking and protocol downgrade, the console service sets only Secure, domain-bound cookies and accepts only HTTPS traffic. Mixed content (a combination of HTTP and HTTPS content) is not allowed. For details, see Adding exceptions for PE ports.

Implement logging

Logging is used to gather operational and security data for a system, identify performance and security issues, and minimize the risk of data breaches.

Logging is enabled by default for all PE services. For details, see Log files installed. File system permissions restrict access to the log files of every service. To find the log files, see Log locations.

Be aware that logging at DEBUG or TRACE level can expose sensitive data, such as request parameters and internal addresses; raise the level back to INFO or above once troubleshooting is done. For many organizations, the most sensitive information in logs is the internal hostname and IP address information. If you must provide logs to Perforce Support for troubleshooting, you can request a redaction tool to remove sensitive data.
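The redaction the paragraph describes, as an added example that is not Perforce's redaction tool and not code from the PE documentation. It masks hostnames under an internal DNS suffix and IPv4 addresses in log text while keeping a stable pseudonym per host, so that support can still correlate events across lines, and it flags DEBUG/TRACE lines, which are the ones most likely to carry sensitive data. The domain `corp.example` and the sample log lines are constructed for the example.

```python
"""Redact internal hostnames and IPs from PE log text before sharing it.

Added example, not Perforce's redaction tool. INTERNAL_DOMAIN and SAMPLE_LOG
are constructed for illustration.
"""
import ipaddress
import re
import sys

INTERNAL_DOMAIN = "corp.example"          # assumption: your internal DNS suffix

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VERBOSE_RE = re.compile(r"\b(?:DEBUG|TRACE)\b")

# Constructed sample lines in a puppetserver-like layout (not real log output).
SAMPLE_LOG = """\
2024-03-01T10:15:02,123 INFO  [qtp-1] [puppetserver] Compiled catalog for web01.corp.example in environment production in 1.23 seconds
2024-03-01T10:15:03,456 DEBUG [qtp-2] [p.s.m.master-core] GET /puppet/v3/file_metadata from 10.20.30.41 (web01.corp.example)
2024-03-01T10:15:04,000 WARN  [qtp-3] [puppetserver] Connection to db01.corp.example:8081 refused
2024-03-01T10:15:05,000 INFO  [main] [puppetserver] agent build 2024.3.1.5 reported 256.1.1.1 as its address
"""


class Redactor:
    """Replace each distinct hostname/IP with a stable pseudonym (host-1, ip-1, ...)."""

    def __init__(self, domain=INTERNAL_DOMAIN):
        self.hostname_re = re.compile(
            r"\b[a-z0-9][a-z0-9.-]*\." + re.escape(domain) + r"\b", re.I)
        self.hosts = {}
        self.ips = {}

    @staticmethod
    def _pseudonym(table, key, prefix):
        if key not in table:
            table[key] = f"{prefix}-{len(table) + 1}"
        return table[key]

    def _ip(self, match):
        text = match.group(0)
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            return text            # dotted quad that is not an address (build numbers, 256.x)
        return self._pseudonym(self.ips, text, "ip")

    def line(self, text):
        text = self.hostname_re.sub(
            lambda m: self._pseudonym(self.hosts, m.group(0).lower(), "host"), text)
        return IPV4_RE.sub(self._ip, text)

    def text(self, log):
        return "\n".join(self.line(line) for line in log.splitlines())


def redact_text(log, domain=INTERNAL_DOMAIN):
    """Redact a whole log; a fresh Redactor keeps pseudonyms consistent within one file."""
    return Redactor(domain).text(log)


def verbose_lines(log):
    """Return the DEBUG/TRACE lines, the ones most likely to leak sensitive detail."""
    return [line for line in log.splitlines() if VERBOSE_RE.search(line)]


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    noisy = verbose_lines(source)
    if noisy:
        print(f"warning: {len(noisy)} DEBUG/TRACE line(s) present", file=sys.stderr)
    print(redact_text(source))
```

Review the output before sending it: the regular expressions cover only the domain you name and IPv4 literals, so hostnames under other suffixes, IPv6 addresses, usernames, and secrets printed at DEBUG level need their own patterns.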