Security and Compliance

TLS Support

All Docker service containers communicate over TLS v1.2, and only TLS-enabled ports are exposed via Docker. For internal inter-container communication in a Singleton deployment, predefined self-signed certificates are used. In high availability deployments, server certificates are used for inter-container communication.

TLS 1.2 Support

Only TLS 1.2 is supported in web-based applications.

TLS 1.0 & TLS 1.1

TLS 1.0 is still supported for backward compatibility with older versions of Cisco Finesse. However, for Finesse 12.0, TLSv1.0 and TLSv1.1 can be blocked in the Communication Server container via the Java security file located at $JAVA_HOME/lib/security/java.security. In the User Management (UMM) container, they can be blocked with the Apache Tomcat connector setting sslEnabledProtocols="TLSv1.2".
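A small audit of the two settings named above, added here as an example (it is not Hybrid Chat's own code): it parses a java.security file for jdk.tls.disabledAlgorithms and a Tomcat server.xml for sslEnabledProtocols. Both sample files, the port and the service name are constructed for the example.

```python
"""Check the two settings the page names for blocking TLS 1.0/1.1: the
jdk.tls.disabledAlgorithms property in java.security and the Tomcat Connector's
sslEnabledProtocols. Added example, not Hybrid Chat's code; samples are constructed."""
import xml.etree.ElementTree as ET

LEGACY = {"TLSv1", "TLSv1.1"}  # protocol names that must not be negotiable

def parse_java_security(text):
    """Parse java.security: key=value lines, '#' comments, backslash continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # continuation: glue the next line onto this one
            logical += line[:-1]
            continue
        key, _, value = (logical + line).partition("=")
        props[key.strip()] = value.strip()
        logical = ""
    return props

def java_security_blocks_legacy(text):
    """True if jdk.tls.disabledAlgorithms lists both TLSv1 and TLSv1.1."""
    algs = parse_java_security(text).get("jdk.tls.disabledAlgorithms", "")
    return LEGACY <= {a.strip() for a in algs.split(",")}

def tomcat_connectors_tls12_only(xml_text):
    """True if every SSLEnabled Tomcat Connector restricts itself to TLSv1.2 (or newer)."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        allowed = {p.strip() for p in conn.get("sslEnabledProtocols", "all").split(",")}
        # "all" (Tomcat's default) defers to the JSSE provider, so it is not a restriction
        if "all" in allowed or allowed & LEGACY:
            return False
    return True

# constructed sample of the relevant java.security line (note the continuation)
SAMPLE_JAVA_SECURITY = """\
# jdk.tls.disabledAlgorithms excerpt, constructed for this example
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
# constructed Tomcat server.xml excerpt for the UMM container
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"/>
</Service></Server>"""
```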

Applying TLS certificates

To apply the TLS certificates, refer to this guide.

Alpine version

Alpine version 3.12 is used for all Java- and Node-based images.


Forward Proxy support

All the internet-facing components support both transparent and explicit forward proxy, for example:

Customer Channel Manager, for sending messages to Facebook, Viber, etc.

Reverse Proxy profile

NGINX is used to enable access to internet-facing components over a single port (HTTPS 443). A second profile exposes only those components that must be reachable from the internet, e.g. Customer Gadget, Chat Server, Customer Channel Manager, etc.


Trivy Docker Images Security Compliance

All images, including third-party images, are scanned with the Trivy vulnerability scanner and are free from the OS-package and npm vulnerabilities it detects.

Hardened third party images

Image    | Alpine version | Hardened | Additional Notes
MySQL    | 3.12.0         | Yes      | All vulnerabilities detected by Trivy removed.
Minio    | 3.10.4         | Yes      | All vulnerabilities detected by Trivy removed.
NGINX    | 3.11.6         | Yes      | All vulnerabilities detected by Trivy removed.
MongoDB  | 3.9.4          | Yes      | All vulnerabilities detected by Trivy removed.
ActiveMQ | 3.12.0         | Yes      | All vulnerabilities detected by Trivy removed.


OWASP Compliance



Code Injection & SQL Injection prevention

Prevention of basic code and SQL injection is already implemented. Further injection-prevention practices will be added to Hybrid Chat in upcoming releases.

OWASP Best Practices for Web

OWASP best practices are implemented in the individual web-based components and in the reverse proxy server.


Rate limits

The reverse proxy is configured to rate-limit incoming traffic in order to mitigate DDoS attacks.


Customer Information Security

Hide Customer Channel Identity

Some use cases require hiding the customer's channel identity from the agent serving the customer. You can configure the system to hide or show the customer channel identity. See the Agent Gadget environment variable HIDE_CHANNEL_IDENTITY.

Secure Chat Transcript

Chat transcripts are served on a separate port, which can be blocked at the firewall. The customer's phone number in the transcript URL is now also encoded.

For access within the enterprise network, a shared username/password may be configured in the environment configuration. If none is specified, the transcripts are visible without authentication.

This basic authentication will be replaced in the next major release with user permissions based on the Identity and Access Management module.

Incognito mode support

In Incognito/private-browsing mode, the customer can now initiate a chat. Hybrid Chat does not depend on local storage or browser cookies: if the browser settings allow cookies/local storage, the system uses them; otherwise, after a browser refresh or a restored internet connection the customer has to re-initiate the chat.


Blocked HTML code in customer message

A customer on web chat cannot send arbitrary HTML; any HTML in the message is delivered as a plain-text message.

Docker CIS Compliance

The following CIS Docker Benchmark checks (image and runtime sections) are implemented.

CIS Reference | Description | Status
4.1  | Ensure a user for the container has been created | PASS
4.2  | Ensure that containers use only trusted base images | PASS
4.4  | Ensure images are scanned and rebuilt to include security patches | PASS
4.6  | Ensure that HEALTHCHECK instructions have been added to container images | PASS
4.9  | Ensure that COPY is used instead of ADD in Dockerfiles | PASS
4.10 | Ensure secrets are not stored in Dockerfiles | PASS
4.11 | Ensure only verified packages are installed | PASS
5.3  | Ensure Linux kernel capabilities are restricted within containers | PASS
5.5  | Ensure sensitive host system directories are not mounted on containers | PASS
5.6  | Ensure sshd is not run within containers | PASS
5.7  | Ensure privileged ports are not mapped within containers | PASS
5.8  | Ensure that only needed ports are open on the container | PASS
5.9  | Ensure the host's network namespace is not shared | PASS
5.10 | Ensure that the memory usage for containers is limited | PASS
5.11 | Ensure CPU priority is set appropriately on the container | PASS
5.13 | Ensure that incoming container traffic is bound to a specific host interface | PASS
5.14 | Ensure that the 'on-failure' container restart policy is set to '5' | PASS
5.15 | Ensure the host's process namespace is not shared | PASS
5.16 | Ensure the host's IPC namespace is not shared | PASS
5.17 | Ensure that the host devices are not directly exposed to containers | PASS
5.19 | Ensure mount propagation mode is not set to "shared" | PASS
5.20 | Ensure the host's UTS namespace is not shared | PASS
5.21 | Ensure the default seccomp profile is not disabled | PASS
5.22 | Ensure docker exec commands are not used with the privileged option | PASS
5.23 | Ensure that docker exec commands are not used with the user=root option | PASS
5.24 | Ensure that cgroup usage is confirmed | PASS
5.26 | Ensure that container health is checked at runtime | PASS
5.28 | Ensure that the PIDs cgroup limit is used | PASS
5.29 | Ensure that Docker's default bridge 'docker0' is not used | PASS
5.30 | Ensure that the host's user namespaces are not shared | PASS
5.31 | Ensure that the Docker socket is not mounted inside any containers | PASS
7.1  | Ensure swarm mode is not enabled, if not needed | PASS
7.2  | Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled) | PASS
7.3  | Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled) | PASS
7.4  | Ensure that all Docker swarm overlay networks are encrypted | PASS
7.5  | Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled) | PASS
7.6  | Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled) | PASS
7.7  | Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled) | PASS
7.8  | Ensure that node certificates are rotated as appropriate (Swarm mode not enabled) | PASS
7.9  | Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled) | PASS
7.10 | Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled) | PASS
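To verify the runtime items in the table on a running deployment, a practitioner can feed `docker inspect <container>` output to a checker like the one below. This is an added example, not Hybrid Chat's tooling or the official CIS scanner: the inspect document is a constructed sample, the mapping from each CIS reference to a field is this example's own reading of the item, and the User name, port and memory values are assumptions.

```python
"""Audit a container's `docker inspect` output against the CIS Docker Benchmark
runtime items listed above. Added example; each predicate is this example's reading
of the CIS item, and the inspect JSON is a constructed sample."""
import json

SENSITIVE_DIRS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")

def _mounts(c):
    return c.get("Mounts") or []

def _bound_to_any(c):
    """True if any published port is bound to all host interfaces (fails 5.13)."""
    ports = c["HostConfig"].get("PortBindings") or {}
    return any(b.get("HostIp") in ("", "0.0.0.0", None)
               for binds in ports.values() for b in binds or [])

# CIS reference -> predicate that is True when the container passes that item
CHECKS = {
    "4.1": lambda c: c["Config"].get("User") not in (None, "", "root", "0"),
    "5.3": lambda c: not c["HostConfig"].get("CapAdd"),
    "5.5": lambda c: not any(m["Source"] in SENSITIVE_DIRS for m in _mounts(c)),
    "5.9": lambda c: c["HostConfig"].get("NetworkMode") != "host",
    "5.10": lambda c: c["HostConfig"].get("Memory", 0) > 0,
    "5.13": lambda c: not _bound_to_any(c),
    "5.14": lambda c: (c["HostConfig"]["RestartPolicy"].get("Name") == "on-failure"
                       and c["HostConfig"]["RestartPolicy"].get("MaximumRetryCount") == 5),
    "5.15": lambda c: c["HostConfig"].get("PidMode") != "host",
    "5.16": lambda c: c["HostConfig"].get("IpcMode") != "host",
    "5.19": lambda c: all(m.get("Propagation") != "shared" for m in _mounts(c)),
    "5.21": lambda c: not any("seccomp" in o and "unconfined" in o
                              for o in c["HostConfig"].get("SecurityOpt") or []),
    "5.26": lambda c: bool(c["Config"].get("Healthcheck")),
    "5.30": lambda c: c["HostConfig"].get("UsernsMode") != "host",
    "5.31": lambda c: not any(m["Source"] == "/var/run/docker.sock" for m in _mounts(c)),
}

def audit(inspect_json):
    """Return {cis_ref: 'PASS'|'FAIL'} for one `docker inspect <id>` document."""
    c = json.loads(inspect_json)[0]  # docker inspect returns a one-element list
    return {ref: "PASS" if ok(c) else "FAIL" for ref, ok in CHECKS.items()}

# constructed sample with two findings planted on purpose: 5.14 and 5.31
SAMPLE = json.dumps([{
    "Config": {"User": "app", "Healthcheck": {"Test": ["CMD", "true"]}},
    "HostConfig": {"NetworkMode": "bridge", "PidMode": "", "IpcMode": "private",
                   "UsernsMode": "", "Memory": 536870912, "CapAdd": None, "SecurityOpt": None,
                   "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
                   "PortBindings": {"443/tcp": [{"HostIp": "10.0.0.5", "HostPort": "443"}]}},
    "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}],
}])
```

Running `audit(SAMPLE)` reports FAIL for 5.14 (restart policy is "always", not on-failure:5) and 5.31 (Docker socket mounted), and PASS for the rest.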