All Docker service containers communicate over TLS 1.2, and only TLS-enabled ports are exposed via Docker. For inter-container communication in a Singleton deployment, predefined self-signed certificates are used; in high-availability deployments, server certificates are used for inter-container communication.
TLS 1.2 Support
Only TLS 1.2 is supported in web-based applications.
TLS 1.0 & TLS 1.1
TLS 1.0 is still supported for backward compatibility with older versions of Cisco Finesse. However, for Finesse 12.0, TLSv1.0 and TLSv1.1 can be blocked in the Communication Server container through the Java security file located at $JAVA_HOME/lib/security/java.security. In the User Management (UMM) container, they can be blocked with the Apache Tomcat connector setting sslEnabledProtocols="TLSv1.2".
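The script below is an added example and is not taken from the Hybrid Chat documentation or its container images. It applies the two settings described above to copies of the relevant files and verifies them: it prepends TLSv1 and TLSv1.1 to jdk.tls.disabledAlgorithms in a java.security file (the text names $JAVA_HOME/lib/security/java.security; the sample contents here are constructed), checks a server.xml for SSL-enabled connectors that carry sslEnabledProtocols="TLSv1.2", and includes an openssl probe for a running endpoint. The sample file contents, the Connector attributes other than sslEnabledProtocols, and the host:port passed to the probe are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the Hybrid Chat docs or images. It applies the
# two settings the text describes on copies of the files and verifies them.
# Sample file contents below are constructed.
set -eu

# Print the complete value of jdk.tls.disabledAlgorithms, joining the
# backslash-continued lines that the stock java.security file uses.
disabled_algorithms() {
  awk '/^jdk\.tls\.disabledAlgorithms=/ { found = 1 }
       found {
         line = $0; sub(/\\$/, "", line); out = out line
         if ($0 !~ /\\$/) { print out; exit }
       }' "$1" | sed 's/^jdk\.tls\.disabledAlgorithms=//'
}

# 0 when both TLSv1 and TLSv1.1 appear as exact tokens (so TLSv1.2 does not count).
legacy_tls_blocked() {
  algs=$(disabled_algorithms "$1")
  printf '%s\n' "$algs" | grep -Eq '(^|[ ,])TLSv1([ ,]|$)' &&
    printf '%s\n' "$algs" | grep -Eq '(^|[ ,])TLSv1\.1([ ,]|$)'
}

# Block TLSv1.0/1.1 by prepending both names to the property. Prepending keeps
# any continuation lines intact; a duplicated name is harmless to the JVM.
# If the property is absent it is appended. Edits go through a temp file so
# the same sed invocation works on GNU and BSD.
block_legacy_tls() {
  if legacy_tls_blocked "$1"; then return 0; fi
  if ! grep -q '^jdk\.tls\.disabledAlgorithms=' "$1"; then
    printf 'jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1\n' >> "$1"
    return 0
  fi
  sed 's/^\(jdk\.tls\.disabledAlgorithms=\)/\1TLSv1, TLSv1.1, /' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# The UMM container does the same at the Tomcat connector. Returns 0 when every
# SSL-enabled Connector in server.xml carries sslEnabledProtocols="TLSv1.2".
# Assumes one Connector element per line, as in the constructed sample.
tomcat_tls12_only() {
  total=$(grep -c 'SSLEnabled="true"' "$1" || true)
  strict=$(grep 'SSLEnabled="true"' "$1" | grep -c 'sslEnabledProtocols="TLSv1.2"' || true)
  [ "$total" -gt 0 ] && [ "$total" -eq "$strict" ]
}
# Constructed sample connector; attributes other than sslEnabledProtocols are assumptions.
SAMPLE_CONNECTOR='<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" sslEnabledProtocols="TLSv1.2" keystoreFile="conf/umm.jks" />'

# Black-box confirmation against a running endpoint (needs openssl; not run in
# the demo): the TLSv1.1 handshake must be refused and the TLSv1.2 one accepted.
# An OpenSSL built without TLS 1.1 fails the first command for the wrong
# reason, so read the error text when in doubt.
probe_legacy_tls() {
  ! openssl s_client -connect "$1" -tls1_1 </dev/null >/dev/null 2>&1 &&
    openssl s_client -connect "$1" -tls1_2 </dev/null >/dev/null 2>&1
}

# Demo on a constructed excerpt of a stock java.security (TLSv1/1.1 not yet disabled).
tmp=$(mktemp)
printf '%s\n' \
  'jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \' \
  '    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL' > "$tmp"
echo "before: $(disabled_algorithms "$tmp")"
block_legacy_tls "$tmp"
echo "after:  $(disabled_algorithms "$tmp")"
legacy_tls_blocked "$tmp" && echo "java.security: TLSv1.0/1.1 blocked"
printf '%s\n' "$SAMPLE_CONNECTOR" > "$tmp"
tomcat_tls12_only "$tmp" && echo "server.xml: TLSv1.2 only"
rm -f "$tmp"
```

Run as-is it shows the constructed java.security excerpt before and after the change. Against a real container, point block_legacy_tls at $JAVA_HOME/lib/security/java.security, restart the service, and then call probe_legacy_tls host:port from outside the container to confirm that a TLSv1.1 handshake is refused while TLSv1.2 still succeeds.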
Applying TLS certificates
To apply the TLS certificates, refer to this guide.
Alpine version 3.12 is used for all Java- and Node-based images.
Forward Proxy support
All the internet-facing components support both transparent and explicit forward proxy.
Customer Channel Manager: for sending messages to Facebook, Viber, etc.
Reverse Proxy profile
NGINX is used to enable access to internet-facing components over a single port (HTTPS 443). A second profile exposes only those components that need to be reachable from the internet, e.g. Customer Gadget, Chat Server, Customer Channel Manager, etc.
Trivy Docker Images Security Compliance
All images, including third-party images, are free from the OS and NPM vulnerabilities detected by the Trivy vulnerability scanner.
Hardened third-party images
| Image    | Alpine version | Hardened                                       | Additional Notes |
| MySQL    | 3.12.0         | All vulnerabilities detected by Trivy removed. |                  |
| MinIO    | 3.10.4         | All vulnerabilities detected by Trivy removed. |                  |
| NGINX    | 3.11.6         | All vulnerabilities detected by Trivy removed. |                  |
| MongoDB  | 3.9.4          | All vulnerabilities detected by Trivy removed. |                  |
| ActiveMQ | 3.12.0         | All vulnerabilities detected by Trivy removed. |                  |
Code Injection & SQL Injection prevention
Basic code and SQL injection prevention is already implemented. Further injection-prevention practices will be added to Hybrid Chat in upcoming releases.
OWASP Best Practices for Web
OWASP best practices are implemented in the individual web-based components and in the reverse proxy server.
The reverse proxy is configured to rate-limit incoming traffic to mitigate DDoS attacks.
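The following is an added example, not the project's own NGINX configuration: a reverse proxy profile of the kind described in the Reverse Proxy profile section and here, exposing only the internet-facing components over port 443 with TLS 1.2 only and per-client rate limiting, together with the checks a deployment script can run against such a file before reloading NGINX. Upstream names (chat-server, customer-gadget, ccm), the URL paths, the certificate paths and the rate limits are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own NGINX profile. Upstream names, paths and
# limits are assumptions; certificate paths are placeholders.
set -eu

# Write the internet-facing profile: one HTTPS port, TLS 1.2 only, only the
# components that must be reachable from the internet, per-client rate limits.
write_internet_profile() {
  cat > "$1" <<'EOF'
events {}
http {
    # Per-client request and connection budgets (keyed on the source address).
    limit_req_zone  $binary_remote_addr zone=per_ip:10m rate=20r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    server {
        listen 443 ssl;
        server_name chat.example.com;

        ssl_certificate     /etc/nginx/certs/server.crt;
        ssl_certificate_key /etc/nginx/certs/server.key;
        ssl_protocols       TLSv1.2;

        limit_req  zone=per_ip burst=40 nodelay;
        limit_conn conn_per_ip 20;

        # Only the internet-facing components are routed.
        location /chat-server/     { proxy_pass https://chat-server:8443/; }
        location /customer-gadget/ { proxy_pass https://customer-gadget:8443/; }
        location /ccm/             { proxy_pass https://ccm:8443/; }

        # Everything else is unreachable through this profile.
        location / { return 404; }
    }
}
EOF
}

# Checks a deploy script can run against a profile. Each takes the config
# path and returns 0 on pass.

# TLS 1.2 is offered and no legacy protocol is listed (assumes one ssl_protocols line).
tls12_only() {
  grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1\.2' "$1" &&
    grep -E '^[[:space:]]*ssl_protocols' "$1" | grep -Eqv '(TLSv1|TLSv1\.1|SSLv3)([ ;]|$)'
}

# A limit_req zone is both defined and applied.
rate_limited() {
  grep -Eq '^[[:space:]]*limit_req_zone' "$1" &&
    grep -Eq '^[[:space:]]*limit_req[[:space:]]+zone=' "$1"
}

# Every listen directive is 443 with ssl (no plain-HTTP or extra ports).
single_https_port() {
  total=$(grep -cE '^[[:space:]]*listen[[:space:]]' "$1" || true)
  https=$(grep -cE '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$1" || true)
  [ "$total" -gt 0 ] && [ "$total" -eq "$https" ]
}

# List the location prefixes the profile exposes, for review.
exposed_paths() {
  sed -n 's/^[[:space:]]*location[[:space:]]*\([^ {]*\).*/\1/p' "$1"
}

# Demo: write the profile to a temp file and run the checks on it.
tmp=$(mktemp)
write_internet_profile "$tmp"
for check in tls12_only rate_limited single_https_port; do
  if "$check" "$tmp"; then echo "PASS $check"; else echo "FAIL $check"; fi
done
echo "exposed paths: $(exposed_paths "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

The catch-all location returning 404 is what makes this the restricted profile: a component that is not listed is not reachable through port 443 at all, rather than being reachable and merely unadvertised. The grep-based checks are deliberately strict (a single ssl_protocols directive, every listen on 443 ssl), which suits a generated profile like this one; run nginx -t as well once the certificate files are in place.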
Customer Information Security
Hide Customer Channel Identity
Some use cases require hiding the customer's channel identity from the agent serving the customer. You can configure the system to hide or show the customer channel identity. See Agent Gadget Environment Variable.
Secure Chat Transcript
Chat transcripts are exposed on a separate port and may be blocked via firewall. The customer's phone number in the transcript URL is also encoded.
For access within the enterprise network, a shared username/password may be configured in the environment configurations. If not specified, the transcripts are visible without authentication.
This basic authentication will be replaced in the next major release with user permissions based on the Identity and Access Management module.
Incognito mode support
In Incognito/private-browsing mode, the customer can now initiate a chat. Hybrid Chat does not rely on local storage or browser cookies: if the browser settings allow cookies/local storage, the system uses them; otherwise, on a browser refresh or after the internet connection is restored, the customer has to re-initiate the chat.
Blocked HTML code in customer message
A customer on web chat cannot send arbitrary HTML; any HTML in the message is delivered as a plain-text message.
Docker CIS Compliance
The following points (regarding images and runtime) are implemented.
Ensure a user for the container has been created
Ensure that containers use only trusted base images
Ensure images are scanned and rebuilt to include security patches
Ensure that HEALTHCHECK instructions have been added to container images
Ensure that COPY is used instead of ADD in Dockerfiles
Ensure secrets are not stored in Dockerfiles
Ensure only verified packages are installed
Ensure Linux Kernel Capabilities are restricted within containers
Ensure sensitive host system directories are not mounted on containers
Ensure sshd is not run within containers
Ensure privileged ports are not mapped within containers
Ensure that only needed ports are open on the container
Ensure the host's network namespace is not shared
Ensure that the memory usage for containers is limited
Ensure CPU priority is set appropriately on the container
Ensure that incoming container traffic is bound to a specific host interface
Ensure that the 'on-failure' container restart policy is set to '5'
Ensure the host's process namespace is not shared
Ensure the host's IPC namespace is not shared
Ensure that the host devices are not directly exposed to containers
Ensure mount propagation mode is not set to "shared"
Ensure the host's UTS namespace is not "shared"
Ensure the default seccomp profile is not Disabled
Ensure docker exec commands are not used with privileged option
Ensure that docker exec commands are not used with the user=root option
Ensure that cgroup usage is confirmed
Ensure that container health is checked at runtime
Ensure that the PIDs cgroup limit is used
Ensure that Docker's default bridge 'docker0' is not used
Ensure that the host's user namespaces are not shared
Ensure that the Docker socket is not mounted inside any containers
Ensure swarm mode is not Enabled, if not needed
Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled)
Ensure that all Docker swarm overlay networks are encrypted
Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled)
Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled)
Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
Ensure that node certificates are rotated as appropriate (Swarm mode not enabled)
Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled)
Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled)
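The script below is an added example and is not part of the Hybrid Chat project. It is a pre-deploy checker for the image-level items above (a non-root user, a HEALTHCHECK, COPY rather than ADD, no secrets in the Dockerfile) with a Trivy gate for the scanned-and-rebuilt item (which also covers the Trivy compliance section earlier on the page), together with the docker run flags that implement the container-level items and a lint of those flags. The two Dockerfiles are constructed; service names, ports, the uid and the health URL are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Hybrid Chat project: a pre-deploy checker for
# the image-level CIS items plus the runtime flags for the container-level
# items. Dockerfiles, service names, ports and URLs are constructed.
set -eu

# Constructed Dockerfile that satisfies the image-level checks.
GOOD_DOCKERFILE='FROM alpine:3.12
RUN addgroup -S app && adduser -S -G app -u 1000 app
COPY --chown=app:app build/ /opt/app/
USER app
HEALTHCHECK --interval=30s --timeout=5s CMD wget -qO- http://127.0.0.1:8080/health || exit 1
ENTRYPOINT ["/opt/app/run"]'

# Constructed Dockerfile with the defects the checks look for.
BAD_DOCKERFILE='FROM alpine:3.12
ADD build.tar.gz /opt/app/
ENV DB_PASSWORD=changeme
ENTRYPOINT ["/opt/app/run"]'

# Each image check takes the Dockerfile text as $1 and returns 0 on pass.
has_nonroot_user() {
  # The last USER instruction wins and must not be root or uid 0.
  printf '%s\n' "$1" | grep -E '^USER[[:space:]]+' | tail -n 1 |
    grep -Eqv '^USER[[:space:]]+(root|0)([[:space:]:]|$)'
}
has_healthcheck()   { printf '%s\n' "$1" | grep -Eq '^HEALTHCHECK[[:space:]]'; }
uses_copy_not_add() { ! printf '%s\n' "$1" | grep -Eq '^ADD[[:space:]]'; }
no_baked_secrets() {
  # Heuristic: ENV/ARG names that look like credentials.
  ! printf '%s\n' "$1" |
    grep -Eiq '^(ENV|ARG)[[:space:]]+[A-Z0-9_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*([=[:space:]]|$)'
}
dockerfile_compliant() {
  has_nonroot_user "$1" && has_healthcheck "$1" && uses_copy_not_add "$1" && no_baked_secrets "$1"
}

# "Images are scanned and rebuilt": fail the pipeline on fixable HIGH/CRITICAL
# findings. Needs trivy on the PATH, so the demo does not call it.
scan_gate() { trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$1"; }

# Runtime flags for one service: $1 = host interface to bind, $2 = host port
# (unprivileged), $3 = container port. Health is checked at runtime through the
# image's HEALTHCHECK. What is absent matters as much as what is present: no
# --privileged, no --network/--pid/--ipc/--uts/--userns host, no docker.sock
# bind mount, no seccomp=unconfined, no shared mount propagation.
hardened_run_args() {
  printf '%s ' \
    --user 1000:1000 \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --read-only --tmpfs /tmp \
    --memory 512m --cpu-shares 512 --pids-limit 200 \
    --restart on-failure:5 \
    --network hybridchat-net \
    --publish "$1:$2:$3"
}

# Lint a docker run argument string against the container-level items: no
# forbidden option, restart policy on-failure:5, and every published port
# bound to an explicit interface on an unprivileged host port.
audit_run_args() {
  args=" $1 "
  for bad in '--privileged' '--net host' '--net=host' '--network host' '--network=host' \
             '--pid host' '--pid=host' '--ipc host' '--ipc=host' '--uts host' '--uts=host' \
             '--userns host' '--userns=host' 'seccomp=unconfined' \
             '/var/run/docker.sock' 'propagation=shared'; do
    case "$args" in *"$bad"*) echo "forbidden: $bad" >&2; return 1;; esac
  done
  case "$args" in *"--restart on-failure:5"*|*"--restart=on-failure:5"*) ;;
    *) echo "restart policy must be on-failure:5" >&2; return 1;; esac
  for spec in $(printf '%s\n' "$1" | grep -Eo '(-p|--publish)[ =][^ ]+' | sed -E 's/^(-p|--publish)[ =]//'); do
    case "$spec" in *:*:*) ;; *) echo "not bound to an interface: $spec" >&2; return 1;; esac
    rest=${spec#*:}; hostport=${rest%%:*}
    [ "$hostport" -ge 1024 ] || { echo "privileged host port: $spec" >&2; return 1; }
  done
  return 0
}

# Demo on the constructed inputs.
if dockerfile_compliant "$GOOD_DOCKERFILE"; then echo "GOOD_DOCKERFILE: pass"; else echo "GOOD_DOCKERFILE: FAIL"; fi
if dockerfile_compliant "$BAD_DOCKERFILE"; then echo "BAD_DOCKERFILE: pass"; else echo "BAD_DOCKERFILE: FAIL"; fi
args=$(hardened_run_args 10.0.0.5 8443 8443)
audit_run_args "$args" && echo "run args: pass"
echo "docker run $args hybridchat/chat-server:1.0"
```

The image checks are line-based heuristics meant to catch the common mistakes before a build, not a replacement for a full Dockerfile linter; the secret check in particular only looks at variable names. The run-args lint encodes the swarm-independent runtime items as a gate for deploy scripts, so a later edit that adds --privileged or a docker.sock mount fails the pipeline instead of silently widening the container's reach.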