Documentum Security Best Practices Update

Late last week (6/6/2013), EMC released a security advisory (ESA) for all versions of Documentum Content Server using ACS and BOCS.  The advisory is an update to Documentum security best practices for securing communications between browser clients and the Documentum Content Server.  The advisory applies to all consumers of ACS/BOCS URLS including Taskspace and Webtop.  The ESA can be found here.  The recommended “fix” can be found here.

The gist of the fix is to enable the URL validation filter, which allows an ACS/BOCS URL to be used only once.  This setting (in the web.xml file of the acs.war and boc.war) is disabled by default for better backward compatibility.

After making this configuration change, you will need to upgrade all of your UCF clients to support this new security configuration.  Minimum upgrades are:

  • Documentum 7.0 Patch 05,
  • Documentum 6.6 Patch 32,
  • Documentum 6.7 SP1 Patch 15, or
  • Documentum 6.7 SP2

About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.

3 Responses to Documentum Security Best Practices Update

  1. Stefano says:

    Hi Scott,
    I do appreciate your blog. It has been helpful in many cases.
    I use an environment where ACS is used and enabled, but no BOCS server is configured (although in Distributed Transfer Setting properties there’s the “BOCS Pre-caching” flag set).
    Content Server Version is P2000 Linux.Oracle.
    Webtop is exposed as a service in a protected intranet and is rarely used, because most of functionalities is exposed from web services.
    Administrators use DA’s interface.
    In your opinion, is it really necessary to make these changes (especially in our case)?


    • Scott says:

      Stefano, thanks for the comment. I think I would seriously consider making the changes. Assuming your web services at some point invoke the UCF to retrieve content you would still be open for someone to reuse a URL and potentially circumvent your security. It might be harder because the web service invokes the call and not the web app directly, but still possible.


  2. Pingback: How To Fix Internal Error 2356 Errors - Windows Vista, Windows 7 & 8

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: