Security Considerations

Here are security configuration considerations you should address to ensure the secure operation of the Archer Engage Agent when maintaining your environment.

On this page

Ports

The API hosted in the Engage Agent uses port 5001. To ensure a successful SSL handshake between the Engage Agent and Archer, verify that port 5001 is open on the server hosting the Engage Agent.

SSL

Archer and the Engage Agent use the same X. 509 Certificate to connect to the Configuration Service. For more information on certificates, see Preparing for Installation.

Note: Use a CA-signed SSL certificate. Using a self-signed certificate requires establishing a chain of trust between the Engage Agent and your Archer instance.

There is an option to bypass SSL-related errors for Archer SSL-enabled endpoints. If Archer and Engage Agent are in a network of trusted boundary, you can turn this on or off in the PortalDataStore.json.

In the ArcherSettings section of the PortalDataStore.json, locate BypassSslErrors. By default, it is set to false, which means that SSL processing goes through complete certification validation without skipping errors or warnings while communicating to the Archer SSL-enabled endpoints. Keep BypassSslErrors set to false if the Archer and Engage Agent are not within a trusted boundary and you have already set up the Archer SSL-enabled endpoints with proper certificates by establishing trust for the same on the client side.

If you set BypassSslErrors to true, then the SSL-related errors and warnings are skipped, and no certification validation takes place at the time of the SSL handshake. Only set BypassSslErrors to true if Archer and Engage Agent are within a trusted boundary. This allows you to use any signed certificate for SSL at the Archer end, including the one Archer provides by default for ConfigurationService.

Service Account

The Engage Agent creates a new dedicated service account for your Archer instance. The Engage Agent uses this account to run the Archer RESTful APIs necessary to gather metadata, content, and permissions to support its publish and sync functions.

CSRF Token

The Engage Agent uses a CSRF token to verify that the Archer user who initiated the publish request has Read access to the Archer content. This session token is located in the browser cookie, and any call made to the Archer Web server has the cookie attached.

Encryption

The Engage Agent generates a 256-bit Data Encryption Key (DEK) for each Archer instance and a separate DEK for common installation settings across all Archer instances. The DEKs are encrypted with a pre-existing 128-bit Key Encryption Key (KEK) and stored in PortalDataStore.json.

Authentication

After onboarding the Archer instance to the Engage Agent, the Agent creates a Cognito User pool and RDS database for that Archer instance. Each Archer Instance has a unique identifier called a TenantID in Engage. For every request the Archer instance makes to the Engage Agent, the Agent uses the PortalUserName and PortalPassword fields to authenticate the Archer Instance with the Portal.

ADDRESS	ABOUT ARCHER	CUSTOMERS
13200 Metcalf Ave	Events	Archer Academy
Suite 300	Resources	Archer Exchange
Overland Park, KS 66213	Services	Support
	About Us	Archer Community