Archivematica 1.11.2 is a legacy release, and these documents are no longer being maintained.

Sécurité

Important

Par mesure de sécurité, il est recommandé de changer les mots de passe par défaut après avoir configuré Archivematica.

Cette page présente différents paramètres de sécurité et de configuration pour Archivematica.

Contrôle de l’accès à ElasticSearch

The only way to limit access to Elasticsearch, currently, is using your server’s firewall configuration. You’ll likely want to configure your server’s firewall to limit access to Elasticsearch’s TCP/IP port (9200). It is recommended to only allow access by 127.0.0.1 (the server itself) and the IPs of any other servers or workstations that should be able to access it.

Important

Si vous utilisez AtoM comme système d’accès, n’oubliez pas d’effectuer cette tâche sur votre index Elasticsearch d’AtoM. C’est une étape importante puisque votre site AtoM est plus susceptible d’avoir une adresse IP publique.

For more advanced Elasticsearch installations follow their security documentation. The archivematica_src_elasticsearch_host configuration attribute accepts RFC-1738 formatted URLs (e.g.: https://user:secret@host:443).

MySQL

You should create a new MySQL user or change the password of the default archivematica MySQL user. The change the password of the default user, enter the following into the command-line:

$ mysql -u root -p<your MyQL root password> -D mysql \
   -e "SET PASSWORD FOR 'archivematica'@'localhost' = PASSWORD('<new password>'); \
   FLUSH PRIVILEGES;"

Once you’ve done this you can change Archivematica’s MySQL database access credentials by editing your system files and changing the following values for each of the following components.

The components can be found in different locations depending on the Operating System.

For Ubuntu systems:

  • /etc/default/archivematica-dashboard
  • /etc/default/archivematica-mcp-client
  • /etc/default/archivematica-mcp-server
  • /etc/default/archivematica-storage-service

For CentOS/Red Hat systems:

  • /etc/sysconfig/archivematica-dashboard
  • /etc/sysconfig/archivematica-mcp-client
  • /etc/sysconfig/archivematica-mcp-server
  • /etc/sysconfig/archivematica-storage-service

The variables are different depending on the component. These are the following variables to change per component:

Dashboard:

  • ARCHIVEMATICA_DASHBOARD_CLIENT_DATABASE
  • ARCHIVEMATICA_DASHBOARD_CLIENT_HOST
  • ARCHIVEMATICA_DASHBOARD_CLIENT_PASSWORD
  • ARCHIVEMATICA_DASHBOARD_CLIENT_USER

MCPClient:

  • ARCHIVEMATICA_MCPCLIENT_CLIENT_DATABASE
  • ARCHIVEMATICA_MCPCLIENT_CLIENT_HOST
  • ARCHIVEMATICA_MCPCLIENT_CLIENT_PASSWORD
  • ARCHIVEMATICA_MCPCLIENT_CLIENT_USER

MCPServer:

  • ARCHIVEMATICA_MCPSERVER_CLIENT_DATABASE
  • ARCHIVEMATICA_MCPSERVER_CLIENT_HOST
  • ARCHIVEMATICA_MCPSERVER_CLIENT_PASSWORD
  • ARCHIVEMATICA_MCPSERVER_CLIENT_USER

Storage Service when using sqlite3:

  • SS_DB_NAME
  • SS_DB_HOST
  • SS_DB_PASSWORD
  • SS_DB_USER

Storage Service when using MySQL:

  • SS_DB_URL

For Storage Service MySQL database see: Storage Service application-specific-environment-variables.

AtoM

In addition to changing the MySQL credentials, if you’ve also installed AtoM you’ll want to set the password for it as well. Note that after changing your AtoM credentials you should update the credentials on the AtoM DIP upload administration page as well.

Gearman

Archivematica relies on the German server for queuing work that needs to be done. Gearman currently doesn’t support secured connections so Gearman should be run locally or on a secure, isolated network. See issue #1345.

Sécurité des utilisateurs

We added support for two authentication backends in Archivematica 1.7: LDAP and Shibboleth. Authentication backends provide an extensible system for when a username and password stored with the user model need to be authenticated against a different service than the default.

This feature relies on the authentication infrastructure provided by the Django web framework. Check out their docs for more details!

Important

Please note that this is a new feature as of Archivematica 1.7 that has been minimally tested outside of the development environment. If you experience any problems with the feature, please consider creating a GitHub issue or creating a post in the Archivematica Google Group. The configuration mechanism has some rough edges so it is recommended for advanced users only.

Configuration du protocole LDAP

LDAP is a directory service protocol used for, among other things, authentication and authorization. This feature allows administrators to deploy the Archivematica Dashboard Django application with LDAP authentication.

This functionality has not been made available yet in the Storage Service.

LDAP backend configuration

  1. Enable the authentication backend using the environment variable ARCHIVEMATICA_DASHBOARD_DASHBOARD_LDAP_AUTHENTICATION. You can find more details about this environment string in the configuration document.
  2. Customize the ldap_auth.py settings module as needed. Open the file to find what are the existing environment variable lookups. You can inject the configuration via the environment string or changing the settings mode manually.
  3. Relancer le tableau de bord Archivematica.

Configuration de Shibboleth

Shibboleth is a federated identity solution that provides Single Sign-On authentication and authorization. This feature allows administrators to deploy both the Archivematica Dashboard and Storage Service Django applications with Shibboleth authentication.

Shibboleth backend configuration in Archivematica Dashboard

  1. Enable the authentication backend using the environment variable SS_SHIBBOLETH_AUTHENTICATION. You can find more details about this environment string in the configuration document.
  2. Customize the shibboleth_auth.py settings module as needed.
  3. Relancer le tableau de bord Archivematica.

Shibboleth backend configuration in Storage Service

  1. Enable the authentication backend using the environment variable SS_SHIBBOLETH_AUTHENTICATION. Assign a string value true to enable it.
  2. Customize the base.py settings module as needed.
  3. Relancer le Service de stockage.

CA certificates

Archivematica uses a HTTP library called Requests. There are two main approaches for dealing with the updates of the root CAs sets:

Upgrade the certifi package frequently

There are three virtual environments where Requests is used: MCPClient, Dashboard and Storage Service. This is how you can update certifi across the three environments:

$ sudo /usr/share/archivematica/virtualenvs/archivematica-dashboard/bin/pip install -U certifi
$ sudo /usr/share/archivematica/virtualenvs/archivematica-mcp-client/bin/pip install -U certifi
$ sudo /usr/share/archivematica/virtualenvs/archivematica-storage-service/bin/pip install -U certifi

The services need to be restarted after the update, for example if you are using systemd:

$ sudo systemctl restart archivematica-dashboard
$ sudo systemctl restart archivematica-mcp-client
$ sudo systemctl restart archivematica-storage-service

Use the environment string REQUESTS_CA_BUNDLE

Requests honours the environment string REQUESTS_CA_BUNDLE so the administrator can indicate a custom bundle which could be the system’s CA bundle.

  • The Ubuntu system’s CA bundle file is /etc/ssl/certs/ca-certificates.crt.
  • The CentOS system’s CA bundle file is /etc/pki/tls/certs/ca-bundle.crt.

On Ubuntu, add the following line to the /etc/default/archivematica-* files to use the system’s CA bundle:

REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

On CentOS, add the following line to the /etc/default/archivematica-* files to use the system’s CA bundle:

REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

Trusting additional CAs

If you are using REQUESTS_CA_BUNDLE you may want to trust additional CAs.

On CentOS:

  • Copy the .crt file to /etc/pki/ca-trust/source/anchors on your CentOS machine.
  • Run the update-ca-trust extract command.

The /etc/pki/tls/certs/ca-bundle.crt file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

On Ubuntu:

  • Copy the .crt file to /usr/local/share/ca-certificates on your Ubuntu machine.
  • Run the update-ca-certificates command.

This will create a new /etc/ssl/certs/ca-certificates.crt file.

Retour en haut de page