Tag Archives: DXP

Cyber security tips for Portals – Generated by ChatGPT & GEMINI – Part 1

Cyber security is a critical concern for portal applications, which often serve as gateways to a wide range of resources and services. Here are some vital tips to enhance the cyber security posture of portal applications:

1. Use Strong Authentication Mechanisms: Implement multi-factor authentication (MFA) to add an extra layer of security beyond just usernames and passwords. Consider integrating biometric authentication, security tokens, or one-time password (OTP) systems.

2. Encrypt Data In Transit and At Rest: Use TLS (version 1.2 or later, with HSTS enabled) for data in transit. For data at rest, ensure that databases and file storage are encrypted with current standards such as AES-256, with the keys kept separate from the data they protect.

3. Regularly Update and Patch Systems: Keep all software components, including the web server, database, and any third-party libraries, up to date with the latest security patches. Regular updates protect against vulnerabilities that attackers could exploit.

4. Implement Access Control and Authorization: Use role-based access control (RBAC) so that users can only reach the information and functions relevant to their roles, and enforce every check on the server side. The principle of least privilege should be strictly followed.

5. Secure APIs: If your portal interacts with other services through APIs, ensure those APIs are secured against common threats as defined by the OWASP API Security Top 10. Implement API rate limiting, access control, and ensure sensitive data is not exposed unnecessarily.

6. Conduct Regular Security Audits and Penetration Testing: Regularly assess the security of your portal application through audits and penetration testing. This helps identify and mitigate vulnerabilities before they can be exploited.

7. Protect Against Web Application Attacks: Use secure coding practices (parameterized queries, context-aware output encoding, anti-CSRF tokens) as the primary defence against SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF), and a web application firewall (WAF) as an additional layer, not a substitute.

8. Monitor and Log Activity: Implement comprehensive logging and monitoring solutions to detect suspicious activities early. Regularly review logs for anomalies and signs of breaches.

9. Secure Session Management: Issue session identifiers from a cryptographically secure random source, regenerate them on login, set the Secure, HttpOnly and SameSite cookie attributes, and enforce both idle and absolute session timeouts to prevent session hijacking and fixation attacks.

10. Educate Users: Conduct regular cybersecurity awareness training for all users of the portal. Educating users about phishing, safe browsing practices, and the importance of strong passwords can significantly reduce security risks.

11. Backup Data Regularly: Regular backups are essential for recovery in case of a cyber attack leading to data loss. Ensure backups are secure and tested regularly for integrity.

12. Compliance and Privacy: Ensure compliance with relevant legal and regulatory requirements, such as GDPR, HIPAA, or CCPA, which may dictate specific security and privacy measures.

Implementing these security measures can significantly reduce the risk of cyber attacks and data breaches in portal applications. Continuous attention to security, regular updates, and educating users are key components of a robust cyber security strategy.

Here’s a breakdown of cybersecurity tips specifically tailored for portal applications:

1. Authentication and Authorization

  • Strong Passwords: Enforce a minimum length rather than complexity rules, check new passwords against breached-password lists, and do not force periodic changes: NIST SP 800-63B advises rotating only on evidence of compromise, since forced rotation pushes users toward predictable variations. Recommend password managers to help users.
  • Multi-Factor Authentication (MFA): Add an extra security layer with MFA. Prefer authenticator apps or hardware keys (FIDO2/WebAuthn, which are phishing-resistant) over SMS codes, which can be intercepted through SIM swapping.
  • Role-Based Access Control (RBAC): Define granular access permissions based on user roles and responsibilities to limit the impact of any compromised account.
  • Session Management: Implement idle session timeouts and proper logout mechanisms to prevent unauthorized access.

2. Secure Coding Practices

  • Input Validation: Validate all user input against an allow-list of expected formats, and use parameterized queries (prepared statements) for database access; sanitizing strings alone does not reliably prevent SQL injection.
  • Output Encoding: Encode output for the context it is rendered in (HTML body, attribute, JavaScript, URL) to mitigate cross-site scripting (XSS); a single generic encoder is not enough.
  • Secure Development Lifecycle (SDLC): Integrate security from the design phase, through development and testing. Include regular vulnerability scanning.
  • Use Established Frameworks: Choose well-maintained frameworks that prioritize security.
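As an added example (not code from the original post or from any portal product), the input validation and output encoding points above side by side: a deliberately vulnerable lookup that splices user input into SQL, the parameterized version of the same query, allow-list validation of the input, and context-aware encoding of the output. The users table, its rows and the username format are constructed for the demonstration; the script uses only Python's standard library.

```python
"""Added example (not from the original post): string-built SQL versus a
parameterized query, allow-list input validation, and HTML output encoding.
Uses the stdlib sqlite3 module; the users table and rows are constructed
here purely for demonstration."""
import html
import re
import sqlite3

# Constructed sample data: a tiny users table with two accounts.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "admin"),
    ("bob", "bob@example.org", "viewer"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the username is spliced into the SQL text,
    so whoever controls the value also controls the query structure."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed username policy for this example: lowercase alphanumerics plus _ . -
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def is_valid_username(username: str) -> bool:
    """Positive (allow-list) validation: accept only the shape a username may
    legitimately have. This shrinks the attack surface but is not a
    substitute for parameterization."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting(display_name: str) -> str:
    """Context-aware output encoding for an HTML element body: html.escape
    neutralises <, >, &, and quotes so a stored payload cannot become markup."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))      # both rows leak
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("valid input?", is_valid_username(payload))          # False
    print(render_greeting("<script>alert(1)</script>"))
```

The vulnerable function returns every row for the classic `' OR '1'='1` payload because the quote closes the literal and the rest becomes part of the WHERE clause; the parameterized version returns nothing, since the whole string is compared as a value. Validation rejects the payload before it reaches the database, and the encoder turns a script tag into inert text.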

3. Encryption

  • HTTPS Everywhere: Use TLS (HTTPS) to encrypt all portal traffic in transit, protecting sensitive data.
  • Data at Rest Encryption: Encrypt sensitive data stored within databases or file systems.
  • Password Hashing: Store passwords only as salted hashes from a deliberately slow algorithm (Argon2id, scrypt or bcrypt), never in plain text and never with fast hashes such as MD5 or SHA-1.
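As an added example (not code from the original post or from any portal product) covering the session management item under Authentication and Authorization and the password hashing item above: salted scrypt hashing with constant-time verification, and a session record with idle and absolute timeouts whose cookie carries the Secure, HttpOnly and SameSite attributes. Standard library only; the cost parameters, timeout values and cookie name are assumptions chosen for the demonstration.

```python
"""Added example (not from the original post): scrypt password hashing with
a per-password salt and constant-time verification, plus session handling
with timeouts, ID rotation and a hardened Set-Cookie value. The cost
parameters, timeouts and cookie name are assumed values for illustration."""
import base64
import hashlib
import hmac
import os

# scrypt cost parameters (assumed): N=2**14, r=8, p=1 needs about 16 MiB per
# hash, slow enough to blunt offline guessing, fast enough for logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
DKLEN = 32

# Session policy (assumed): 15 minutes idle, 8 hours absolute.
SESSION_IDLE_TIMEOUT = 15 * 60
SESSION_ABSOLUTE_LIFETIME = 8 * 60 * 60


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$hash'; the salt is 16 fresh random bytes, so
    identical passwords never produce identical records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM,
                            dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so response timing does not leak how much matched."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=int(n),
                                r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM,
                                dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(actual, expected)


def new_session_id() -> str:
    """128 bits from the OS CSPRNG; never derived from user or time data."""
    return base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")


class Session:
    def __init__(self, user: str, now: float):
        self.id = new_session_id()
        self.user = user
        self.created = now
        self.last_seen = now

    def touch(self, now: float) -> bool:
        """Refresh last_seen and return True while the session is valid;
        return False once the idle or absolute limit has been exceeded."""
        if now - self.last_seen > SESSION_IDLE_TIMEOUT:
            return False
        if now - self.created > SESSION_ABSOLUTE_LIFETIME:
            return False
        self.last_seen = now
        return True

    def rotate(self) -> str:
        """Issue a new ID on login and on privilege change, so an ID planted
        before authentication is never promoted (the fixation defence)."""
        self.id = new_session_id()
        return self.id


def session_cookie(session: Session, name: str = "PORTALSESSION") -> str:
    """Set-Cookie value: HttpOnly keeps scripts away from the ID, Secure keeps
    it off plaintext HTTP, SameSite=Lax stops most cross-site request forgery,
    and the __Host- prefix (requires Secure, Path=/ and no Domain) stops a
    sibling subdomain from overwriting the cookie."""
    return (f"__Host-{name}={session.id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={SESSION_IDLE_TIMEOUT}")
```

The stored record carries its own cost parameters, so they can be raised later without invalidating existing accounts: old records keep verifying with the parameters they were created with, and can be rehashed on next successful login.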

4. Network Security

  • Firewalls: Implement network and web application firewalls (WAF) to filter out malicious traffic.
  • Intrusion Detection/Prevention (IDS/IPS): Monitor network activity for anomalies and block potential attacks.
  • Segmentation: Separate sensitive areas of your network to minimize the attack surface.

5. Vulnerability Management

  • Regular Patching: Keep operating systems, web servers, frameworks, and third-party libraries up-to-date with security patches.
  • Penetration Testing: Conduct regular penetration testing to discover and address vulnerabilities proactively.

6. Logging and Monitoring

  • Extensive Logging: Implement comprehensive logging of authentication attempts, user activity, configuration changes, and security events.
  • Centralized Log Management: Use a SIEM (Security Information and Event Management) system to collect and analyze logs for anomalies.
  • Auditing: Regularly audit logs to identify potential security breaches.

7. Incident Response

  • Have a Plan: Develop an incident response plan for handling suspected breaches quickly and effectively.
  • Clear Communication: Establish clear communication channels internally and for reporting incidents to users or authorities if necessary.

8. User Education

  • Security Awareness Training: Educate portal users about phishing, social engineering tactics, password hygiene, and how to spot suspicious activity.

Additional Considerations:

  • Zero-Trust Approach: Adopt a zero-trust model where no user or device is inherently trusted. Verify and authenticate continuously.
  • Data Minimization: Collect only the data absolutely necessary for the portal’s functionality.

Remember: Cybersecurity is an ongoing process. Stay up-to-date with emerging threats and continuously evaluate your portal’s security posture.


Performance tuning in Liferay – Part 1

Expanding on my earlier LinkedIn post on performance tuning.

Below are the main points to work on for a performance tuning engagement in Liferay – Part 1.

  • First, find out what is slow: the database, service calls, Elasticsearch, memory pressure, threads that are blocked or waiting, how much memory a module is taking, what the logs are printing, and so on.
  • Check your configurations as per the post “How to debug Liferay? – Some pointers – Part 1” (also reproduced further down this page).
  • Install Glowroot if possible (with a central collector) and check the following sections for the problem timeframe: slow traces, errors, service calls, threads, heap, instrumentation, configuration and so on.
  • You can enable tracing in the logs and add Glowroot instrumentation on specific targets. You can also use Fabian Bouché’s plugins (for example for fragment analysis) or follow his blogs on www.liferay.dev/blogs for using Glowroot during upgrades.
  • The above will give you hints on what is slow. In particular, open the flame graphs and thread views together with heap dumps to analyze which threads are blocked or waiting, and how much memory is allocated to what in the slow traces of each module.
  • Then run a load test in a simulated environment, after checking the compatibility matrix, to get up-to-date statistics for scenarios such as web content in a portlet or in a fragment, API calls, integrations, heavy load on Elasticsearch and so on, experimenting with themes as well.
  • Once you have the slow threads, flame graphs and slow traces, act on the cause. If custom code, configuration, a DB call or Elasticsearch is slow, optimize it (for example the HikariCP connection pool settings). If the slow path is in Liferay’s own source, open the Liferay portal GitHub repository, check the code and reach out to Customer Success / Global Services / Support with your inferences, depending on your engagement in the account. Your Customer Success Manager or Sales contact can guide you on this.
  • GS / CS will work internally in Liferay to get you the best options and/or patches if they already exist. Often the issue has already been fixed in a hotfix or fix pack, or a configuration change solves it. To check, go to the Liferay customer portal and read the fix pack changelogs. You can also refer to Liferay Learn and the Help Center for articles and tutorials.
  • Areas of performance tuning include: database, HTTP calls, app server, Elasticsearch, threads, heap optimization, caching and more. We will follow up this post with more pointers on performance tuning in Part 2. The deployment guide for your version has a good list of areas to check.
  • Thanks to Fabian Bouché, David Nebinger and many more at Liferay Global Services / Support / Customer Success and Customer Support / Engineering, due to whom I am able to compile the above. The above is a compilation of work from many sources, internally in Liferay via work with customers and externally, which hopefully should help many Liferay customers and partners. This also serves as a case study on performance tuning.
  • Email me: Neil@HarwaniSystems.in
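As an added example (not code from the original post, and not a Liferay or Glowroot tool), here is the first pass an engineer can do on a thread dump before opening a flame graph: a small parser for HotSpot thread dumps (the output of jstack or kill -3) that counts threads by state and, for every monitor that threads are queued on, names the thread holding it and its top stack frame. The dump text embedded below is constructed for the example; the class names, thread names and lock addresses in it are invented.

```python
"""Added example (not from the original post): parse a HotSpot thread dump,
count threads per state and report which thread holds each contended
monitor. SAMPLE_DUMP is constructed for this example; its class names,
thread names and lock addresses are invented."""
import re
from collections import Counter, defaultdict

SAMPLE_DUMP = '''\
"http-nio-8080-exec-1" #25 daemon prio=5 os_prio=0 tid=0x00007f1a nid=0x1a2b waiting for monitor entry [0x00007f1b]
   java.lang.Thread.State: BLOCKED (on object monitor)
\tat com.example.portal.CacheHolder.get(CacheHolder.java:42)
\t- waiting to lock <0x00000000e0a1b2c3> (a java.lang.Object)
\tat com.example.portal.ContentPortlet.render(ContentPortlet.java:88)

"http-nio-8080-exec-2" #26 daemon prio=5 os_prio=0 tid=0x00007f1c nid=0x1a2c waiting for monitor entry [0x00007f1d]
   java.lang.Thread.State: BLOCKED (on object monitor)
\tat com.example.portal.CacheHolder.get(CacheHolder.java:42)
\t- waiting to lock <0x00000000e0a1b2c3> (a java.lang.Object)

"http-nio-8080-exec-3" #27 daemon prio=5 os_prio=0 tid=0x00007f1e nid=0x1a2d runnable [0x00007f1f]
   java.lang.Thread.State: RUNNABLE
\tat java.net.SocketInputStream.socketRead0(Native Method)
\tat com.example.portal.CacheHolder.refresh(CacheHolder.java:77)
\t- locked <0x00000000e0a1b2c3> (a java.lang.Object)

"HikariPool-1 housekeeper" #30 daemon prio=5 os_prio=0 tid=0x00007f20 nid=0x1a2e waiting on condition [0x00007f21]
   java.lang.Thread.State: TIMED_WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)
'''

# A thread block starts with the quoted thread name; the state line and the
# "- locked" / "- waiting to lock" annotations follow in the stack frames.
HEADER_RE = re.compile(r'^"(?P<name>[^"]+)"')
STATE_RE = re.compile(r'java\.lang\.Thread\.State: (?P<state>[A-Z_]+)')
WAITING_RE = re.compile(r'- waiting to lock <(?P<addr>0x[0-9a-f]+)>')
LOCKED_RE = re.compile(r'- locked <(?P<addr>0x[0-9a-f]+)>')
FRAME_RE = re.compile(r'^\s*at (?P<frame>.+)$')


def parse_dump(text: str) -> list:
    """Split the dump into per-thread dicts with name, state, stack frames,
    monitors held and the monitor (if any) the thread is waiting for."""
    threads = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"name": header.group("name"), "state": "UNKNOWN",
                       "frames": [], "locked": [], "waiting_on": None}
            threads.append(current)
            continue
        if current is None:
            continue  # preamble before the first thread
        if (m := STATE_RE.search(line)):
            current["state"] = m.group("state")
        elif (m := WAITING_RE.search(line)):
            current["waiting_on"] = m.group("addr")
        elif (m := LOCKED_RE.search(line)):
            current["locked"].append(m.group("addr"))
        elif (m := FRAME_RE.match(line)):
            current["frames"].append(m.group("frame").strip())
    return threads


def state_counts(threads: list) -> Counter:
    """How many threads are RUNNABLE, BLOCKED, WAITING, TIMED_WAITING, ..."""
    return Counter(t["state"] for t in threads)


def contention_report(threads: list) -> dict:
    """For each monitor that threads are waiting on: the holder, the holder's
    top frame (what it is doing while others queue) and the waiting threads."""
    holders = {addr: t for t in threads for addr in t["locked"]}
    waiters = defaultdict(list)
    for t in threads:
        if t["waiting_on"]:
            waiters[t["waiting_on"]].append(t["name"])
    report = {}
    for addr, names in waiters.items():
        holder = holders.get(addr)
        report[addr] = {
            "holder": holder["name"] if holder else None,
            "holder_top_frame": holder["frames"][0] if holder and holder["frames"] else None,
            "waiters": names,
        }
    return report


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print(dict(state_counts(parsed)))
    for addr, info in contention_report(parsed).items():
        print(addr, "held by", info["holder"], "in", info["holder_top_frame"],
              "-> waiters:", ", ".join(info["waiters"]))
```

In the constructed dump the two request threads are BLOCKED on the same monitor, and the holder is sitting in a socket read while refreshing the cache, which is exactly the pattern (a slow backend call made under a lock) that a flame graph then confirms. Run the same script over several dumps taken a few seconds apart: a holder that stays the same across dumps is the thread to investigate.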

Liferay clustering – Part 1

Notes on Liferay clustering:

Email me: Neil@HarwaniSystems.in

Liferay & AIML / Generative AI – Part 1

What is possible with Liferay and AIML / Generative AI? – Part 1. Liferay being open source, we can integrate GAI / AIML with Liferay for:

  • Generating content & images in the web content section
  • Generating automated blogs, tags, categories and UI/UX flows
  • An assistant which redirects us to the relevant help pages
  • An assistant which suggests which portlets or features to use, based on the documentation
  • An assistant for suggesting Liferay configurations
  • A domain-specific intelligent chatbot
  • An assistant for fault finding & log analysis recommendations
  • An assistant for detecting the status of Liferay, integrations, the file store & the database
  • An assistant for analysis of networked components like the web server, CDN, hosting / cloud and so on
  • The list is endless, and this seems to be just the start of this new area of integrating AIML / GAI into enterprise applications for monitoring, suggestions and assistance

Refer to my earlier blog for the kind of disclaimers that might be required when working with GAI: What points can be part of a fair use disclaimer for Generative AI? – Part 1 (LinkedIn).

Email me: Neil@HarwaniSystems.in

Checklist for DMS Use Case in Liferay

Find below a checklist for Liferay’s DMS (Document Management System) Use Case:

  • Size early: average document size, size range, number of documents, document types, viewers and thumbnail requirements
  • Decide in advance the workflow templates for the start plus expected growth per quarter, and the estimated number of workflow instances per day / week / month that will run on your documents
  • Size your file store and decide on SAN / NAS requirements early, based on latency, size of documents, number of folders and so on
  • Switch to the advanced file store early if you have a large number of documents – preferably right from the start
  • Consider adding multiple repositories in advance if you have multiple file stores and a very large number of documents across repositories
  • If you have a very large number of documents across repositories, consider early on whether a dedicated DMS product should work alongside Liferay, mounted via the CMIS protocol
  • Full-text, partial and multilingual search requirements should be planned early
  • Scanning integration, if needed, should be considered
  • Consider anti-virus scanning of uploads, depending on the use case
  • Response times should be calculated based on network latency for all users
  • Mobile, responsive, desktop, laptop / universal views for documents need to be planned
  • For cloud deployments, blob storage / file store considerations should be settled early
  • A separate Elasticsearch cluster should be planned
  • Access control, confidentiality and digital rights management planning and requirements should be done as a prerequisite
  • The Liferay file store, Elasticsearch, data folder, filesystem and database should not be worked on directly – work via the Liferay UI / Control Panel / Groovy / API and so on. There are exceptions, such as reindexing problems and performance tuning, but they should remain exceptions rather than the norm.
  • Include backup/restore of the file store in sync with the database, and include it in DR.
  • Leverage Ghostscript and OpenOffice / LibreOffice for text extraction and conversion.
  • Include ClamAV for portal-based scans when uploads are accepted from external sources; an upload path open to outsiders is exactly where malware arrives.

Email me: Neil@HarwaniSystems.in

How to debug Liferay? – Some pointers – Part 1

How to debug Liferay? Some pointers – Part 1. Often we only check specific places and forget other areas while debugging. This small blog acts as a checklist for checking and debugging Liferay.

  • Look at installing and using Glowroot
  • Check the slow traces / web transactions / errors and the related graphs in Glowroot
  • Check the logging levels, module-wise and overall
  • Check all the Liferay nodes if in a cluster
  • Check the app server logs
  • Check JNDI & JDBC settings
  • Reproduce the problem on a default vanilla instance / bundle
  • Use Help Center articles
  • Check your web server, load balancer and database configurations plus logs
  • Check your portal & system properties
  • Check the configurations in the Control Panel for the related area
  • Check your custom API list
  • Check details via Gogo shell commands
  • Check the code in Liferay DevStudio or your favorite IDE
  • Check the Marketplace apps that are installed
  • Consider using Groovy scripting for debugging
  • Check virtual instances if in use
  • Check OSGi configurations if added
  • Check your Elasticsearch server status
  • Check your heap size and thread dumps plus the configuration in setenv.sh/bat

This list also gives you an idea of the configurability and extent of Liferay’s modularity; our work becomes easier when so many things are configurable.


Liferay upgrade learnings – Part 1

Some learnings below from various Liferay upgrades that I have been part of:

  • Upgrades need us to plan various dry runs in advance on a non-production environment
  • Divide your upgrade between the core / database upgrade and the non-core upgrade
  • Core includes the Liferay engine, configurations and database
  • Non-core includes themes, custom code, integrations and such
  • Understand how to use the database upgrade tool for the core upgrade
  • Logging of the upgrade should be at a much more verbose level than normal
  • You can upgrade with or without the document library using portal-ext.properties configuration
  • Upgrades between DXP 7.x versions are easier, whereas upgrades from 6.x to 7.x need more planning
  • For the database upgrade tool, you can either fill in the three property files or enter the required details interactively at the command prompt
  • Make sure you are at the latest release of whichever 7.x version you are upgrading to
  • Bad and corrupt data are perpetual problems which need to be analyzed properly before the upgrade
  • Use Groovy, not SQL, to fix bad data
  • Consider analysis and compliance against the Liferay compatibility matrix and the Liferay whitepapers on cloud, security, upgrade & scaling before planning your upgrade
  • Create a template document for the upgrade with all major areas pre-covered in the analysis, based on the whitepapers on Liferay.com
  • Understand the breaking changes with every major version release
  • Learn to use the Upgrade Planner for the code upgrade
  • Docker containers are available and should be considered
  • Consider headless, clustering, cloud, advanced file store and CMIS repository options right at the analysis phase of the Liferay upgrade
  • For your future data storage requirements as you scale, understand and analyze the load to confirm the right infrastructure choices, such as cloud, SAN / NAS and so on
  • Learn to use the basic Linux commands (if you are using Linux) like top, free, tail, ps, grep, the Liferay bin scripts, sudo, vim, thread dumps and such to monitor / manage the upgrade well
  • Look at thread dump analyzers such as fastthread.io (Smart Java thread dump analyzer – thread dump analysis in seconds)
  • Consider learning the basics of the operating system / network you are using, JVM & database tuning / optimization for threads, core allocation and monitoring, and using the Eclipse IDE to analyze threads, heap, etc.
  • Keep the reference guide for system.properties and portal-ext.properties handy during the upgrade of the core part
  • Keep headless, GraphQL and Liferay / Java API details handy during the code upgrade
  • Explore the 7.4 DXP features if you are upgrading to this version: Liferay DXP 7.4 New Features
  • Refer to both Help Center articles and the open documentation; they have a lot of good, useful content
  • Reference: Upgrade Basics — Liferay Learn

Email me: Neil@HarwaniSystems.in

Liferay best practices – Part 1

Developers and managers both struggle at times to plan the use of best practices ahead in projects, which causes many problems that are best avoided. Below are some learnings and best practices on using and working with Liferay – Part 1.

  • Don’t work directly on the Liferay database. Use the Groovy script console in the Control Panel or the Liferay user interface. At most, use the database as a read-only tool for analysis and debugging, and even that only in extreme cases when recommended, such as reindexing problems involving the BackgroundTask or Lock_ tables, and only as per Help Center articles. Stick to Liferay APIs (REST or Java / Groovy based) for the right results. Changing anything at the database level can have unintended consequences which are best avoided.
  • If you need a cloud offering, instead of deploying Liferay on AWS / GCP / Azure or similar on your own (which can be a valid option), also consider and evaluate Liferay DXP Self-Hosted, Liferay Experience Cloud Self-Managed or Liferay Experience Cloud. The Experience Cloud options are built on top of GCP with many advanced features pre-baked, such as CI/CD, depending on the version you select. Liferay’s cloud offerings reduce much of the effort of upgrades, infrastructure, security, patches, CI/CD, monitoring and more, depending on which option you select.
  • Use as many out-of-the-box features as possible, followed by configuration and lastly customization. There are hundreds and thousands of direct and indirect Liferay features described on its documentation site.
  • Support tickets are for Liferay product issues; reach out to Customer Success for short-term engagements up to multi-month configuration, system administration, customization, audits and similar areas. Global Services is for executing projects, SME engagements to embed a Liferay expert into your team for technical help, team augmentation, custom packages to support upgrades, performance tuning, DevOps / architecture kickstarts, long- and short-term customization development, etc. on Liferay. Reaching out to the right team maximizes the chance of a fast resolution for your request. For support issues, refer to this blog: https://liferay.dev/blogs/-/blogs/working-with-liferay-support
  • Maintain a DevOps / DevSecOps / Repository strategy. Use best practices of code merging, quality and more.
  • Maintain a list of customizations, custom APIs (REST) and modules that are deployed.
  • Consider headless if you want extreme performance or a very specific User Interface with a non standard JS library or you want to connect with an external app with Liferay as the engine or want a very high LightHouse score. Even without headless high scores are possible in most areas.
  • Understand LightHouse and PageSpeed Insights score. There are many hidden things which are NOT OBVIOUS – for example mobile performance scores. Consider investing in parallel into an in-house monitoring tool as well.
  • Upgrades need preparation and multiple dry runs. Bad data, orphan data and bad customizations create problems in upgrade. So use Liferay in the optimum way as per documentation.
  • Keep a regular watch on end-of-life, premium and extended support phases. Pre-plan your upgrades at least a year ahead.
  • Lift and shift from on-prem to cloud using AMIs is not a healthy approach. Consider setting up Liferay again from backups if you are moving to AWS / GCP / Azure from on-prem. Otherwise consider Liferay Experience Cloud, though a migration would still be needed.
  • Search & database server should be monitored and optimized on routine basis.
  • Search optimization needs to be a regular habit by the Liferay Administrator as the content and documents get updated. Explore concepts like suggestions, boosting, queries, filters, blueprints and more.
  • SSO, Authentication, Authorization, Login and Security need advance planning and design. These topics vary widely from customer to customer.
  • There are many inbuilt apps in areas of collaboration, social, workflow, content, process, documents and more. Explore and use them before doing customizations.
  • Explore Liferay marketplace for technical & functional accelerators / solutions before investing in developing from scratch.
  • Maintain documentation for your architecture, design, customizations, testing, security, code quality and other areas.
  • Understand and study portal & system properties, they have many settings which can help in managing various scenarios directly by configuration only.
  • Explore Liferay University and trainings on it.
  • Clustered environments are possible in Liferay and consider planning for them right during your architecture, design phase at the start of project rather than later.
  • Consider usage of Advanced or S3 filestore, Clustering, Headless, Liferay DevStudio, Docker images of Liferay, Virtual instances and similar advanced concepts as need be from early in the project.
  • Understand Liferay architecture, tooling and internals like Portlets, OSGi, Liferay DevStudio, Configurations, Control Panel, Gogo Shell, Module projects, Dependencies, Modularity and such.
  • Your important directories and areas in Liferay are: Liferay Home and sub-directories, Filestore / document library – data folder, Custom modules, Configuration files in Liferay Home sub/directories, Search server, Control Panel, Database, Other peripheral configuration areas like load balancer, application server, networking, clustered environments and such.
  • Learn to use the Liferay forums, Liferay Blogs, Liferay GitHub, Liferay Help Center, Liferay Community site, Customer & Partner portals of Liferay well. Lot of useful information is available there.
  • There are in-built areas in the same integrated DXP installation from 7.4 onwards for Digital experience, Portal, Commerce with Analytics. Consider using them from DXP platform before doing customizations for features that are available already.
  • Explore concepts like debug patch, logging per module and overall logging in Liferay.
  • Reach out to community slack channel which can be a great way to further connect with Liferay resources.
  • Keep your portal & components updated with relevant patches & upgrades as per advisory from Liferay.
  • Refer Liferay resources page with case studies & whitepapers. It has useful information on cloud migration, compatibility matrix, benchmarking, what customers are doing with Liferay and more.

References:

  • https://help.liferay.com/hc/en-us
  • https://liferay.dev/
  • https://learn.liferay.com/dxp/latest/en/liferay-internals.html
  • https://learn.liferay.com/dxp/latest/en/index.html
  • https://help.liferay.com/hc/en-us/categories/5843406636941
  • https://marketplace.liferay.com/
  • https://www.liferay.com/liferay-experience-cloud
  • https://learn.liferay.com/dxp-cloud/latest/en/index.html
  • https://www.liferay.com/resources/case-studies
  • https://www.liferay.com/resources

Email me: Neil@HarwaniSystems.in