The AM installation process creates the Top Level Realm (/), which contains AM default configuration data. This realm cannot be deleted or renamed, since it is the root of the realm hierarchy in AM.
Consider the following list of security best practices related to realms:
- Disable Module-based Authentication
Module-based authentication lets users authenticate using the
module=module-namelogin parameter, therefore bypassing multi-factor authentication if multiple modules are configured in a chain with the same
To disable module based authentication, navigate to Realms > Realm Name > Authentication > Settings > Security, and clear the Module Based Authentication check box.
- Deactivate the Anonymous User
The anonymous user is enabled by default. To harden security, deactivate the anonymous user, unless anonymous access is specifically required in your deployment. See How do I deactivate the default anonymous user in AM.
- Create Strong Authentication Trees
Ensure your users log in to AM using sensible authentication trees, such as trees that enforce multi-factor authentication.
- Configure Sensible Default Authentication Services
By default, users that log in to the console make use of the chain or tree configured in the Organization Authentication Configuration property for the realm. To locate this property, navigate to Realms > Realm Name > Authentication > Settings > Core.
Special care must be given when setting your default authentication tree or chain.
If you leave the default authentication to the
ldapServicechain, users can still post their username and password into the authentication endpoint to retrieve a session, regardless of the services configured for authentication.
For example, consider a deployment where you disable module-based authentication and keep the default authentication chain to the out-of-the-box
ldapStoreauthentication chain using
DataStoremodule. If you have set up two factor authentication for your users, your users can still access their accounts without performing the correct two factor authentication chain login sequence by using the default
When you set the default authentication tree or chain, make sure it is set to your most secure tree or chain once you are ready to go to production and not left to the default
Ensure that you change the default for all realms, including the Top Level Realm.
About the Demonstration User
When installing AM for evaluation, using the embedded DS server, a
demo user is created. This is a regular account with no administrative permissions and is intended for test and demo purposes. You should remove it from production environments.
To remove the
demo account, navigate to Realms > Top Level Realm > Identities, select the
demo account, and select