Operations Basics / Version 2412.0
Make sure that read and write rights for databases and for file systems containing CMS installations and data are reduced to a minimum.
Some CoreMedia components are configured to write heap dumps when they run out of memory, helping you to quickly diagnose critical failures. Make sure that the directories to which these heap dumps are written are properly secured, because heap dumps contain sensitive information like passwords, which might not have been disposed of by the garbage collector.
Log files, too, must only be readable by authorized staff. They can contain hints that help an attacker spot weaknesses.
The temporary directory of Java, as configured by the system property java.io.tmpdir, is used for some data. Often it points to a directory that is writable by everyone. Preferably, you should use a secured and isolated temporary directory for each component. Alternatively, you can configure the storage directory paths explicitly as far as they default to the temporary directory.
On some operating systems, java.io.tmpdir is mapped to a directory that is regularly cleaned up by the operating system. For short-running processes this behaviour won't affect the application, but for long-running processes, this may result in unintended cache data loss and application faults. To prevent this, you should always configure cache locations such as the UAPI blob cache to a different directory outside of these automatically cleaned paths.
The most important data storage locations are summarized in the following list:
the databases of all Content Servers and the Workflow Server,
if so configured, the blob stores of all Content Servers,
the stores of all MongoDB instances,
the input directories of importer processes,
the Solr home directory, which should be created before Solr is started so that it does not default to the Java temporary directory,
if so configured, the serialization file of the Control Room in-memory store,
the temporary file stores of all Replication Content Servers, as configured in the replicator.tmpDir property,
the blob caches of all Unified API connections as configured in the repository.blobCachePath property or the Cap.BLOB_CACHE_PATH connection attribute (defaulting to the Java temporary directory),
the installation directories of all components,
the logging directories.
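
One way to check the storage locations listed above for the two risks this page describes, as an added example that is not part of the CoreMedia documentation or product: a POSIX shell script that flags directories open to other users and directories under commonly auto-cleaned temporary paths. The function names and the choice of /tmp and /var/tmp as cleaned paths are assumptions.

```shell
#!/bin/sh
# Added example, not CoreMedia code. Usage: sh audit_dirs.sh DIR...

# Return 0 if $1 lies under a directory the OS commonly cleans up.
# Assumption: /tmp and /var/tmp; adjust to the host's cleanup configuration.
in_cleaned_tmp() {
    case "$1/" in
        /tmp/*|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per permission problem of directory $1.
# Returns 0 if the directory exists and is closed to "other", 1 otherwise.
audit_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING         $dir"
        return 1
    fi
    rc=0
    # World-writable: any local user can plant or replace files here.
    if [ -n "$(find -H "$dir" -prune -perm -0002)" ]; then
        echo "WORLD-WRITABLE  $dir"; rc=1
    fi
    # World-readable or searchable: heap dumps and logs inside are exposed.
    if [ -n "$(find -H "$dir" -prune \( -perm -0004 -o -perm -0001 \))" ]; then
        echo "WORLD-READABLE  $dir"; rc=1
    fi
    return $rc
}

# Audit every path given as an argument; returns 1 on any finding.
audit_all() {
    failed=0
    for d in "$@"; do
        audit_dir "$d" || failed=1
        if in_cleaned_tmp "$d"; then
            echo "AUTO-CLEANED    $d"; failed=1
        fi
    done
    return $failed
}

audit_all "$@"
```

Pass it the directories from the list above, for example the value of java.io.tmpdir and the configured blob cache path; a non-zero exit status means at least one finding.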