Your web servers might capture and process sensitive data at any time, so you must constantly control access to data at rest and in transit, and secure all Acoustic™ Experience Analytics (Tealeaf) systems in your environment.
Administrators should be aware of any enterprise security policies that may be applied to any Acoustic Experience Analytics (Tealeaf) servers. Any one-time or periodic changes to user accounts, security policies, or other system configuration that may affect the performance or availability of Experience Analytics software should be monitored by application administrators.
For example, some customers may reapply all their security settings as a nightly job to all machines, which may disrupt configurations or fixes applied to Experience Analytics. These types of enterprise policies must be synchronized with the Experience Analytics team.
The Acoustic Experience Analytics (Tealeaf) CX Passive Capture Application is a passive network appliance that functions essentially as an advanced packet sniffer. The PCA maintains dedicated connections with the SPAN port or switch feeding data to it and should not have access to the wider Internet. As a result, security issues related to a web server having access to a live network connection do not apply.
openssl, which is integrated into the application and is not patchable.
The CX PCA is hosted on a separate Linux™ server, which should be hardened by removing unneeded services and keeping the operating system patched.
The PCA provides the Web Console, a web interface for configuring the application. The web console can be configured to transmit traffic over HTTPS.
The web console is the PCA administration console and is not intended for deployment over the open Internet. The PCA web console does not see any of the capture traffic and is dedicated to its web management functions.
If desired, you can disable the PCA web console. Configuration of the CX Passive Capture Application
can then be applied through the configuration file (
If operating system changes are not possible, or if editing the configuration file is impractical, you can use the web console to specify traffic addresses and ports that the PCA should ignore. Wildcards are accepted.
The Web Console is served by a standard Apache server. If desired, security enhancements can be applied through Apache. For more information, please see the Apache documentation.
Applying enterprise private keys
To decrypt SSL communications, you must provide the enterprise private keys. Experience Analytics loads an encrypted version of each private key and decrypts it internally using a provided hash key.
- Export the key in PEM format from any of the supported web servers.
- Set up Experience Analytics to use the exported key.
- You might also need to perform any of the following SSL key operations:
- Generate a self-signed certificate
- Generate a self-signed certificate using utility scripts
- Set up the transport service for SSL encryption
- Set up the Portal Status/Web Console certificate
- Remove or view certificate
- Validate PEM keys
Private keys can be added through the SSL Keys tab on the web console, where you can also review the keys that the PCA reports as missing.
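As an added example (not Acoustic's code or documentation), the following POSIX shell script exercises two of the key operations listed above with the openssl CLI: generating a self-signed certificate and key in PEM format, and validating that a PEM private key parses, is not passphrase-protected, and belongs to a given certificate before it is handed to the PCA. The file names, the hostname used in the certificate subject, and the presence of the openssl binary are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Tealeaf product. Assumes the openssl CLI is installed.
# File names and the hypothetical host name "pca.example.internal" are assumptions.
set -u

# Generate an unencrypted RSA private key and a self-signed certificate in PEM format.
# Arguments: output path prefix, optional subject common name.
gen_self_signed() {
  prefix=$1
  cn=${2:-pca.example.internal}
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$cn" \
    -keyout "$prefix.key" -out "$prefix.crt" >/dev/null 2>&1
}

# Return 0 if the PEM private key is passphrase-protected (PKCS#8 or legacy
# "Proc-Type" header), 1 otherwise.
pem_key_is_encrypted() {
  grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Validate that a PEM private key is usable and matches a PEM certificate.
# Returns 0 on success; prints the reason to stderr and returns 1 otherwise.
validate_pem_pair() {
  key=$1
  cert=$2
  # Check for a passphrase first so openssl does not block waiting for one.
  if pem_key_is_encrypted "$key"; then
    echo "$key: key is passphrase-protected; export it unencrypted or supply the passphrase" >&2
    return 1
  fi
  if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
    echo "$key: not a valid PEM private key" >&2
    return 1
  fi
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "$cert: not a valid PEM certificate" >&2
    return 1
  fi
  # A key belongs to a certificate when the public key derived from the private
  # key equals the public key embedded in the certificate; compare their digests.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl sha256)
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "$key does not match $cert (public keys differ)" >&2
    return 1
  fi
  echo "$key matches $cert"
}

# Usage: ./check_pem.sh server.key server.crt
if [ "$#" -ge 2 ]; then
  validate_pem_pair "$1" "$2"
fi
```

The encrypted-key check runs before any openssl parsing so that a passphrase-protected export fails fast with a clear message instead of hanging on a passphrase prompt; the public-key digest comparison is what catches the common mistake of uploading a key that was renewed separately from its certificate.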
Secure communications with the processing server
The PCA can be configured to send secure communications (HTTPS/SSL) to the Acoustic Experience Analytics (Tealeaf) Processing server or servers in your environment.
When enabled, the PCA delivers hits over HTTPS using a private key provided to the CX Passive Capture Application.
Windows IIS Security
The Experience Analytics Web Application Utility manages installation of the Experience Analytics Portal and all file/group permissions required for IIS.
For enhanced security, consider obtaining and installing an SSL certificate for the IIS web server so that the portal can be accessed over HTTPS.
Windows server account permissions
Check the Microsoft Support site for information about permissions and user rights for IIS6, IIS 7.0 and later.
Configuring the Portal authentication mode
The Acoustic Experience Analytics (Tealeaf) Portal supports multiple modes of authentication:
- NT authentication
Experience Analytics can authenticate users against Active Directory through the NT domain with which the server is associated, inheriting all of the security features of NT authentication.
- Portal authentication
The Portal provides its own authentication methods, in which user accounts are encrypted and stored in the Experience Analytics database. Portal authentication enables enterprises to separate user management from internal systems. Portal authentication supports MD5, RC2, or 3DES for protecting stored credentials. Note that MD5 is a hash function rather than an encryption algorithm, and all three are considered weak by current standards, so choose the strongest option available to you and restrict access to the database that holds these records.
- Single sign on
Experience Analytics supports integration with CA Siteminder or with other authentication providers that pass credentials in HTTP request headers. These credentials behave like Portal authentication credentials. SSO authentication is configured through an external file stored in the Experience Analytics installation directory.
- Mixed Mode
In Mixed Mode, users can choose to log in through either Portal Authentication or NT Authentication. The login screen provides a link to switch between these login modes, so that administrators can use the security features of both modes as needed.
To configure the authentication mode, complete the following steps:
- Log in to the portal as an administrator and navigate to TMS.
- Select the node.
- Select Shared configuration information. In the Config Actions pane, click View/Edit.
- Click the Portal tab.
Acoustic Experience Analytics (Tealeaf) installation directory
On each server, the installed Experience Analytics software components are stored in the Experience Analytics installation directory. This directory should be secured to prevent access by unauthorized local users and across the network. Only Experience Analytics administrators should have read-write access to the installation directory.
Defining password security
Depending on the Acoustic Experience Analytics (Tealeaf) modules that are enabled in your environment, one user account and one admin account are created by default.
Administrators can define various password security options through Portal Management for cxImpact, cxReveal, and cxView.
- To access these settings, navigate to Portal Management in the Portal menu.
- Select the appropriate settings to modify. Note: The cxImpact setting is on the CX Settings tab.
Acoustic Experience Analytics (Tealeaf) databases
Depending on the components that are installed for your Experience Analytics solution, the following database schemas must be secured from unauthorized access.
- Experience Analytics system configuration database
- Experience Analytics cxImpact reporting database
- Segment Session analysis database
- Experience Analytics Statistics database
All applicable schemas should be secured from unauthorized access. Passwords to these databases should be distributed only to authorized personnel.
By default, the Experience Analytics SQL database files are installed in the installation directory.
SQL Required Logins
Experience Analytics requires two SQL logins (
TLUSER) to complete installation and management tasks for the databases.
A SQL login with sysadmin privileges is useful but not required for installation. If the SQL login does not have sysadmin privileges, a DBA must run the provided scripts to complete the tasks that the login cannot perform itself.
RTV is a Windows application installed on the local desktop, which provides search and replay capabilities to Experience Analytics users.
RTV makes requests to the Search Server to search and retrieve data. Depending on whether NT or Portal authentication is enabled, Search Server returns a different challenge string to which RTV responds in a way that's appropriate for the mode that it sees.
- For NT authentication, RTV uses the Windows account info of the current user.
- For Portal authentication, the username and password to use must be configured on the cxImpact tab in the Options screen. RTV requests are made using the HTTP protocol. Data that is returned to RTV is always encrypted.
Security best practices
In general, Portal authentication and NT authentication provide equivalent data and access security. Depending on your specific enterprise needs, you may find the following sections helpful in making your choices.
For each of the following components, Experience Analytics recommends the following security option for best results in securing data transmission across the network.

| Component | Recommended option |
|---|---|
| CX Passive Capture Application Server | Enable SSL connection. |
| cxImpact Web Portal | Enable SSL on IIS. |
| IIS Webserver | Enable SSL on IIS. |
| Report server | Enable NT authentication. |
| Replay server | Enable NT authentication. |
Unauthorized login attempts
For each of the following components, Experience Analytics recommends the following security option for best results in securing the Experience Analytics Portal from unauthorized access.

| Component | Recommended option |
|---|---|
| CX Passive Capture Application Server | |
| Report server | Enable NT authentication. |
| Replay server | Enable NT authentication. |