Professional Documents
Culture Documents
Relativity Server Security - 2022
Relativity Server Security - 2022
Relativity Server Security - 2022
Introduction
Security is essential when it comes to protecting data in an e-discovery software such as Relativity.
This document covers recommendations for securing Relativity through its infrastructure configuration and
front-end configuration.
If you have any questions about the content in this document, contact support via
https://community.relativity.com/s/contactsupport .
SQL Server
Performing regular SQL Server backups and maintenance is extremely important for ensuring optimization
of the server, redundancy of data, and consistency of data. We highly recommend taking the following
maintenance steps on every Relativity database:
• Perform Full and Transaction Log Backups on a schedule consistent with your company’s Recovery
Point Objective (RPO) and Recovery Time Objective (RTO).
• Regularly test both your backup and restore procedures to ensure you can meet your RPO and RTO.
• Perform DBCC CHECKDB Consistency Checks weekly or more often.
• Run the Relativity Index Optimize script nightly. This script is available in the Customer Community.
For more information on SQL Server maintenance, please read the following pages on our Documentation
site:
File Server
It’s important to take regular backups of anything stored on a File Server to ensure the redundancy of
Relativity data. These backups could include Natives and Images, the Cache, SQL Backups, dtSearch or
Analytics indexes, etc.
For more information on File Server backups, please read the following pages on our Documentation site:
Virtual Machine
Work with your Virtual Machine vendor to find the best maintenance approach for backing up or
snapshotting your brand of software.
Disaster Recovery
Reference the following documents in the Customer Community for an up-to-date summary of Relativity’s
Disaster Recovery options:
High Availability
It’s important to make sure Relativity has constant uptime, so users always have consistent access.
Multiple Servers
Use multiple servers where appropriate to help with maintaining uptime. For example, we recommend
having at least two web servers in each Relativity environment in case one fails. You can read more about
server requirements and recommendations on the System Requirements page of our Documentation Site.
Load Balancing
Relativity supports different methods of web load balancing and the ability to distribute user sessions across
multiple servers. You can read more about this in the Expanding your Relativity environment page on our
Documentation Site.
IIS Security
To harden your web servers, it’s important to consider IIS Security.
1. Open IIS.
2. Select the root site labeled as Default Website
3. Select the option HTTP Response Headers
4. Choose Add and enter the following entry in the dialog prompt:
a. IIS - Name “Strict-Transport-Security”; Value “max-age=31536000; includeSubdomains”
5. Repeat the steps above for the IIS site Relativity if applicable.
X-Frame-Options
Help to protect web application against clickjacking. It instructs the browser whether the content can be
displayed within frames. The Relativity web site in IIS sets to SameOrigin by default. We require SameOrigin
on the Relativity site because some Relativity resources use iframes.
1. Open IIS.
4. Choose Add and enter the following entry in the dialog prompt:
a. IIS - Name “X-Frame-Options”; Value "SAMEORIGIN”
5. Repeat the steps above for the IIS site Relativity if applicable. iisreset is required for the changes to
take effect
Referrer-Policy
Governs which referrer information, sent in the Referrer header, should be included with requests made. If
misconfigured can allow information leakage about the browsing session. Update the following:
1. Open IIS.
2. Select the root site labeled as Default Website.
3. Select the option HTTP Response Headers.
X-Content-Type-Options
Prevent browsers from interpreting files as a different MIME type to what is specified in the Content-Type
HTTP header (e.g. treating text/plan as text/css). Update the following:
1. Open IIS.
2. Select the root site labeled as Default Website
3. Select the option HTTP Response Headers
4. Choose Add and enter the following entry in the dialog prompt:
a. IIS - Name “X-Content-Type-Options”; Value “nosniff”
5. Repeat the steps above for the IIS site Relativity if applicable. iisreset is required for the changes to
take effect
X-Xss-Protection
The X-XSS-Protection header is currently deprecated and not supported by most major browsers.
1. Open IIS.
2. Navigate to the Default Website.
3. Double click on the HTTP Headers feature.
4. Select the ASP.NET X-Powered-By header.
5. Select Remove in the Actions pane.
9. On the right pane, double-click on 'View Server Variables...' and click 'Add'
11. Click Ok
12. Navigate back to Default Web Site and again click on 'URL Rewrite'
13. On the right pane, double-click on 'Add Rule (s)..' and double-click on Blank rule under Outbound
rules
HTTP Verbs
The following methods should be enabled to support business requirements.
• GET
• POST
• PUT
• DELETE
• PATCH
Other methods can be disabled:
• OPTIONS
• HEAD
• CONNECT
• TRACE
Disable HTTP methods:
For guidance on the implementation, please review the following page on our Documentation site: here
1. Open IIS.
2. Navigate to the Default Website.
3. Double click on the Directory Browsing feature.
4. Select Disable in the Actions pane.
5. Open IIS.
6. Navigate to the HTMLArea website under Default Website.
7. Right click on HTMLArea and choose Remove.
SQL Server
Relativity doesn't encrypt SQL data by default, so we recommend using Transparent Data Encryption (TDE)
to achieve this. Please read more about TDE in section 4 of this document.
Microsoft SQL Server can be configured to use SSL encryption to encrypt data in transit to other
applications.
Enabling the encryption is done by using the SQL Server Configuration Manager.
If you have several members of your team that use SQL Server Management Studio (SSMS) from different
locations, Microsoft also provides the ability to encrypt the connection of SSMS to the SQL Service.
For more information on SQL Server SSL encryption please click here.
Be aware that this type of encryption can slow down performance. It is recommended to
test the throughput and response time of a known workload with and without SSL
encryption.
If you are using a failover cluster for SQL, the certificate must have a fully qualified
domain name and installed on all nodes.
File Server
Some Relativity clients have chosen to leverage vendor-specific methods for Self-Encrypting Drives (SED)
or Whole Disk Encryption (WDE). Examples of these technologies include the SED SAN, which will
automatically perform full disk encryption when a write completes, and NetApp Storage Encryption (NSE).
Web Server
We recommend securing all Relativity web traffic with HTTPS. The HTTP binding can be completely
disabled and can force all users into accessing Relativity over HTTPS by setting the CookieSecure Instance
Setting to a value of True. The web server should also be configured to only use secure encryption
techniques, cipher suites, and key exchange mechanisms. Accomplish this by using the IIS Crypto tool.
Please refer to section 6.1 Recommended IIS Crypto Settings in the Appendix. For a more in-depth
description of TLS and its setup in Relativity, please refer to section 5 TLS Setup in Relativity in this
document.
Analytics Server
Relativity requires a trusted certificate for all HTTPS traffic on the Analytics server unless the Instance
Setting IgnoreCertificateErrors is set to False. When the CAAT service installs for the first time, however, it
runs over an untrusted SSL/TLS certificate. You can find the steps for replacing this certificate on
the Upgrading or installing your Analytics server page on the Documentation Site.
It’s also important to disable unsafe protocols and cipher suites that may be used by the CAAT service.
Follow these instructions to do this:
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
A certificate for TLS is required by Microsoft when Windows Service Bus is first installed. Find more
information on the certificate requirements for Service Bus in the Service Bus for Windows Server section of
the Pre-Installation page on the Documentation Site.
Ensure version of Service Bus listed below is installed to enable TLS 1.2.
Network Firewall
The following section covers properly locking down unused ports, taking a baseline, creating a DMZ, and
disable the server message block protocol.
RabbitMQ Security
RabbitMQ is an alternative message broker to Service Bus for Windows Server. We recommend deleting
the guest user after installation of RabbitMQ. This can be done through the following steps.
Exclusions
Antivirus runs on Relativity servers should be configured to exclude specific programs and directories, so it
doesn’t interfere with Relativity. A list of these exclusions can be found on the Configuring the Windows
Server page on the Documentation site.
Relativity Servers
The only Windows accounts necessary for Relativity to function are the Local Administrator Relativity
Service Account and a Local Administrator account on each SQL Server to run the SQL Services. Your
organization should decide what other accounts are necessary and try to limit access as much as possible.
SQL Servers
The only SQL Server accounts necessary for Relativity to function are the System Admin account, the
EDDSDBO account, the RelativityScriptLogin account, and an ARM system admin account if installing the
ARM application. Your organization should decide what other accounts are necessary and try to limit access
Ensure you have the latest Microsoft Windows Server and .NET Service Pack (for .NET 4.6.2) installed on
all Relativity servers. Install any smaller security patches, Windows updates, etc. at your discretion.
Relativity only tests major service packs, but not every Microsoft update. Deploy any updates to your test
instance of Relativity first and ensure that a rollback plan is in place if any issues arise during deployment.
Ensure the option to Install updates automatically on all Relativity servers has been
disabled. Apply any required updates during a planned maintenance window.
To ensure Secret Store is used securely, follow best practices listed below:
i. ViewerFactoryWindowsUserId:
1. Name: ViewerFactoryWindowsUserId
2. Section: outsidein.api
3. Value Type: Text
4. Encrypt: Yes
ii. ViewerFactoryWindowsPassword:
1. Name: ViewerFactoryWindowsPassword
2. Section: outsidein.api
Note: Conversion Agent uses Windows service account in Relativity Server 2021. Starting with Relativity
Server 2022, Conversion Agent will be using restricted user as configured above.
We recommend implementing monitoring for unusual processes started by the Relativity Service account
and non-privileged Windows users.
AuditingEnabled
Summary - This setting controls enabling auditing throughout Relativity. Setting this value to True enables
auditing. Setting this value to False disables auditing.
Reasoning - Keeping detailed logs of all actions that take place in Relativity can protect your organization if
there is ever a need to troubleshoot an issue, investigate the actions of a particular user, etc.
CookieSecure
Summary - This setting controls how the web browser sends session information. If set to True, this
instance setting forces a web browser to send session information over HTTPS only. This flag is designed to
attach to sensitive cookies such as the session cookie ASP.NET_SessionId. When set to True, users cannot
log in to Relativity over HTTP.
Reasoning - If this setting is enabled, cookies, including sessions cookies, are encrypted over a secure
SSL/TLS channel instead of being sent in cleartext. Once set to TRUE, users must always access Relativity
over HTTPS instead of HTTP.
Recommendation - Set the value to TRUE unless you plan to use Windows Media Player to review media
files.
Reasoning - This prevents Relativity cookies from being susceptible to theft by cross-site scripting by
setting the HttpOnly flag on the cookies.
CookieDuration
Summary - This setting sets the number of minutes that the authentication cookie is valid. This value
controls the length of time that the users are logged in to Relativity before the system automatically logs
them off and requires them to re-authenticate. This configuration value supports a maximum setting of 1440
minutes (or 24 hours), and a minimum setting of 240 (or 4 hours). You must reset IIS for these changes to
take effect.
Recommendation - Default unless your organization wants to further limit the amount of time one user’s
Relativity session will last.
Reasoning - Limiting this value decreases the chance an attacker could compromise the authentication
cookie.
EnforceHTTPS
Summary - This setting controls how Relativity Service Host handles HTTP/HTTPS traffic. Values include
On, Off, and Warn. If set to On, this instance setting forces Service Host to use HTTPS only. If set to Off,
HTTP traffic is allowed. If Warn, the browser and all API endpoints will allow any traffic but will log a warning.
The default value is Warn.
Recommendation - Set the value to ON. Make sure to add a certificate to the Personal certificate store of
the Computer Account on all web and agent servers. If the certificate is self-signed, you must add it to both
the Personal and the Trusted Root Certification Authorities certificate stores for the Computer Account on all
web and agent servers. It is also a requirement that you edit the value of the KeplerServicesUri instance
setting and the KeplerServicesUriForAgents instance setting to reflect HTTPS. These instance settings are
detailed later in this document. For more information about setting up Relativity Service Host, please see
the Service Host Manager documentation on our Documentation site.
Reasoning - This requires Service Host traffic to be encrypted with SSL/TLS in order to not send in
cleartext.
KeplerServicesUri
Summary - This setting specifies the URL at which Relativity custom pages and event handlers can access
the Services API Kepler services using API helpers. The URL must end in a forward slash.
Example:
KeplerServicesUriForAgents
Summary - This setting specifies the URL at which Relativity agents can access local Services API Kepler
services using API helpers. The default port number (8990) can be changed if there is a port conflict with
some other server application. Secure connections are not supported at this time, but Relativity doesn't
secure connections at this time, but normal Relativity authentication protects the services.
Example:
Reasoning - We recommend setting EnforceHTTPS to True, this value needs to be updated so it has
HTTPS instead of HTTP.
ApplicationRestrictedFileTypes
Summary - This setting contains a semicolon-delimited list of file extensions (including dots) indicating file
types that users are prohibited from uploading as custom pages or resource files. Examples
include: .exe, .com, and .bat.
Recommendation - Use the default values plus any other file extensions your organization deems
necessary.
Reasoning - Add any file extensions to the list that your organization deems unsafe.
RestrictedFileTypes
Summary - This setting contains a semicolon-delimited list of file extensions, including dots, that prohibits
users from uploading to file fields (excluding Custom Pages). For example: .exe;.html
Recommendation - Use the default values plus any other file extensions your organization deems
necessary.
RestrictedNativeFileTypes
Summary - This setting contains a semicolon-delimited list of file types that prohibits users from uploading
to file fields (excluding Custom Pages). These values are regular expression enabled, so custom validation
behavior is also supported.
Recommendation - Use the default values plus any other file extensions your organization deems
necessary.
Recommendation - Set the value to FALSE unless you want all users with access to the Errors tab to see
full stack traces for errors. Set to TRUE for active troubleshooting situations.
Reasoning - It is more secure to hide the details of error messages, so users cannot see more information
than is necessary. Without hiding this information, software and server details could be revealed.
MOTDTextOnly
Summary - This setting controls how the Message of the Day (MOTD) is entered and displayed when a
user logs into Relativity. If set to True, the MOTD can only be entered and displayed as plain text. If set to
False, the MOTD can be entered and displayed using the full HTML editor.
Recommendation - Set the value to TRUE unless you want the ability to use JavaScript in this field.
Reasoning - By only allowing text in the Message of the Day box, cross-site scripting and cross-frame
scripting can be prevented.
SanitizeHTMLOutput
Summary - This setting controls sanitization fields with HTML on page render. If set to True, fields with
HTML are sanitized. If set to False, fields with HTML aren't sanitized.
Reasoning - All HTML input will be validated to prevent cross-site scripting and other types of malicious
attacks.
HTMLSanitizerWhitelist
Summary - This setting specifies strips all JavaScript. Strips HTML attributes that do not meet the approved
HTML markup. Setting the SanitizeHTMLOutput instance setting’s value to True invokes the
HTMLSantizierWhitelist. Recommendation - Remove more HTML markup from the list as necessary with
the assistance of Relativity Support. Contact support for help via
https://community.relativity.com/s/contactsupport .
Reasoning - Remove any HTML markup from the list that your organization doesn’t want users to use in
HTML fields.
TreatHtmlAndXmlAsText
Summary - This setting controls the content-type header returned by files with HTM or HTML extensions
from Relativity.Distributed. If set to True, the content-type is text/plain. If set to False, the content-type is
text/html. The default value is True. The net effect of setting this to True is that the Native radio button in the
review tool displays the raw markup of HTML files instead of rendering the content.
AllowHtmlVisible
Summary - This setting controls the accessibility of the Allow HTML property on Field objects. If set to
False, the Allow HTML property is hidden from the New Field page, and its value defaults to No. The Edit
Field page displays the property only if the field being edited already has the property's value set to Yes. If
set to True, there is unrestricted access to the Allow HTML field property.
Reasoning - This prevents administrators from allowing HTML as inputs into fields. By doing this, attackers
cannot input malicious HTML or scripts.
IgnoreCertificateErrors
Summary - This setting determines whether Relativity must validate the chain of trust of certificates when
running over HTTPs. Setting the value to True is a security vulnerability and should only be done in testing
environments. Recommended value is False.
MaximumPasswordAgeDefault
Summary - This setting determines the default value for the maximum password age when creating
password authentication providers.
Recommendation - Set this value to a number greater than zero so users are encouraged to change their
passwords after a certain number of days.
Reasoning - Password rotation can protect Relativity against passwords that may have been
compromised.
MaximumPasswordHistory
Summary - This setting determines how many password changes Relativity examines for duplicate
passwords. Setting this to a large value could prevent a user from ever using the same password twice.
Recommendation - Determine if your organization wants to limit users from reusing the same passwords
they have used in the past.
Reasoning - This can protect the Relativity environment from a previously compromised password.
AllowAddOrEditScripts
Summary - This setting determines whether create/edit is enabled for Relativity Scripts. The recommended
setting is False.
DeveloperMode
Summary - This setting controls developer mode options within an instance of Relativity. Setting this value
to True enables developer mode options. Setting this value to False disables developer mode options.
These options include disabling the cross-site request forgery (CSRF) header requirement in the API and
returning detailed error messages such as stack traces. Enable this setting only in a development
environment.
Reasoning - Setting this value to false will cause Relativity to enforce the cross-site request forgery (CSRF)
header requirement in the API and stop sending detailed error messages like stack traces.
AdminsCanSetPasswords
Summary - This setting sets the system admin's ability to create passwords for users. If True, they can
create the password. If False, they can't. You must manually create this instance setting because of it not
being installed by default.
Reasoning - This means only the user knows his or her password.
ReplaceCaseNameWithArtifactID
Summary - This setting controls whether the Case ArtifactID replaces the Case Name in the billing statistics
report. If set to True, the Application ArtifactID replaces the Application Name in the billing statistics scripts.
By default, the value is set to False, and the Case Name is displayed.
Reasoning - The case name reveals less information about the design of the software.
ReplaceApplicationNameWithArtifactID
Summary - This setting controls if the Applications ArtificatID replaces the Application Name in the billing
statistics report. If set to True, the Application ArtifactID replaces the Application Name in the billing statistics
scripts. By default, the value is set to False, and the Application Name is displayed.
Reasoning - The application name reveals less information about the design of the software.
AdditionalWorkFactorDefault
Summary - This setting sets the default value for the AdditionalWorkFactor setting in the Authentication
Provider Settings section of the Authentication Provider tab. It allows you to control the number of encryption
hashes. Relativity already provides several built-in hash levels represented by the default zero value.
Changing this value to 1, 2, or 3 adds additional encryption protection but may significantly increase login
time.
Reasoning - More hashing means better encryption, but increasing this value should be tested prior to
making the change in Production in case it increases login times.
MaximumAdditionalWorkFactorRestriction
Summary - This setting sets the maximum additional work factor that can be selected for the Password
Provider on the Authentication Provider Settings section of the Authentication Provider tab. It allows you to
control the max number of encryption hashes. Relativity already provides several built-in hash levels
represented by the default zero value. Changing this value to 1, 2, or 3 adds additional encryption protection
but may significantly increase login time.
Recommendation - Use the default setting unless your organization decides more hashing is necessary.
Reasoning - More hashing means better encryption, but increasing this value should be tested prior to
making the change in Production in case it increases login times.
MaxInvalidLoginAttemptsDefault
Summary - This setting determines the maximum number of login attempts a user can make with a given
username before Relativity locks that username.
Recommendation - Your organization should limit the number of login attempts that users have for
accessing Relativity.
Reasoning - It is more secure to have fewer attempts allowed, but too few attempts can be inconvenient for
users who forget their passwords.
PasswordResetEmailExpirationInMinutes
Summary - This setting defines how long (in minutes) password reset links remain valid after the email is
sent. Please note that it doesn’t affect links that have already been sent.
Recommendation - Your organization should limit the time the password reset link remains valid.
Reasoning - The longer the link remains active, the more risk it will be compromised by an attacker.
InvitationLinkLifetimeInMin
Summary - This setting determines the number of minutes the link sent in the Invitation Email remains
valid.
Recommendation - Determine how much time your organization is comfortable having links remain valid
before sending a new email.
Reasoning - The longer the link remains viable, the more chance it could be compromised.
ReplaceUserNameWithHashValue
Summary - This setting controls whether Relativity replaces the username portions of user email addresses
with hash values in billing information sent manually or sent automatically through the SMTP server. If set to
True, Relativity replaces all text preceding the @ symbol in each user email address with a unique hash
value. Domains remain unencrypted. If set to False, entire user email addresses appear. If you manually run
the billing script, the value you select in the interface overrides this instance setting.
Reasoning - This will hide the usernames and case names in Billing Data sent through the SMTP server.
ExportEscapedFormulasFromItemListDefault
Summary - This setting controls whether Excel macro syntax starting with the characters, [@=+-$], are
escaped. If set to Yes, Excel macro syntax starting characters, [@=+-$], are escaped. If set to No, Excel
macro syntax starting with the characters, [@=+-$], are not escaped.
Reasoning - This will ensure Excel macro syntax starting with [@=+-$] are always escaped.
SMTPSSLisRequired
Summary - If set to True, this instance setting forces all SMTP communication over SSL.
Reasoning - This ensures users cannot import files from workspaces they have no access to another.
Configure Authentication
Relativity uses several industry-standard technologies that enable versatile authentication options. It
supports local (such as password related) or external (such as smart card, or external identification provider)
authentication methods. You can add and enable each type individually and assign multiple authentication
methods to each user. Find more information about our supported forms of authentication in
our Authentication documentation on the Documentation site.
TDE is used to encrypt and decrypt the operations of SQL data and log files. A Database Encryption Key
(DEK) is used to encrypt and decrypt the data. The SQL server creates a certificate, and this certificate
signs the DEK. TDE allows developers to encrypt data using AES or 3DES encryption algorithms.
Ensure the proper SQL database backups are in place prior to moving forward with this procedure.
A database encrypted with TDE may see increases in the time it takes to compress backups and CPU
utilization with no guaranteed reduction in database size. Read more about his here.
Please note that databases enabled for Transparent Data Encryption (TDE) cannot take advantage of
Instant File Initialization, therefore, databases enabled for TDE should be set to auto-grow by 4096MB
instead of the default 10%. This is because large databases need to auto-grow by 10% without taking
advantage of Instant File Initialization. Leaving the default value can result in application timeouts during
each auto-grow.
Backups and backup plans of the databases that have Transparent Data Encryption
(TDE) enabled must be handled with caution to avoid corrupting the database.
When enabling TDE on a database, you must first back up the database before TDE is disabled on that
database. Otherwise, there is a chance of corruption. You cannot restore a backup of a database on another
instance of SQL Server if you disable TDE before you create the backup in SQL Server.
To create a case on a distributed SQL server or migrate a case that has TDE enabled, you must first disable
TDE on the database or transfer the security certificate used for the encryption from the server on which
TDE was enabled to the target SQL server on which the case is to be created.
Create Certificate
The certificate secures the databases. A certificate can be loaded from a file or assembly. This statement
can generate a key pair and a self-signed certificate.
Store these certificates or private key backups even if Transparent Data Encryption is not enabled. The
previously encrypted database may still have some needed information from the certificate and the key for
some operations.
The password that is used for the certificate backup is not the same password used to
encrypt the private key of the certificate.
--This is to open the master key, in case the certificate is locked because it
was not backed up when created
Open Master Key Decryption by Password = 'EnterPasswordHere'
-- Backup the certificate.
Backup Certificate RelativityTDE to File = '\\Path\Path\BackupFileName.bak'
With private key (
File = '\\Path\Path\ BackupFileName.pkbak',
Encryption by password = 'EnterPasswordHere')
go
When encryption is enabled on a database, that database must first be backed up before
encryption is to be removed. If TDE is enabled on a database and then disabled on that
same database before the database is backed up, there is a chance of corruption on the
database.
A certificate that has expired can still be used to encrypt and decrypt databases.
Consider database backup compression when using TDE. There is a high possibility that,
when using TDE and performing database backup compression, the size of the backup
might not be reduced.
A database encrypted with TDE may see increases in the time it takes to compress
backups and CPU utilization with no guaranteed reduction in database size.
You cannot restore a backup of a database on another instance of SQL Server if you disable TDE before
creating the backup.
Backup files of databases that have TDE enabled are also encrypted using the database encryption key. As
a result, when you restore these backups, the certificate protecting the database encryption key must be
available. This means that in addition to backing up the database, you must make sure that you maintain
backups of the server certificates to prevent data loss.
The databases being migrated must use the certificate created on the server where they were encrypted in
order for the SQL server to decrypt the databases.
--This will transfer the certificate from the Source SQL server. The source
SQL server is the primary SQL server where the database that is being restored
was originally encrypted.
Create Certificate RelativityTDE
From File = '\\KIE01\TDE Certificate\TDEcertificate.bak'
With Private Key (
File = '\\KIE01\TDE Certificate\TDEcertificate.pkbak',
Decryption by Password = 'Relativity1!')
Go
When encryption is enabled on a database, that database must first be backed up before
encryption is removed. If TDE is enabled on a database and then disabled on that same
database before the database is backed up, there is a chance of corruption on the
database.
Disable Encryption
First encryption must be removed from the database before removing the encryption key.
When decrypting the database, it is important to wait for the decryption to complete before removing the
database encryption key.
--You have the option of dropping the master key is it is not required for any
other certificate or database
Drop Master Key
Go
Overview
TLS is used when a client machine wants to securely communicate with a server. The type of
communication does not matter because TLS can be used with any TCP-based protocol such as web traffic,
e-mail, and VPN. The TLS protocol provides three important protections for the conversation between client
and server:
Certificates
A certificate is a cryptographic document that contains metadata about an entity. Although there are different
types of entities in the X.509 world, this discussion will focus on network services such as a web server. The
X.509 certificates are complex documents with many different attributes. Fortunately, there are a few key
attributes to focus on:
Each certificate must specify the subject or the list of DNS hostnames for which the certificate is valid. There
are several ways to specify the subject: a single domain name (www.relativity.com), NetBIOS name
(server01), multiple domain names (www.relativity.com, relativity.com), or using a wildcard (*.relativity.com).
Wildcard certificates are a popular option to protect multiple subdomains with a single certificate.
A Certificate must have an Issuer, which is the Certificate Authority that vouches for the certificate. The
Certificate Authority (CA) digitally signs the server certificate and the client validates that signature. This
establishes a chain of trust between the server, the client, and the Certificate Authority. The client only trusts
a specific list of CAs and the CA vouches for the server's certificate; through the chain of trust, the client will
then trust the server's certificate.
There are well-known Certificate Authorities such as Digicert and Lets Encrypt. These companies issue
certificates for publicly accessible websites. Administrators can also maintain an internal CA for use in
private networks.
Most people are familiar with the "Untrusted Certificate" message in web browsers. For a client (such as a
web browser) to trust a server certificate, several validation checks are performed including:
Once the client validates the server's certificate, a secure connection is negotiated. The client uses the
server's public key to send an encrypted message to the server. The server then decrypts the message
using its private key. This is an oversimplification because the TLS handshake contains many different steps
that are beyond the scope of this document, but the concept holds true. The public and private keys allow
the server and client to exchange private messages and negotiate a secure connection over an insecure
network such as the internet. After establishing the TLS session, the main data transfer can proceed.
Communication between the end user's browser and the Relativity web server is the most critical area to
secure. If your Relativity instance is exposed directly to the internet, meaning any public host can reach the
Relativity login page, then TLS is mandatory. Failure to secure internet-facing traffic will put an organization
at high risk for a security breach.
Even if Relativity is not exposed to the internet, we recommend that traffic between the browser and the web
server be secured via TLS. The Relativity authentication system requires TLS to provide security for the
login page. Therefore, TLS is appropriate and strongly recommended for corporate networks.
Once the traffic between the browser and the Relativity web server is secured, an organization has to decide
if the Relativity back-end must be secured. Some organizations consider the Relativity back-end to be a
trusted network, which means that TLS is not required. For this strategy to work, all back-end servers must
reside behind a firewall. The only network service that should be exposed through the firewall is the
Relativity web server; all back-end traffic should be blocked off. This approach limits Relativity's attack
surface from outside the firewall.
Increasingly, companies take the perspective that all networks are fundamentally untrusted. In this model,
security threats are expected to come not just from the outside but also from within the network. Attacks can
originate from another machine on the network that is compromised or from a malicious employee. Because
the internal network is considered untrusted, all front-end and back-end traffic must be secured. This
security model takes significantly more effort to maintain for an organization’s IT personnel. However, the
benefit is increased security at all layers of the infrastructure.
Ultimately, organizations need to decide about their security policy. The decision should be approached
thoughtfully based on these guidelines:
• Always secure public internet traffic with TLS. This is not optional.
• Strongly consider TLS for internal corporate networks.
• Based on your company's security policy and comfort level with TLS, consider securing Relativity's back-
end traffic as well.
Relativity administrators must ultimately choose the appropriate security model for their organization. Many
factors influence this decision including network topology, organizational policy, and desire to maintain a
certificate infrastructure.
Private Networks do not require any X.509 certificates, except for the Service Bus certificate discussed
earlier. Common use cases include test and development instances of Relativity as well as completely
disconnected from the internet, air-gapped networks. This topology is the simplest to configure, but it
provides no network-level security.
Front-end TLS
The Front-end TLS topology divides the architecture into two zones: trusted and untrusted. All traffic flowing
through an untrusted zone is encrypted using TLS.
The Relativity web servers straddle both zones. All front-end traffic to IIS is encrypted with TLS. Traffic to
Relativity back-end servers is not encrypted. The Relativity back-end is maintained by the administrator and
is typically protected by a firewall that puts it into the trusted zone.
Front-end TLS networks require a single certificate to be installed on every web server. If Relativity is
exposed to the internet, the certificate should be requested from a well-known certificate provider such as
Verisign. Self-signed certificates that are not trusted by the browser are not recommended.
To set up TLS Termination, you need to configure your load balancer to send the X-Forwarded-Proto header
and the X-Forwarded-For header to Relativity. It also must configure it to set the secure flag for all cookies
returned by Relativity.
End-to-End TLS
At the high end of the security spectrum lies End-to-End TLS. The principle behind this topology is to regard
the entire network as untrusted. As a result, all communication between any Relativity component should be
secured with TLS.
As in the TLS Termination approach, the load balancer handles the TLS communication with the browser.
When the load balancer forwards the traffic to Relativity, a separate TLS connection is established with the
web server. Likewise, when the Relativity web server needs to communicate with an API or the database,
that communication is encrypted with another TLS session. This pattern of encrypting each communication
hop continues throughout the infrastructure so that all network traffic is secured.
Certificate Authorities
As part of running Relativity, you may use a Certificate Authority that can generate certificates. This is
separate from a public CA such as Verisign or Thawte.
By contrast, private server networks are controlled environments. Using a public CA is costly, impractical,
and unnecessary in these circumstances. Administrators can easily create an internal Certificate Authority,
which gives complete control over certificates for the internal network.
A Relativity instance that is exposed to the internet will use both approaches:
Relativity only recommends FIPS when mandated by existing corporate or government policies. All other
environments should turn off FIPS (the default for Windows Server).
Appendix
Recommended IIS Crypto Settings
1. We recommend enabling following Ciphers:
a. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
b. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2. We recommend enabling following protocols
a. Enable:
i. TLS 1.2
b. Disabled: