Access security


Access to the DocuWare system and the file cabinets is protected by a login procedure and by secure data exchange between the components.

Authentication checks and verifies the identity of the user who logs on. This also applies to IT components or applications that are to access the DocuWare system.

More information on setting up a locally installed DocuWare system is available in the White Paper On-Premises.

More information on setting up DocuWare Cloud is available in the White Paper DocuWare Cloud.

Login Methods

Using DocuWare always requires logging in to the DocuWare Identity Service first. As a central service, it is responsible for logging into DocuWare for all organizations within DocuWare. The user must identify himself as authorized via name and password.

The Identity Service enables authentication via single sign-on (SSO). The client logs on to the external provider, which in turn generates a token for the DocuWare Identity Service. This token is stored in the browser until it expires or the browser cache is cleared. When the token expires, the customer must log in again to obtain a new token.

Communication between the components is encrypted via HTTPS.

It is also possible to force single sign-on. This means that users no longer have the option of entering login data manually. By enforcing SSO within DocuWare, multi-factor authentication (MFA) can also be indirectly enforced, provided MFA is set up at the identity provider.

Passwords

In addition to the passwords of DocuWare users, the database server password and the password for the mail server are stored in cryptographically secured form so that only the server components can decrypt them. This keeps them secure even if some users, such as backup operators, have access to the database.

Technical implementation

The PBKDF2 algorithm (Password-Based Key Derivation Function 2) is used for password encryption. A hash function is applied to the password together with a salt value. Because the salt is a random value, even two identical passwords do not produce the same hash value. The function is then applied to the result several thousand times. This procedure makes it difficult for hackers to deduce the original password from the hashed value using brute-force attacks.
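The salted, iterated hashing described above can be sketched as follows. This is an added example, not DocuWare's code: the hash function (HMAC-SHA256), the iteration count, the salt length and the `iterations$salt$hash` storage format are all assumptions, since the page does not state them.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration; the page gives no concrete values.
HASH_NAME = "sha256"
ITERATIONS = 100_000   # assumed; the page only says "several thousand times"
SALT_BYTES = 16        # assumed salt length


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'iterations$salt_hex$hash_hex' (assumed format)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                  salt, iterations)
    return f"{iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    try:
        iter_str, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # a malformed record never verifies
    if iterations <= 0:
        return False
    derived = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                  salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    pw = "Constructed-Example-Pw-1"      # constructed sample value
    first, second = hash_password(pw), hash_password(pw)
    print("records differ for identical passwords:", first != second)
    print("correct password verifies:", verify_password(pw, first))
    print("wrong password verifies:", verify_password("other", first))
```

Storing the iteration count next to the salt lets the count be raised later without invalidating existing records.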

Password Settings

The complexity of passwords within the organization can be specified in the security settings for the organization (up to and including version 7.11: in the organization settings in DocuWare Configuration). For example, passwords must then have at least one capital letter, one lower-case letter, one number and/or one special character. In addition, you can define the minimum length of the password, how many days it remains valid and how many incorrect entries are possible before the user account is locked.

It is recommended to set a minimum length of 14 characters for passwords and to require different character sets. Using randomly generated passwords also increases security.

As of DocuWare version 7.12, a company-wide password policy is set up for new organizations that prevents users from using insecure passwords.

The administrator of the organization can disable the password time limit again for specific users in the user management area. This is particularly useful when services need to log on to a server as users.

If a user forgets their password, they can request a new, automatically generated password, sent by email, via a link in the login dialog of the Web Client. The user can use this to log on to Web Client and set up a new personal password.

Users, including the organization administrator, cannot reset the password of other users. High-security users have to restore their password themselves.

Communication between Components

To prevent an external attack and the unauthorized access of data, it is important to secure the communication between the web-based client applications and the platform service with SSL/TLS (HTTPS).

In DocuWare Cloud, this is done automatically.

If you use a locally installed DocuWare system, you must carry out the following steps in IIS Manager to configure the DocuWare Web components for HTTPS (SSL/TLS):

  • Import the certificate or certificates ("server certificate", "Import" action).

  • Adapt the website binding and make it accessible via SSL/TLS.

  • If necessary, remove the HTTP binding for security reasons (optional).