General Security Considerations for AEM Forms on JEE general-security-considerations-for-aem-forms-on-jee

This article provides introductory information that helps you prepare for hardening your AEM Forms environment. It includes prerequisite information about AEM Forms on JEE, operating system, application server, and database security. Review this information before you continue to lock down your environment.

Vendor-specific security information vendor-specific-security-information

This section contains security-related information about operating systems, application servers, and databases that are incorporated into your AEM Forms on JEE solution.

Use the links in this section to find vendor-specific security information for your operating system, database, and application server.

Operating system security information operating-system-security-information

When securing your operating system, carefully consider implementing the measures described by your operating system vendor, including the following:

  • Defining and controlling users, roles, and privileges
  • Monitoring logs and audit trails
  • Removing unnecessary services and applications
  • Backing up files

For security information about operating systems that AEM Forms on JEE supports, see the resources in the table:

Operating System
Security Resource
IBM® AIX® 7.2
IBM® AIX® Security Benefits
Microsoft® Windows Server® 2016
Windows Server 2016 Security Guide
Red Hat® Linux® AP or ES
Red Hat® Enterprise Linux® Security Guide
Sun Solaris™ 11
Security and Hardening Guidelines
Oracle Linux® 7 Update 3
Security Guide for Release 7
CentOS 7
Protection documentation

Application server security information application-server-security-information

When securing your application server, carefully consider implementing the measures described by your server vendor, including the following:

  • Using non-obvious administrator user name
  • Disabling unnecessary services
  • Securing the console manager
  • Enabling secure cookies
  • Closing unneeded ports
  • Limiting clients by IP addresses or domains
  • Using the Java™ Security Manager to programmatically restrict privileges

For security information about application servers that AEM Forms on JEE supports, see the resources in this table.

Application Server
Security Resource
Oracle WebLogic®
Search for Understanding WebLogic Security at
IBM® WebSphere®
Securing applications and their environment
Red Hat® JBoss®
Security subsystem configuration

Database security information database-security-information

When securing your database, consider implementing the measures described by your database vendor, including the following:

  • Restricting operations with access control lists (ACLs)
  • Using non-standard ports
  • Hiding the database behind a firewall
  • Encrypting sensitive data before writing it to the database (see the database manufacturer’s documentation)

For security information about databases that AEM Forms on JEE supports, see the resources in this table.

Security Resource
IBM® DB2® 11.1
DB2® Product Family Library
Microsoft® SQL Server 2016
Search the Web for "SQL Server 2016: Security"

MySQL 5.0 General Security Issues

MySQL 5.1 General Security Issues

Oracle® 12c
See the Security chapter in the Oracle 12g documentation

This table describes the default ports that are required to be open during your AEM Forms on JEE configuration process. If you are connecting over https, adjust your port information and IP addresses accordingly. For more information about configuring ports, see the Installing and Deploying AEM Forms on JEE document for your application server.

Product or service
Port number


WebLogic Managed Server

Set by administrator during configuration



9060, if Global Security is enabled the default SSL port value is 9043.



BAM Server















SQL Server




The port on which the LDAP server is running. The default port is typically 389. However, if you select the SSL option, the default port is typically 636. Confirm with your LDAP administrator which port to specify.

Configuring JBoss® to use a non-default HTTP port configuring-jboss-to-use-a-non-default-http-port

JBoss® Application Server uses 8080 as the default HTTP port. JBoss® also has pre-configured ports 8180, 8280, and 8380, which are commented out in the jboss-service.xml file. If you have an application on your computer that already uses this port, change the port that AEM Forms on JEE uses by following these steps:

  1. Open the following file for editing:

    Single-Server installation: [JBoss® root]/standalone/configuration/standalone.xml

    Cluster installtions: [JBoss® root]/domain/configuration/domain.xml

  2. Change the value of port attribute in the <socket-binding> tag to a custom port number. For example, the following uses port 8090:

    <socket-binding name=“http” port=“8090”/>

  3. Save and close the file.

  4. Restart the JBoss® application server.

It is recommended to use the ‘Ctrl + C’ command to restart the SDK. Restarting the AEM SDK using alternative methods, for example, stopping Java processes, may lead to inconsistencies in the AEM development environment.

AEM Forms on JEE security considerations aem-forms-on-jee-security-considerations

This section describes some AEM Forms on JEE-specific security issues that you should know about.

Email credentials not encrypted in database email-credentials-not-encrypted-in-database

The email credentials stored by applications are not encrypted before they are stored in the AEM Forms on JEE database. When you configure a service endpoint to use email, any password information used as part of that endpoint configuration is not encrypted when it is stored in the database.

Sensitive content for Rights Management in the database sensitive-content-for-rights-management-in-the-database

AEM Forms on JEE uses the AEM Forms on JEE database to store sensitive document key information and other cryptographic material that is used for policy documents. Securing the database against intrusion helps to protect this sensitive information.

Password in clear text form password-in-clear-text-format-in-adobe-ds-xml

The application server that is used to run AEM Forms on JEE requires its own configuration for access to your database through a data source that is configured on the application server. Ensure that your application server does not expose your database password in clear text in its data source configuration file.

The lc_[database].xml file should not contain password in clear text format. Consult your application server vendor about how to encrypt these passwords for your application server.

The AEM Forms on JEE JBoss® turnkey installer encrypts the database password.

IBM® WebSphere® Application Server and Oracle WebLogic Server may encrypt data source passwords by default. However, you should confirm with your application server documentation to ensure that it is happening.

Protecting the private key stored in Trust Store protecting-the-private-key-stored-in-trust-store

The private keys or credentials imported in Trust Store are stored in AEM Forms on JEE database. To secure the database and restrict access to designated administrators only, take appropriate precautions.