Security architecture

Collibra Data Intelligence Cloud is secure by default, and it offers extra configuration options so that you can align Collibra with your organization's security requirements.

For more information about setting the security options, see Security configuration.

Passwords

User passwords are never stored in plain text, nor in encrypted form. Only a salted hash is stored in the database, so that users can be authenticated:

  • The salt is constructed with a fixed salt, concatenated with a private salt. The private salt changes constantly and is stored in the database next to the hash.
  • The SHA-512 algorithm is used for hashing.
  • The hash function is iterated 10 000 times, which makes brute-force attempts against a stolen hash far more expensive.

This means that passwords cannot be recovered in any way.
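To show how the scheme above fits together, here is an added Python example; it is not Collibra's code. Collibra's actual fixed salt, the concatenation order of salt and password, and how each round feeds the next are not published, so those details are assumptions here. What the example does show is the shape of the scheme: a random private salt is generated per record and stored next to the hash, SHA-512 is iterated 10 000 times, and verification recomputes the hash from the stored salt and compares it in constant time.

```python
import hashlib
import hmac
import os

# Constructed placeholder: the real fixed salt is internal to Collibra and not published.
FIXED_SALT = b"example-fixed-salt-not-the-real-one"
ITERATIONS = 10_000  # iteration count stated on the page


def derive_hash(password: str, private_salt: bytes) -> bytes:
    """Iterated SHA-512 over fixed salt || private salt || password.

    The concatenation order and the chaining of one round into the next are
    assumptions for illustration, not Collibra's published layout.
    """
    digest = hashlib.sha512(FIXED_SALT + private_salt + password.encode("utf-8")).digest()
    for _ in range(ITERATIONS - 1):
        digest = hashlib.sha512(digest).digest()
    return digest


def create_record(password: str) -> dict:
    """Return what would be persisted: the hash and its private salt, never the password."""
    private_salt = os.urandom(16)  # fresh random salt, so equal passwords get different hashes
    return {"salt": private_salt.hex(), "hash": derive_hash(password, private_salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    candidate = derive_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec), verify("wrong password", rec))
```

Two design points worth noting: `hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a guess matched; and because the private salt is random per record, the same password stored twice yields two different hashes, which defeats precomputed lookup tables. A production implementation would normally use a standard construction such as `hashlib.pbkdf2_hmac("sha512", ...)` rather than hand-rolled chaining.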

Configuration passwords are set in Collibra Console. They are encrypted the first time they are read, which is during server start-up.

This way, you can enter passwords in plain text while still preventing them from being read back and misused.

There are no other locations in the product where passwords or other credentials are stored.

Cookies

Collibra uses cookies for some of its functions:

  • JSESSIONID: This cookie stores the ID of the session between the client and the server. The session expires as soon as the browser session ends, and the cookie is not accessible with scripts (HttpOnly).
  • rememberMe: This cookie remembers a user on a certain browser. It is only set when a user selects the Remember me option when signing in. It has an expiration time of one year and is not accessible with scripts (HttpOnly). In the cloud environment, this cookie also carries the Secure attribute.

When supported and enabled in the browser, the Collibra web interface uses local storage to improve performance.
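The cookie properties described above can be verified from a server's Set-Cookie headers. The following is an added example, not Collibra code: a minimal Set-Cookie parser plus a check that mirrors only what this page states (HttpOnly on both cookies, no fixed expiry on JSESSIONID, a one-year lifetime on rememberMe, and the Secure attribute on rememberMe in the cloud environment). The header values in the usage section are constructed.

```python
ONE_YEAR_SECONDS = 365 * 24 * 3600


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def check_cookie(header: str, cloud: bool = True):
    """Return a list of deviations from the properties this page describes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if name == "JSESSIONID":
        # A session cookie must not carry a fixed lifetime.
        if "max-age" in attrs or "expires" in attrs:
            findings.append("JSESSIONID should be a session cookie (no Max-Age/Expires)")
    elif name == "rememberMe":
        max_age = int(attrs["max-age"]) if isinstance(attrs.get("max-age"), str) else 0
        if max_age != ONE_YEAR_SECONDS and "expires" not in attrs:
            findings.append("rememberMe should expire after one year")
        if cloud and "secure" not in attrs:
            findings.append("missing Secure (expected in the cloud environment)")
    return findings


if __name__ == "__main__":
    # Constructed headers, not captured from a real Collibra instance.
    for hdr in (
        "JSESSIONID=abc123; Path=/; HttpOnly",
        "rememberMe=tok; Max-Age=31536000; Path=/; HttpOnly; Secure",
        "rememberMe=tok; Max-Age=31536000; Path=/; HttpOnly",
        "JSESSIONID=abc123; Path=/; Max-Age=3600",
    ):
        print(hdr, "->", check_cookie(hdr) or "ok")
```

Run it against the headers a browser receives on sign-in (with and without Remember me) to confirm the deployment behaves as documented; an empty list means no deviation was found.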

Sign-in attempts

All the sign-in attempts to Collibra or Collibra Console, whether they are successful or not, are tracked and stored in dgc.log and console.log respectively. Each entry contains the following information:

  • ID of the user
  • Status of the sign-in attempt
  • Source IP address of the sign-in attempt
  • Time of the sign-in attempt
Example

  • Successful attempt:

    User logged in: userName='Admin', sessionId='8c7f70e32212294de88f75283a957327', realms=[DGCRealm], timeout=1800000, licenseType=AUTHOR, productPermissions='bsg,rdm,dsm,catalog,helpdesk,policymanager,datadictionary,admin', action=LOGIN, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', timestamp=1648630651804

  • Failed attempt:

    User failed to log in: userName='Admin', sessionId='7cfec1762c3cd6ae6c38d3fe18078ee7', timeout=1800000, licenseType=CONSUMER, action=LOGIN, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', failureReason=org.apache.shiro.authc.AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms., timestamp=1648630616981

  • Sign out:

    User has explicitly logged out: userName='Admin', sessionId='8c7f70e32212294de88f75283a957327', timeout=1800000, licenseType=AUTHOR, action=LOGOUT, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', timestamp=1648630974198
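The entries above are key=value pairs whose values may contain commas and colons (the user agent and the failure reason), so naive splitting breaks. The following is an added Python example, not Collibra's code, that parses the three entries shown on this page and then runs a simple detection over them: it counts failed sign-ins per user and source address inside a sliding time window, which is the first thing a defender wants from dgc.log or console.log. The extra failed entries are constructed for the example; the helper that builds them, the 203.0.113.5 address and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# The three entries below are copied from this page's example.
PAGE_LINES = [
    "User logged in: userName='Admin', sessionId='8c7f70e32212294de88f75283a957327', realms=[DGCRealm], timeout=1800000, licenseType=AUTHOR, productPermissions='bsg,rdm,dsm,catalog,helpdesk,policymanager,datadictionary,admin', action=LOGIN, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', timestamp=1648630651804",
    "User failed to log in: userName='Admin', sessionId='7cfec1762c3cd6ae6c38d3fe18078ee7', timeout=1800000, licenseType=CONSUMER, action=LOGIN, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', failureReason=org.apache.shiro.authc.AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms., timestamp=1648630616981",
    "User has explicitly logged out: userName='Admin', sessionId='8c7f70e32212294de88f75283a957327', timeout=1800000, licenseType=AUTHOR, action=LOGOUT, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', timestamp=1648630974198",
]


def constructed_failure(ts, user="Admin", host="203.0.113.5"):
    """Build a failed sign-in entry in the page's format (constructed sample data, hypothetical helper)."""
    return (f"User failed to log in: userName='{user}', sessionId='constructed', timeout=1800000, "
            f"licenseType=CONSUMER, action=LOGIN, remoteHost='{host}', userAgent='constructed-agent', "
            f"failureReason=org.apache.shiro.authc.AuthenticationException: could not be "
            f"authenticated by any configured realms., timestamp={ts}")


# Page entries plus three constructed failures 5 seconds apart from one address.
SAMPLE_LINES = PAGE_LINES + [constructed_failure(1648630616981 + 5_000 * k) for k in (1, 2, 3)]

# "<message>: <fields>"; the message never contains a colon, so the first ": " ends it.
ENTRY_RE = re.compile(r"^(?P<message>[^:]+): (?P<fields>.*)$")
# Split only at ", key=" so values that themselves contain ", " (user agent, failure reason) survive.
FIELD_SPLIT = re.compile(r", (?=\w+=)")


def parse_entry(line):
    """Return the entry as a dict, or None when the line is not a sign-in entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = {"message": m.group("message")}
    for chunk in FIELD_SPLIT.split(m.group("fields")):
        key, _, value = chunk.partition("=")
        entry[key] = value.strip("'")
    entry["timestamp"] = int(entry["timestamp"])  # epoch milliseconds
    return entry


def failed_login_bursts(lines, threshold=3, window_ms=60_000):
    """Map (userName, remoteHost) -> max failures seen inside any window_ms span, if >= threshold."""
    failures = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["message"] == "User failed to log in":
            failures[(entry["userName"], entry["remoteHost"])].append(entry["timestamp"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window_ms:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for line in PAGE_LINES:
        e = parse_entry(line)
        print(e["message"], e["userName"], e["remoteHost"], e["timestamp"])
    print(failed_login_bursts(SAMPLE_LINES))
```

The single failure from the page's own entries stays below the threshold, while the constructed burst from 203.0.113.5 is flagged; in practice you would feed the parsed entries to your SIEM with userName, remoteHost, action and failureReason as separate fields rather than alerting from this script directly.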