Security architecture
Collibra Platform is secure by default, and it offers additional configuration options so that Collibra can meet your organization's security requirements.
For more information about setting the security options, see Security configuration.
Passwords
User passwords are never stored in plain text or in encrypted form. Only a salted hash is stored in the database, which is sufficient to authenticate users:
- The salt is constructed from a fixed salt concatenated with a private salt. The private salt changes constantly and is stored in the database next to the hash.
- The SHA-512 algorithm is used for hashing.
- The hash is computed with 10 000 iterations, which makes brute-force attacks against the stored hashes expensive.
As a result, passwords cannot be recovered from the stored values in any way.
The password settings are managed in Collibra Console. Passwords that you enter there are encrypted the first time they are read, which happens during server start-up.
This way, you can enter passwords in plain text, but they do not remain in plain text where they could be misused.
There are no other locations in the product where passwords or other credentials are stored.
PostgreSQL passwords
To better protect the passwords of the PostgreSQL accounts that connect to the PostgreSQL database of the Repository service, we have replaced the older password hashing method with scram-sha-256. The new hashing method gives our databases better protection against brute-force attacks.
Collibra Data Governance Center 5.9.1 and Collibra Platform 2023.05 introduce this hashing method.
For the cloud versions, you don't need to take any action. We automatically apply the new hashing method when we upgrade your environment to 2023.05 or newer.
For the on-premises versions, you don't need to take any action either.
However, if you added any user other than the default ones of a Collibra DGC installation, you have to change the passwords of those accounts to apply the scram-sha-256 hashing. We automatically apply the new hashing to the two default user accounts, collibra and dgc, when you upgrade to 5.9.1 or newer. In PostgreSQL, you can check which method an account currently uses by looking at the prefix of its rolpassword value in pg_authid: SCRAM-SHA-256$ for the new method, md5 for the old one.
Important: The new hashing method only affects PostgreSQL users, not Collibra users.
Cookies
Collibra uses cookies for some of its functions:
- JSESSIONID: This cookie stores the ID of the session between the client and the server. The session expires as soon as the browser session ends, and the cookie is not accessible from scripts (HttpOnly).
- rememberMe: This cookie remembers a user on a certain browser. It is only set when a user selects the Remember me option when signing in. It has an expiration time of one year and is not accessible from scripts (HttpOnly). In the cloud environment, this cookie is also marked Secure, so it is only sent over HTTPS.
When supported and enabled in the browser, the Collibra web interface uses local storage to improve performance.
Sign-in attempts
All sign-in attempts to Collibra or Collibra Console, whether successful or not, are tracked and stored in dgc.log and console.log respectively. Each entry contains the following information:
- ID of the user
- Status of the sign-in attempt
- Source IP address of the sign-in attempt
- Time of the sign-in attempt
Example entries:
- Successful attempt:
User logged in: userName='Admin', sessionId='8c7f70e32212294de88f75283a957327', realms=[DGCRealm], timeout=1800000, licenseType=AUTHOR, productPermissions='bsg,rdm,dsm,catalog,helpdesk,policymanager,datadictionary,admin', action=LOGIN, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', timestamp=1648630651804
- Failed attempt:
User failed to log in: userName='Admin', sessionId='7cfec1762c3cd6ae6c38d3fe18078ee7', timeout=1800000, licenseType=CONSUMER, action=LOGIN, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', failureReason=org.apache.shiro.authc.AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms., timestamp=1648630616981
- Sign out:
User has explicitly logged out: userName='Admin', sessionId='8c7f70e32212294de88f75283a957327', timeout=1800000, licenseType=AUTHOR, action=LOGOUT, remoteHost='0:0:0:0:0:0:0:1', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15', timestamp=1648630974198
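As an added example (not Collibra's own code), the following Python parses entries in the dgc.log format shown above and flags a host and user name with repeated failed sign-ins in a short window, as well as any such pair that subsequently signs in successfully. The sample entries, hosts, session IDs and timestamps are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample entries in the dgc.log sign-in format shown above
# (hosts, session IDs and timestamps are made up for this example).
SAMPLE_LOG = """\
User failed to log in: userName='Admin', sessionId='7cfec1762c3cd6ae6c38d3fe18078ee7', timeout=1800000, licenseType=CONSUMER, action=LOGIN, remoteHost='203.0.113.7', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)', failureReason=org.apache.shiro.authc.AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms., timestamp=1648630616981
User failed to log in: userName='Admin', sessionId='1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f60', timeout=1800000, licenseType=CONSUMER, action=LOGIN, remoteHost='203.0.113.7', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)', failureReason=org.apache.shiro.authc.AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms., timestamp=1648630646981
User failed to log in: userName='Admin', sessionId='0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d', timeout=1800000, licenseType=CONSUMER, action=LOGIN, remoteHost='203.0.113.7', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)', failureReason=org.apache.shiro.authc.AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms., timestamp=1648630676981
User logged in: userName='Admin', sessionId='8c7f70e32212294de88f75283a957327', realms=[DGCRealm], timeout=1800000, licenseType=AUTHOR, productPermissions='bsg,rdm,dsm,catalog,helpdesk,policymanager,datadictionary,admin', action=LOGIN, remoteHost='203.0.113.7', userAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)', timestamp=1648630706981
User failed to log in: userName='jdoe', sessionId='5f6e7d8c9b0a1f2e3d4c5b6a79881726', timeout=1800000, licenseType=CONSUMER, action=LOGIN, remoteHost='198.51.100.9', userAgent='curl/8.0.1', failureReason=org.apache.shiro.authc.AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms., timestamp=1648630700000
""".splitlines()

# key=value pairs: quoted values may contain commas (userAgent, productPermissions);
# unquoted values such as failureReason run until the next ", key=" or end of line.
_PAIR = re.compile(r"(\w+)=('[^']*'|.+?)(?=, \w+=|$)")

def parse_entry(line):
    """Split one sign-in entry into its event text plus a dict of its fields."""
    event, sep, rest = line.partition(": ")
    if not sep:
        return None
    fields = {k: v.strip("'") for k, v in _PAIR.findall(rest)}
    fields["event"] = event
    return fields

def find_bursts(lines, threshold=3, window_ms=300_000):
    """Return ({(remoteHost, userName): failures}, [pairs that succeeded after
    being flagged]) for pairs with >= threshold failed LOGINs inside window_ms."""
    failures = defaultdict(list)
    flagged = {}
    succeeded_after_flag = []
    for line in lines:
        e = parse_entry(line)
        if not e or e.get("action") != "LOGIN":
            continue  # skip LOGOUT entries and unparseable lines
        key = (e["remoteHost"], e["userName"])
        ts = int(e["timestamp"])
        if "failureReason" in e:
            failures[key].append(ts)
            failures[key] = [t for t in failures[key] if ts - t <= window_ms]
            if len(failures[key]) >= threshold:
                flagged[key] = len(failures[key])
        elif key in flagged:
            succeeded_after_flag.append(key)
    return flagged, succeeded_after_flag

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```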