In FileNet® P8 environments the Content Platform Engine server assumes that a user's short name passed to it by means of an IIOP request from Application Engine, Workplace XT, or an associated custom application has been properly authenticated and can be trusted.
WebSphere® Application Server and Oracle WebLogic Suite have mechanisms such as Lightweight Third-Party Authentication (LTPA) keys to secure IIOP communications, which establish this kind of trust relationship between Java™ Virtual Machines (JVMs). JBoss Application Server, however, has no comparable feature to prevent unauthenticated access, so a security risk exists between the Content Platform Engine JVM and the calling application's JVM.
To mitigate the risk of unauthenticated user short names being passed to the Content Platform Engine server under JBoss Application Server, place a firewall on the Content Platform Engine server that allows only the trusted JVMs associated with Application Engine, Workplace XT, or custom applications to connect to the Content Platform Engine JVM's IIOP port.
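As an added illustration that is not part of the IBM documentation, the following POSIX shell script generates an nftables ruleset that admits TCP connections to the Content Platform Engine IIOP port only from the addresses of the trusted Application Engine, Workplace XT or custom-application JVMs, and logs, counts and drops every other connection attempt to that port. The port 3528 (assumed to be the JBoss IIOP default), the table name `cpe_iiop` and the host addresses are assumptions; take the real values from your deployment.

```shell
#!/bin/sh
# Added example, not IBM's code: build an nftables ruleset that restricts the
# Content Platform Engine IIOP port to trusted JVM hosts. Port 3528 is the
# assumed JBoss IIOP default; host addresses are placeholders.

valid_ipv4() {
    # Reject anything that is not a dotted quad with octets in 0..255, so a
    # malformed host entry cannot end up inside the generated ruleset.
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        [ -n "$d" ] || exit 1
        for o in "$a" "$b" "$c" "$d"; do
            case "$o" in ''|*[!0-9]*) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done
        exit 0
    }
}

build_iiop_ruleset() {
    # $1 = CPE IIOP port, remaining arguments = addresses of trusted JVM hosts.
    port="$1"; shift
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$#" -gt 0 ] || { echo "no trusted hosts given" >&2; return 1; }
    elements=""
    for h in "$@"; do
        valid_ipv4 "$h" || { echo "bad address: $h" >&2; return 1; }
        elements="${elements:+$elements, }$h"
    done
    # Declare-then-delete makes reloading idempotent; only this table is touched.
    cat <<EOF
table inet cpe_iiop
delete table inet cpe_iiop
table inet cpe_iiop {
    set trusted_jvms {
        type ipv4_addr
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $port ip saddr @trusted_jvms accept
        tcp dport $port log prefix "cpe-iiop-denied " counter drop
    }
}
EOF
}
```

Review the generated text first, then load it on the Content Platform Engine host as root with `build_iiop_ruleset 3528 10.0.0.11 10.0.0.12 | nft -f -`; the `cpe-iiop-denied` log prefix makes unexpected IIOP clients visible in the kernel log.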