Configure Runtime Security
Overview
A Runtime, installed with the default configuration, can be accessed by any user, to perform operations such as listing or starting sessions.
You can enhance the security of the Runtime using the engineParameters.xml
configuration file:
-
Secure Communications with TLS, for RMI, HTTP and REST/SOAP.
-
Configure Authenticated Access with roles and permissions.
A basic secured configuration sample is given below.
<parameters>
<...>
<engineParameters>
<...>
<!-- Secure RMI, HTTP, and Web Services endpoints with TLS -->
<parameter name="rmiEnableTls" value="true"/>
<...>
<parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
<parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
<parameter name="webServiceKeyStoreType" value="JKS"/>
<parameter name="webServiceKeyStorePassword" value="keystore_password"/>
<parameter name="webServiceKeyAlias" value="key_alias"/>
<parameter name="webServiceKeyPassword" value="key_password"/>
<...>
</engineParameters>
<...>
<security>
<!-- At least one user (even anonymous) should be defined -->
<!-- Anonymous access with limited permissions -->
<user anonymous="true" roles="Connect View"/>
<!-- Authenticated access for advanced permissions -->
<user name="admin" uncryptedPassword="admin" roles="Admin"/>
<user name="developer" uncryptedPassword="developer" roles="Connect View Execute"/>
<user name="consult" uncryptedPassword="consult" roles="Connect View"/>
<!-- Access restriction by IP address -->
<allow address="192.168.0.42"/>
</security>
<...>
</parameters>
Secure Communications with TLS
Configure the Runtime
To enable TLS for RMI, HTTP, and Web services endpoints, you have to define the following parameters:
<parameters>
<...>
<engineParameters>
<...>
<parameter name="rmiEnableTls" value="true"/>
<...>
<parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
<parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
<parameter name="webServiceKeyStoreType" value="JKS"/>
<parameter name="webServiceKeyStorePassword" value="keystore_password"/>
<parameter name="webServiceKeyAlias" value="key_alias"/>
<parameter name="webServiceKeyPassword" value="key_password"/>
<...>
</engineParameters>
<...>
</parameters>
Note that defining the keystore and certificate details is mandatory if you want to enable TLS. |
The following parameters are available to secure the communications:
Parameter | Description |
---|---|
|
Set to true to secure the RMI protocol with TLS. |
|
Protocol to be used to secure the endpoints. For example, TLSv1.1. |
|
Path to the Java keystore containing the certificate used to secure the endpoints. |
|
Java keystore type, such as |
|
Password of the keystore file. |
|
Alias of the key in the keystore. |
|
Password of the key. |
Configure the Clients
When the Runtime endpoints are secure with TLS, clients such as Designer, Analytics, or command line scripts will need to use the certificate for their communications with the Runtime.
If you are using certificates provided from an official authority, this will most of the time work without having to configure the certificate on the clients.
If you are using self-signed certificates, you will have to configure the clients to know this certificate.
Configure Authenticated Access
Configure Users
You can define the users that can connect to the Runtime and their permissions.
The syntax is the following:
<parameters>
<...>
<security>
<...>
<user anonymous="true" roles="Connect View"/>
<user name="user01" password="xxxxxx" uncryptedPassword="password" roles="Connect View Execute"/>
<user name="user02" password="xxxxxx" uncryptedPassword="password" roles="Connect View Execute"/>
<...>
</security>
<...>
</parameters>
The following parameters are available to define users.
Parameter | Description |
---|---|
|
User name, that will be used as the login credential |
|
Encrypted password of the user. |
|
Uncrypted (plain text) password of the user. |
|
Space-separated list of roles for the user. The possible roles are:
|
|
The Anonymous User
An anonymous user can be set, to specify the permissions of the users that connect to the Runtime without specifying credentials, as shown below.
<user anonymous="true" roles="Connect View"/>
When the anonymous user is set, it is therefore not mandatory to specify credentials when connecting. A user connecting with no credentials will have the permissions of the anonymous user.
When the anonymous user is not set, credentials are required to connect and anonymous connections are rejected.
Note that only one anonymous user can be set at a time.
The security node must contain at least one user, which can be a normal or anonymous user. |
Restrict Access by Hostname/IP Address
You can define the machines allowed to connect to the runtime by their hostname and IP address.
The syntax is the following:
<parameters>
<...>
<security>
<...>
<allow address="Hostname or IP Address"/>
<allow address="Hostname or IP Address"/>
<...>
</security>
<...>
</parameters>