Configure Runtime Security

Overview

A Runtime, installed with the default configuration, can be accessed by any user, to perform operations such as listing or starting sessions.

You can enhance the security of the Runtime using the engineParameters.xml configuration file:

Secure Communications with TLS, for RMI, HTTP and REST/SOAP.
Configure Authenticated Access with roles and permissions.
Restrict Access by Hostname/IP Address

A basic secured configuration sample is given below.

<parameters>
<...>
  <engineParameters>
  <...>
   <!-- Secure RMI, HTTP, and Web Services endpoints with TLS -->
   <parameter name="rmiEnableTls" value="true"/>
   <...>
   <parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
   <parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
   <parameter name="webServiceKeyStoreType" value="JKS"/>
   <parameter name="webServiceKeyStorePassword" value="keystore_password"/>
   <parameter name="webServiceKeyAlias" value="key_alias"/>
   <parameter name="webServiceKeyPassword" value="key_password"/>
   <...>
  </engineParameters>
  <...>
  <security>
   <!-- At least one user (even anonymous) should be defined -->
   <!-- Anonymous access with limited permissions -->
   <user anonymous="true" roles="Connect View"/>
   <!-- Authenticated access for advanced permissions -->
   <user name="admin"  uncryptedPassword="admin" roles="Admin"/>
   <user name="developer"  uncryptedPassword="developer" roles="Connect View Execute"/>
   <user name="consult"  uncryptedPassword="consult" roles="Connect View"/>
   <!-- Access restriction by IP address -->
   <allow address="192.168.0.42"/>
  </security>
<...>
</parameters>

Secure Communications with TLS

Configure the Runtime

To enable TLS for RMI, HTTP, and Web services endpoints, you have to define the following parameters:

<parameters>
<...>
  <engineParameters>
   <...>
   <parameter name="rmiEnableTls" value="true"/>
   <...>
   <parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
   <parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
   <parameter name="webServiceKeyStoreType" value="JKS"/>
   <parameter name="webServiceKeyStorePassword" value="keystore_password"/>
   <parameter name="webServiceKeyAlias" value="key_alias"/>
   <parameter name="webServiceKeyPassword" value="key_password"/>
   <...>
  </engineParameters>
<...>
</parameters>

Note that defining the keystore and certificate details is mandatory if you want to enable TLS.
They are used to secure all the different protocols: RMI, HTTP, and Web Services endpoints.
Once they are defined, they automatically secure RMI (if RMIS is enabled), HTTP and web services.

The following parameters are available to secure the communications:

Parameter Description

Parameter	Description
`rmiEnableTls`	Set to true to secure the RMI protocol with TLS.
`webServiceSecureProtocol`	Protocol to be used to secure the endpoints. For example, TLSv1.1.
`webServiceKeyStoreFile`	Path to the Java keystore containing the certificate used to secure the endpoints.
`webServiceKeyStoreType`	Java keystore type, such as `JKS`.
`webServiceKeyStorePassword`	Password of the keystore file.
`webServiceKeyAlias`	Alias of the key in the keystore.
`webServiceKeyPassword`	Password of the key.

rmiEnableTls

Set to true to secure the RMI protocol with TLS.

webServiceSecureProtocol

Protocol to be used to secure the endpoints. For example, TLSv1.1.

webServiceKeyStoreFile

Path to the Java keystore containing the certificate used to secure the endpoints.

webServiceKeyStoreType

Java keystore type, such as JKS.

webServiceKeyStorePassword

Password of the keystore file.

webServiceKeyAlias

Alias of the key in the keystore.

webServiceKeyPassword

Password of the key.

Configure the Clients

When the Runtime endpoints are secure with TLS, clients such as Designer, Analytics, or command line scripts will need to use the certificate for their communications with the Runtime.

If you are using certificates provided from an official authority, this will most of the time work without having to configure the certificate on the clients.

If you are using self-signed certificates, you will have to configure the clients to know this certificate.

Configure Authenticated Access

Configure Users

You can define the users that can connect to the Runtime and their permissions.

The syntax is the following:

<parameters>
<...>
  <security>
   <...>
   <user anonymous="true" roles="Connect View"/>
   <user name="user01"  password="xxxxxx" uncryptedPassword="password" roles="Connect View Execute"/>
   <user name="user02"  password="xxxxxx" uncryptedPassword="password" roles="Connect View Execute"/>
   <...>
  </security>
<...>
</parameters>

The following parameters are available to define users.

Parameter Description

Parameter	Description
`name`	User name, that will be used as the login credential
`password`	Encrypted password of the user.
`uncryptedPassword`	Uncrypted (plain text) password of the user.
`roles`	Space-separated list of roles for the user. The possible roles are: `Connect`: The user can connect to the Runtime (required) `View`: The user can list and view all the sessions of the Runtime `Execute`: The user can execute deliveries on the Runtime `Admin`: The user has the full permissions on the Runtime. This is required for operations such as purging the sessions or scheduling deliveries.

name

User name, that will be used as the login credential

password

Encrypted password of the user.

uncryptedPassword

Uncrypted (plain text) password of the user.

roles

Space-separated list of roles for the user. The possible roles are:

Connect: The user can connect to the Runtime (required)
View: The user can list and view all the sessions of the Runtime
Execute: The user can execute deliveries on the Runtime
Admin: The user has the full permissions on the Runtime. This is required for operations such as purging the sessions or scheduling deliveries.

Passwords are encrypted using the encrypt <password> command on the Runtime engine console (engine command line tool).
Only one of the password or uncryptedPassword should be set
Multiple roles can be assigned to one user, separated with space characters

The Anonymous User

An anonymous user can be set, to specify the permissions of the users that connect to the Runtime without specifying credentials, as shown below.

<user anonymous="true" roles="Connect View"/>

When the anonymous user is set, it is therefore not mandatory to specify credentials when connecting. A user connecting with no credentials will have the permissions of the anonymous user.

When the anonymous user is not set, credentials are required to connect and anonymous connections are rejected.

Note that only one anonymous user can be set at a time.

The security node must contain at least one user, which can be a normal or anonymous user.

Restrict Access by Hostname/IP Address

You can define the machines allowed to connect to the runtime by their hostname and IP address.

The syntax is the following:

<parameters>
  <...>
  <security>
   <...>
   <allow address="Hostname or IP Address"/>
   <allow address="Hostname or IP Address"/>
   <...>
  </security>
  <...>
</parameters>