Configure Runtime Security

Overview

A Runtime, installed with the default configuration, only listens to localhost and requires logging in with a user defined in the configuration file to perform operations such as listing or starting sessions.

You can enhance and customize the security of the Runtime using the engineParameters.xml configuration file:

Secure Communications with TLS for HTTP (REST and SOAP) endpoints.
Configure Authenticated Access with roles and permissions.
Restrict Access by Hostname/IP Address.

A basic secured configuration sample is given below.

<parameters>
<...>
  <engineParameters>
  <...>
   <parameter name="webServiceSecureProtocol" value="TLSv1.1"/>(1)
   <parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
   <parameter name="webServiceKeyStoreType" value="JKS"/>
   <parameter name="webServiceKeyStorePassword" value="keystore_password"/>
   <parameter name="webServiceKeyAlias" value="key_alias"/>
   <parameter name="webServiceKeyPassword" value="key_password"/>
   <...>
  </engineParameters>
  <...>
  <security> (2)
   <user name="admin"  uncryptedPassword="admin-password" roles="Admin"/> (3)
   <user name="developer"  uncryptedPassword="developer-password" roles="Connect View Execute"/> (3)
   <user name="api-user"  uncryptedPassword="api-user-password" roles="Connect ExecuteAPI"/> (3)
   <user name="viewer"  uncryptedPassword="viewer-password" roles="Connect View"/> (3)
   <allow address="192.168.0.42"/> (4)
   <allow address="192.168.0.43"/> (4)
  </security>
<...>
</parameters>

1	Secure HTTP (REST and SOAP) endpoints with TLS.
2	Secure access with users, roles, and network restrictions. The security configuration is mandatory.
3	User definition, with associated roles. It is mandatory to define at least one user.
4	Optional network access restriction by IP or hostname address.

Secure Communications with TLS

Configure the Runtime

To enable TLS for HTTP (REST and SOAP) endpoints, you have to define the following parameters:

<parameters>
<...>
  <engineParameters>
   <...>
   <parameter name="webServiceSecureProtocol" value="TLSv1.1"/>
   <parameter name="webServiceKeyStoreFile" value="D:/keystore/mykeystore.jks"/>
   <parameter name="webServiceKeyStoreType" value="JKS"/>
   <parameter name="webServiceKeyStorePassword" value="keystore_password"/>
   <parameter name="webServiceKeyAlias" value="key_alias"/>
   <parameter name="webServiceKeyPassword" value="key_password"/>
   <...>
  </engineParameters>
<...>
</parameters>

The keystore and certificate details are mandatory if you enable TLS. They are used to secure all the HTTP endpoints (REST and SOAP).

Table 1. Communication Security Parameters
Parameter	Default value	Description
`webServiceSecureProtocol`		Protocol to be used to secure the endpoints. For example, TLSv1.1.
`webServiceKeyStoreFile`		Path to the Java keystore containing the certificate used to secure the endpoints.
`webServiceKeyStoreType`		Java keystore type, such as `JKS`.
`webServiceKeyStorePassword`		Password of the keystore file.
`webServiceKeyAlias`		Alias of the key in the keystore.
`webServiceKeyPassword`		Password of the key.
`enableAccessRestrictionOverHTTP`	false	By default, Runtime Access Restriction can be modified only when the Runtime is secured with HTTPS. Define this parameter to `true` if you want to remove this security policy and change the access restriction configuration even though you are with HTTP. We recommend enabling this with caution, only if you are certain that no attacker can intercept the network traffic in your environment. By default, this parameter is defined to `false` for security purposes, because with HTTP the network messages are unsecured and the restriction can be bypassed by attackers. See Runtime Access Restriction.

Configure the Clients

When the Runtime endpoints are secured with TLS and a certificate, clients such as Designer, Analytics, or command line scripts use that certificate to communicate with the Runtime.

The clients that connect to the Runtime must therefore:

Use the HTTPS protocol:
- When connecting to the runtime, make sure to use HTTPS instead of HTTP in all URLs. As an example, see Runtime Connect Command and Runtime Configuration in Analytics.
Provide the certificate to the client, if necessary:
- If you use a certificate signed by an authority, you do not need to provide it to the clients.
- If you use a self-signed certificate, you must provide it to the clients, because Java refuses connections with a self-signed certificate by default, for security purposes. For this, add the certificate to the Trustore of the JVM used by the clients.

Configure Authenticated Access

Summary

You must define users and their associated roles that will be used to connect to the Runtime.

At least one user must be defined in the Runtime configuration file. The Runtime will not start if there is no security element or no user defined in the configuration.

Standard Users

Users are defined as shown below:

Example 1. User Configuration

<parameters>
<...>
  <security>
   <...>
   <user name="user01"  password="xxxxxx" uncryptedPassword="password" roles="Connect View Execute"/>
   <user name="user02"  password="xxxxxx" uncryptedPassword="password" roles="Connect View Execute ExecuteAPI"/>
   <...>
  </security>
<...>
</parameters>

Table 2. User Configuration Properties
Parameter	Description
`name`	User name, that will be used as the login credential.
`password`	Encrypted password of the user.
`uncryptedPassword`	Unencrypted (plain text) password of the user.
`roles`	Space-separated list of roles for the user. The possible roles are: `Connect`: The user can connect to the Runtime (required) `View`: The user can list and view all the sessions of the Runtime `Execute`: The user can execute deliveries on the Runtime with standalone clients (Semarchy xDI Designer, Semarchy xDI Production Analytics, or command-line.). `ExecuteAPI`: The user can execute deliveries on the Runtime through the API endpoints (REST and SOAP). `Admin`: The user has the full permissions on the Runtime. This is required for operations such as purging the sessions or scheduling deliveries.

Passwords are encrypted using the encrypt <password> command on the Runtime engine console (engine command line tool).
Only one of the password or uncryptedPassword properties should be set.
Multiple roles can be assigned to one user, separated by space characters

Anonymous User

You can define an anonymous user to give access to the Runtime without authentication, with default roles. This is optional, and only one anonymous user can be defined.

When the anonymous user is defined, the Runtime can be accessed with no authentication, and the tasks associated with the defined roles can be performed.

Example 2. Anonymous User Configuration

<parameters>
<...>
  <security>
   <...>
   <user anonymous="true" roles="Connect View"/>
   <...>
  </security>
<...>
</parameters>

Table 3. Anonymous User Configuration Properties
Parameter	Description
`anonymous`	Defines that this user is the anonymous user. Must be set to `true`.
`roles`	Space-separated list of roles for the user. The possible roles are: `Connect`: The user can connect to the Runtime (required) `View`: The user can list and view all the sessions of the Runtime `Execute`: The user can execute deliveries on the Runtime `Admin`: The user has the full permissions on the Runtime. This is required for operations such as purging the sessions or scheduling deliveries.

You can define both an anonymous user with limited privileges and authenticated users with more privileges.

Restrict Access by Hostname/IP Address

You can define the machines allowed to connect to the runtime by their hostname and IP address.

The default configuration file allows connecting from the local machine only. You can define additional allow nodes to authorize multiple machines, or disable access restriction by removing all the allow nodes.

By default, the access restriction can be modified only when the Runtime is secured with HTTPS.

If the Runtime is configured with HTTP, the access restriction is limited to localhost only and cannot be changed for security purposes, because with HTTP the network messages are unsecured and the restriction can be bypassed by attackers. If necessary, this security policy can be removed by the enableAccessRestrictionOverHTTP parameter. See Configure the Runtime.

Example 3. Hostname/IP Address Configuration

<parameters>
  <...>
  <security>
   <...>
   <allow address="localhost"/> (1)
   <allow address="192.168.0.42"/> (2)
   <allow address="192.168.0.0/16"/> (3)
   <allow address="Hostname, IP Address or Subnet Mask"/>
   <...>
  </security>
  <...>
</parameters>

1	Allows the specified Hostname to access the Runtime.
2	Allows the specified IP Address to access the Runtime.
3	Allows any address of the specified Subnet Mask to access the Runtime.

Example 4. Disabled Hostname/IP Address Configuration

<parameters>
  <...>
  <security>
   <...>
  </security>
  <...>
</parameters>

You can also configure access restriction in an external file, referenced by a single tag in the engineParameters.xml configuration file. The path to this file is relative to the engineParameters.xml location.

Example 5. Hostname/IP Address configuration file reference

<!-- Security Configuration (users and IP/Hostname Filtering) -->
<security  file="./security-access.xml"/>

Example 6. Sample Hostname/IP address restriction configuration file (security-access.xml)

<security>
  <...>
  <allow address="localhost"/>
  <allow address="192.168.0.42"/>
  <allow address="Hostname or IP Address"/>
<security>