Securing Access to AWI

The connection between the Automation Engine (the JCP) and AWI is secured through TLS/SSL. To secure the communication between AWI and the application server you can also use TLS/SSL. TLS/SSL allows web browsers and REST API clients to communicate over a secured connection because data is encrypted. By enforcing authentication, TLS/SSL also ensures that the site origin is what it claims to be.

Important! Although enabling TLS/SSL for the communication between AWI and the application server is optional, we strongly recommend that you enable it.

This topic provides a set of best practices. For details about how to secure the communication between AWI and the Automation Engine, and between AWI and the application server, see:

Best Practices

Usually, the default installation comes with common security principles already in place. This set of best practices helps you improve them:

  • Do not run the application server as a privileged user (root on UNIX or Administrator or Local System on Windows).

  • The application server should never expose running software and its version number.

  • Deploy only the applications that are required on the server (that is, no example applications).

  • Secure the administration panel using a strong password. 

  • Restrict the file permissions of the application server.

  • Enable HTTPS (TLS/SSL) and use it instead of plain HTTP.

  • Plugins and backend services

    • If you are using plugins that implement HTTPS to establish secure communication with the backend services, make sure that the AWI instance or the JVM you are using is configured to trust the certificates installed on the backend services.

    • Use certificates issued by a Certificate Authority that the JVM trusts by default.

    • If you need to use self-signed certificates, configure the AWI instance or JVM to trust the certificates by adding them to one of the following truststores:

      • Default JVM truststore

      • A different truststore

        Configure the AWI instance to use a different truststore.
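
A minimal audit of three items from the list above (privileged account, file permissions, version disclosure in response headers), added here as an example and not part of the vendor documentation. The function names, the install directory and the saved header file (captured, for instance, with `curl -sI`) are assumptions.

```shell
#!/bin/sh
# Added audit sketch, not vendor code. Usage (hypothetical path and account):
#   audit_appserver /opt/appserver appsvc headers.txt

# Succeeds if the account is one of the privileged ones named in the list.
is_privileged_user() {
    case "$1" in
        root|Administrator|SYSTEM|"Local System") return 0 ;;
        *) return 1 ;;
    esac
}

# Lists entries under $1 that every local user can modify (symlinks skipped).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Reads HTTP response headers on stdin and prints those that disclose a
# product version, for example "Server: Name/1.2".
leaky_headers() {
    tr -d '\r' | grep -iE '^(server|x-powered-by):.*[0-9]+\.[0-9]+' || true
}

# $1 = install directory, $2 = account the server runs as, $3 = header file.
# Prints one line per finding and returns non-zero if any check failed.
audit_appserver() {
    findings=0
    if is_privileged_user "$2"; then
        echo "FAIL user: server runs as privileged account '$2'"
        findings=$((findings + 1))
    fi
    ww=$(world_writable "$1")
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/FAIL perms: world-writable /'
        findings=$((findings + 1))
    fi
    leaks=$(leaky_headers < "$3")
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/FAIL banner: /'
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

The script only reports; tightening permissions and suppressing the server banner are done in the application server's own configuration.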
