Securing Access to AWI
The connection between the Automation Engine (the JCP) and AWI is secured through TLS/SSL. To secure the communication between AWI and the application server you can also use TLS/SSL. TLS/SSL allows web browsers and REST API clients to communicate over a secured connection because data is encrypted. By enforcing authentication, TLS/SSL also ensures that the site origin is what it claims to be.
Important! Although enabling TLS/SSL for the communication between AWI and the application server is optional, we strongly recommend that you enable it.
This topic provides a set of best practices. For details about how to secure the communication between AWI and the Automation Engine, and between AWI and the application server, see:
- uc4config.xml - Configuring the Connection Between AWI and AE
- (AWI and the application server) Securing Access to AWI via TLS/SSL
Best Practices
Usually, the default installation comes with common security principles already in place. This set of best practices helps you improve them:
- Do not run the application server as a privileged user (root on UNIX or Administrator or Local System on Windows).
- The application server should never expose running software and its version number.
- Deploy only the applications that are required on the server (that is, no example applications).
- Secure the administration panel using a strong password.
- Restrict the file permissions of the application server.
- Enable HTTPS (TLS/SSL) and use it instead of plain HTTP.
- Plugins and backend services
  - If you are using plugins that implement HTTPS to establish a secure communication with the backend services, make sure that the AWI instance or the JVM you are using is configured to trust the certificates installed on the backend services.
  - Use certificates issued by a Certificate Authority that the JVM trusts by default.
  - If you need to use self-signed certificates, configure the AWI instance or JVM to trust the certificates by adding them to one of the following truststores:
    - Default JVM truststore
    - A different truststore
      Configure the AWI instance to use a different truststore.
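The following Python check is an added example, not part of the product or its documentation. It audits two of the practices above: version banners in HTTP response headers and world-writable files under the application server directory. The header names checked, the sample headers and the function names are assumptions made for illustration.

```python
import os
import re
import stat

# Headers that commonly carry product banners (general HTTP practice, not AWI-specific).
BANNER_HEADERS = ("server", "x-powered-by")
# A product token followed by a dotted version, e.g. "ExampleServer/1.2.3".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*[/ ]v?\d+(\.\d+)+")


def version_disclosures(headers):
    """Return (header, value) pairs whose value reveals a product and version."""
    found = []
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS and VERSION_RE.search(value):
            found.append((name, value))
    return found


def loose_permissions(root):
    """Return paths under root that any local user may write to (UNIX mode bits)."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            mode = os.lstat(path).st_mode
            # Symlink mode bits are not meaningful, so links are skipped.
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                flagged.append(path)
    return sorted(flagged)


# Constructed sample response headers, not captured from a real server.
SAMPLE_HEADERS = {
    "Server": "ExampleServer/9.0.1",
    "X-Powered-By": "ExampleRuntime 11.0.2",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for name, value in version_disclosures(SAMPLE_HEADERS):
        print(f"version disclosed in {name}: {value}")
    # "." stands in for the application server installation directory.
    for path in loose_permissions("."):
        print("world-writable:", path)
```

Pass the headers returned by your own AWI endpoint and the real installation path in place of the sample values.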