Security Concept for AWI
The following outlines some basic techniques to secure AWI and the application server that runs it.
Hardening the Application Server Configuration
The application server is one of the most important components that influence the security of AWI. Several aspects should be considered when running AWI on an application server instance.
Usually a default installation comes with common security principles already in place.
You can follow additional steps to improve the overall security.
Common best practices when running any application server:
- The application server should never be run as a privileged user (root on UNIX; Administrator or Local System on Windows).
- The application server should never expose the name or version number of the software it runs (for example in HTTP headers or error pages).
- Only the applications that are actually required should be deployed on the server (i.e. no example or sample applications).
- The administration panel should be protected by a strong password.
- The file permissions of the application server should be restricted.
- HTTPS/SSL should be enabled and used instead of plain HTTP.
For further information, documentation and assistance, please consult the vendor of your application server:
- Apache Tomcat 8.0 Security How-to https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
- Apache Tomcat Security FAQ http://wiki.apache.org/tomcat/FAQ/Security
- Oracle WebLogic Server https://docs.oracle.com/cd/E24329_01/web.1211/e24418/toc.htm
- IBM WebSphere Application Server https://www.ibm.com/developerworks/websphere/zones/was/security/#hardening
Setting up HTTPS/SSL
SSL
Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a technology that allows web browsers and REST API clients to communicate over a secured connection.
Data being sent is encrypted by the sender, transmitted, and then decrypted by the receiver before processing.
It is a two-way process, so both endpoints (AWI and the browser) encrypt all traffic before sending data. This is especially important if sensitive data is transmitted (for example passwords, API keys, authentication tokens, customer data, etc.).
SSL Authentication
Another important aspect of SSL is authentication.
During the browser's initial connection attempt, the server presents a certificate that proves the site's identity. This prevents attackers from claiming the identity of the web server.
This is especially important if AWI is exposed outside the intranet.
Depending on your policy and application server, different steps are necessary.
For the SSL configuration you need to obtain an identity (a digital certificate and its private key).
AWI supports both self-signed certificates and certificates signed by a trusted CA. Note that a self-signed certificate must be explicitly trusted by every browser and REST client that connects, otherwise the authentication described above is lost.
Further information on the SSL web server configuration can be found in Securing Communication via SSL.
SSL/TLS Configuration
Depending on your application server, various steps are required to set up an SSL connection.
For details, refer to Securing Communication via SSL.
The vendors provide comprehensive step-by-step guides:
- Apache Tomcat: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
- Oracle WebLogic Server: http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG389
- IBM WebSphere Application Server: http://www.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/appcenter/t_ac_ssl_was_full.html
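The following audit script is an added example, not part of the AWI documentation or of Tomcat: it checks a Tomcat 8.0 CATALINA_BASE against the hardening points listed above (no sample applications, restricted file permissions, no software disclosure via the Server header, HTTPS instead of plain HTTP) and includes a constructed hardened server.xml with a TLS-only connector. Tomcat's directory layout, the attribute names, and both sample configurations are assumptions made for the example.

```python
# Added example (not from the AWI docs): audit a Tomcat 8.0 CATALINA_BASE
# against the hardening points above. Tomcat's layout (conf/server.xml,
# webapps/) is assumed; the sample configurations below are constructed.
import os, stat, tempfile
import xml.etree.ElementTree as ET

DEFAULT_APPS = ("examples", "docs", "manager", "host-manager")
def audit_tomcat(base):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for app in DEFAULT_APPS:  # deploy only what is required: no sample/admin apps
        if os.path.isdir(os.path.join(base, "webapps", app)):
            findings.append(f"default application '{app}' is still deployed")
    conf = os.path.join(base, "conf", "server.xml")
    if os.stat(conf).st_mode & (stat.S_IRWXG | stat.S_IRWXO):  # file permissions
        findings.append("conf/server.xml (holds keystorePass) is group/world accessible")
    # ElementTree discards XML comments, so the commented-out HTTPS connector
    # that ships in a stock server.xml is not mistaken for an enabled one.
    https_enabled = False
    for c in ET.parse(conf).getroot().iter("Connector"):
        port = c.get("port", "?")
        if c.get("SSLEnabled") == "true":
            https_enabled = True
        elif c.get("protocol", "HTTP/1.1").startswith("HTTP"):
            findings.append(f"connector on port {port} serves plain HTTP")
        if not c.get("server"):  # software disclosure via the Server header
            findings.append(f"connector on port {port} sends the default Server header")
    if not https_enabled:
        findings.append('no connector has SSLEnabled="true"')
    return findings

def make_sample_base(server_xml, apps=(), mode=0o600):
    base = tempfile.mkdtemp()  # constructed CATALINA_BASE for the audit
    for d in ["conf"] + [os.path.join("webapps", a) for a in apps]:
        os.makedirs(os.path.join(base, d))
    conf = os.path.join(base, "conf", "server.xml")
    with open(conf, "w") as f:
        f.write(server_xml)
    os.chmod(conf, mode)
    return base

# Stock-like server.xml: the HTTPS connector exists only inside a comment.
STOCK_XML = """<Server><Service name="Catalina"><Connector port="8080" protocol="HTTP/1.1"/>
  <!-- <Connector port="8443" SSLEnabled="true" scheme="https"/> -->
</Service></Server>"""
# Hardened server.xml: TLS 1.2 only, Server header overridden, no plain HTTP.
HARDENED_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
   server="AWI" keystoreFile="conf/awi.jks" keystorePass="CHANGE-ME"
   sslEnabledProtocols="TLSv1.2"/></Service></Server>"""
```

Run `audit_tomcat("/path/to/catalina_base")` against a real instance; the process owner (non-root) still has to be verified separately, since it is not visible in the configuration files.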