Securing Services - Overview
The following section gives an overview of how to implement security for services. Individual steps are treated in more detail in the subsequent sections.
Setting up a Protected Service
To set up security for a particular service, it is necessary to create a protected service (enforcement point). This is done using the Administrator website. For additional information, see Administration of protected services.
Blocking Direct Access
After a WSS has been set up to provide secure access to a service, it does not necessarily mean that the original URL of the service has been blocked. There are several ways of protecting a service:
-
By installing the service on a separate web server which runs on a server without direct internet access, while the WSS runs on a server with internet access and with simultaneous access to the internal services server.
-
By installing the service on a separate web server which runs on the same computer as the WSS with internet access, but using its own port. This port is blocked from accessing the internet by implementing the appropriate network or firewall settings.
-
By configuring restricted access using the standard tools available on the respective web server. To do this, it is important to ensure that the WSS has unrestricted access to the protected service at all times, while all other processes and users (in particular in the internet) have no access.
-
Protecting against Direct Access in the Appendix of this document, contains specific instructions on how to implement security when using Microsoft Internet Information Services (IIS) or Apache Tomcat.
Setting up Users and Roles
The setting up of new users and roles for a secured service is optional, as existing users can be used. For further details on how to use the Administrator, see User administration.
Setting up Rights
The Administrator web application is used for setting up rights. A new policy set is created for the secured service in the Policy Management area. The resource to be entered is the URL of the service to be secured. For further details on how to use the Administrator, see Administration of rights.
Access via Gateway
The Gateway feature is deprecated and will be removed in future. |
The Gateway is set up in its own Tomcat context during installation.
To gain access, open a browser window and enter the address of the Gateway, for example https://<SERVER>/gateway
.
Then enter the following values in the ensuing dialog:
-
WSS-URL: URL of the WSS that is protecting the service, for which the gateway is to be created, for example
https://<SERVER>/wss/service/brd_wms/WSS
-
Username and password: enter the name of an account for which a role has been assigned and for which access policies have been entered in the policy manager for these services.
If the login is successful, the Gateway sets up temporary access specific to the account, for the secured service. The resulting gateway URL can be entered in any compatible client (for example Esri ArcMap for a secure WMS). For security reasons, the temporary access can be restricted to the externally visible IP address of the computer that invoked the dialog with which the gateway was created.
The Gateway is also available to all users with the role sM_Administrator in the Gates tab of the security.manager administration interface. Both temporary and persistent gates can be configured.