Security setup recommendations



Applies to the JEE platform.


Overview

When setting up Bizagi Engine in a production environment, there are additional security settings which Bizagi strongly recommends you implement in every project.

For a Bizagi project running on a JEE platform, these security settings are applied by adjusting settings related to the capabilities of the application server.

This procedure ensures quality of service through the inclusion of WS-Security policies.

 

This section illustrates how to harden your operating environment with such security settings.

 

Before you start

Keep in mind that for the Bizagi Work portal it is strongly recommended to use an HTTPS (SSL/TLS) configuration at your JEE application server.

 


When using HTTPS, consider editing the bizagi-config.properties file to include PROTOCOL="HTTPS".

This setting applies to the case links included in process notifications, so that they point to the HTTPS address.

 

The following recommendations are meant to provide enhanced security for your server and web services; they are optional.

When choosing to carry out security hardening with X.509 certificates, keep in mind that you will need:

Official X.509 certificates (as issued by an appropriate Certification Authority) for encryption purposes.

Such certificates should be valid and already installed.

Note that your platform administrator will require adequate expertise in this subject (certificates, their use and installation).

 

 

Security recommendations

These recommendations enhance the security of your complete service by covering the following aspects:

 

1. Creation of an Application Policy Set.

2. Creation of a Policy Set binding.

3. Configuration of certificates.

   a. Defining trusted certificates.

   b. Configuring the incoming messages signature.

   c. Configuring the outgoing messages signature.

   d. Configuring incoming messages decryption.

   e. Configuring outgoing messages encryption.

4. Attaching the Policy Set and assigning the bindings to the service provider.

 

Configuration

Follow these recommendations to implement additional security measures in your Bizagi operating environment.

The following example uses an IBM WebSphere Application Server.

 

1. Creation of an Application Policy Set

A policy set is a container for policy types related to Security and Reliable Messaging for Web Services. For more information, refer to IBM Knowledge Center.

 

Follow the next steps to create an Application Policy Set:

 

1. Open the Application policy sets option located at the left panel within the Services > Policy sets menu.


2. Select the Username WSSecurity default link and click the Copy button to make a copy of this Application policy set.

By default, this policy set encrypts the SOAP body, the signature and the username token.


3. Give a new name and description to the copy and click OK.

This will create a copy of a default WS-Security Application Policy Set template.


2. Creation of a Policy Set Binding

Here we configure the specific data associated with the policies defined for our web service.

 

Follow the next steps to bind an Application Policy Set:

 

1. Open the General provider policy set bindings option located at the left panel within the Services > Policy sets menu.


2. Select a Provider template called Provider sample and press the Copy button.


3. Give it a name and description and click the OK button.


3. Configuration of certificates

In order to configure WS-Security for your Bizagi web services, you need to modify the configuration copied from the templates in the previous steps to add your certificate information.

Before advancing with this configuration, make sure you read the following information:

Bear in mind that at this point you must have an official X.509 certificate (as issued by an appropriate Certification Authority) for encryption purposes.

Such certificates should be valid and already installed.

For illustration purposes, a key store called serverKeys.jks has been generated on the server side; it contains the private and public key of the server and the public key of the client.

The key store must be located in the ${USER_INSTALL_ROOT}\config\cells\<yourCellName>\ path.

 


For development and testing environments, self-signed certificates can be generated.

For testing purposes, the Java platform includes a tool called keytool, and some documentation is provided in case you want to generate a self-signed certificate with it. Because this is third-party software, generating the certificates is the client's responsibility.

For production environments, it is strongly recommended to use an official X.509 certificate (as issued by an appropriate Certification Authority).
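The following script is an added example (not Bizagi's or IBM's code) of building, with the JDK keytool mentioned above, a key store laid out like the serverKeys.jks described in this section: the server's own key pair plus the client's public certificate as a trusted entry. Everything in it is constructed for illustration: the aliases "server" and "client", the password "changeit", the distinguished names, and the self-signed certificates, which this page allows only for development and test environments. The listing parser and the verification function let you confirm the store's contents before pointing the WebSphere bindings at it.

```python
"""Build and verify a serverKeys.jks like the one this section describes,
using the JDK keytool. Added example, not Bizagi's or IBM's code; aliases,
password, names and self-signed certificates are constructed assumptions."""
import shutil
import subprocess
import tempfile
from pathlib import Path

KEYTOOL = shutil.which("keytool")  # None when no JDK is on the PATH

# Constructed 'keytool -list' output, used to demonstrate the parser offline.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

client, Oct 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AB:CD:EF
server, Oct 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 01:23:45
"""


def _keytool(*args: str) -> str:
    """Run one keytool command and return its standard output."""
    if KEYTOOL is None:
        raise RuntimeError("keytool not found: install a JDK and retry")
    done = subprocess.run([KEYTOOL, *args], capture_output=True, text=True, check=True)
    return done.stdout


def _genkeypair(keystore: Path, alias: str, cn: str, password: str) -> None:
    """Create a 2048-bit RSA key pair with a self-signed certificate (test use only)."""
    _keytool("-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
             "-sigalg", "SHA256withRSA", "-validity", "365",
             "-dname", f"CN={cn},O=Example,C=US",
             "-keystore", str(keystore), "-storetype", "JKS",
             "-storepass", password, "-keypass", password)


def build_example_keystores(workdir: Path, password: str = "changeit") -> Path:
    """Populate serverKeys.jks as the page describes and return its path."""
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    server_ks, client_ks = workdir / "serverKeys.jks", workdir / "clientKeys.jks"
    client_cer = workdir / "client.cer"
    # 1. Server private key plus its self-signed public certificate.
    _genkeypair(server_ks, "server", "bizagi-server.example.test", password)
    # 2. The client's private key stays in its own store; only its certificate travels.
    _genkeypair(client_ks, "client", "bizagi-client.example.test", password)
    _keytool("-exportcert", "-alias", "client", "-rfc", "-file", str(client_cer),
             "-keystore", str(client_ks), "-storepass", password)
    # 3. The client's public certificate becomes a trusted entry on the server side.
    _keytool("-importcert", "-alias", "client", "-file", str(client_cer), "-noprompt",
             "-keystore", str(server_ks), "-storepass", password)
    return server_ks


def parse_keytool_listing(listing: str) -> dict:
    """Map alias -> entry type from 'keytool -list' output. The date column
    varies with the locale, so only the alias and the entry type are read."""
    entries = {}
    for line in listing.splitlines():
        for kind in ("PrivateKeyEntry", "trustedCertEntry", "SecretKeyEntry"):
            if kind in line:
                entries[line.split(",", 1)[0].strip()] = kind
    return entries


def verify_server_keystore(keystore: Path, password: str = "changeit") -> bool:
    """True when the store holds exactly the server's private key and the
    client's trusted certificate, and nothing else."""
    listing = _keytool("-list", "-keystore", str(keystore), "-storepass", password)
    return parse_keytool_listing(listing) == {"server": "PrivateKeyEntry",
                                              "client": "trustedCertEntry"}


def build_and_verify_in_tempdir(password: str = "changeit") -> bool:
    """Build the stores in a scratch directory and verify the server store."""
    path = build_example_keystores(Path(tempfile.mkdtemp()), password)
    return verify_server_keystore(path, password)


if __name__ == "__main__":
    print("serverKeys.jks ok:", build_and_verify_in_tempdir())
```

Copy the resulting serverKeys.jks into ${USER_INSTALL_ROOT}\config\cells\<yourCellName>\ and keep clientKeys.jks on the client side only; the server never needs the client's private key, and a store that contains more entries than the verification expects is worth a second look before it is deployed.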

 

3.a. Defining trusted certificates

1. From the console, select the created configuration in the General provider policy set bindings option located at the left panel within the Services > Policy sets menu.


2. Select the option WS-Security > Keys and certificates, and within the Trust anchor section, create a new Trust anchor by selecting the New button.


3. Provide your key store information. The key store must be located at ${USER_INSTALL_ROOT}\config\cells\<yourCellName>\ServerKeys.jks (type the file name exactly as it was created, since file names are case-sensitive on Unix-like servers).


3.b. Configuration of the incoming messages signature

To guarantee that the key used by the caller is trustworthy, you must configure how the signature of inbound messages is verified. At this point an official X.509 certificate must be installed and properly configured; otherwise, first read how to define trusted certificates.

Follow the steps below to configure the incoming messages signature:

 

1. From the console, select the created configuration in the General provider policy set bindings option located at the left panel within the Services > Policy sets menu.


2. Select the WS-Security > Authentication and Protection option.


3. Within the Protection tokens section, select the con_signx509token. Then open the Callback handler link.


4. Choose the following options in the drop-down lists:

Certificate store: (none)

Trusted anchor store: ServerTrustStore

Then click OK.


3.c. Configuring outgoing messages signature

To correctly sign outbound messages follow these steps:

 

1. From the console, select the created configuration in the General provider policy set bindings option located at the left panel within the Services > Policy sets menu.


2. Select the WS-Security > Authentication and Protection option.


3. Within the Protection tokens section, select the gen_signx509token. Then open the Callback handler link.


4. Within the Keystore section, select Custom from the drop down list and click the Custom keystore configuration.


5. Here you must provide the data of the keys used:

Keystore: the key store data.

Key: the server public key data.


Then, click OK.

 

3.d. Configuring incoming messages decryption

Follow these steps to configure the decryption of inbound messages:

 

1. From the console, select the created configuration in the General provider policy set bindings option located at the left panel within the Services > Policy sets menu.


2. Select the WS-Security > Authentication and Protection option.


3. Within the Protection tokens section, select the con_encx509token. Then open the Callback handler link.


4. Within the Keystore section, select Custom from the drop down list and click the Custom keystore configuration.


5. Here you must provide the data of the keys used:

Keystore: the key store data.

Key: the server private key data.


Then, click OK.

 

3.e. Configuring outgoing messages encryption

Follow these steps to configure the encryption of outbound messages:

 

1. From the console, select the created configuration in the General provider policy set bindings option located at the left panel within the Services > Policy sets menu.


2. Select the WS-Security > Authentication and Protection option.


3. Within the Protection tokens section, select the gen_encx509token. Then open the Callback handler link.


4. Within the Keystore section, select Custom from the drop down list and click the Custom keystore configuration.


5. Here you must provide the data of the keys used:

Keystore: the key store data.

Key: the client public key data.


Then, press OK.

 

4. Attaching the Policy Set and assigning the bindings to the service provider

Once the Application Policy Set and the Policy Set Binding have been created, you must decide which web service this configuration applies to.

Follow these steps to configure a web service with the configurations done beforehand.

 

1. Open the Service providers option located at the left panel within the Services menu.

2. Select a resource that you want to make secure. For this example purposes select the resource EntityManagerSOAImplService.


3. Add the Application Policy Set and the Policy Set Binding previously created in steps 1 and 2.


The security setup is now complete; test your web service using the necessary credentials.
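When testing the secured service, it is worth checking that the protection the copied policy set is meant to apply (encrypted SOAP body, encrypted signature and encrypted username token) is actually what leaves the server and what the client sends. The script below is an added example, not Bizagi's or IBM's code: it inspects the structure of a captured SOAP 1.1 envelope (for instance one saved from a test client or a server trace) and flags anything still readable that the policy set should have encrypted, as well as dangling encryption references. It needs no keys because it only looks at the message layout; the two envelopes it ships with are constructed samples, one protected as expected and one sent in clear.

```python
"""Report which WS-Security protections are visible in a captured SOAP 1.1
envelope. Added example, not Bizagi's or IBM's code; both sample envelopes
are constructed and their cipher values are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Per the Username Token Profile, a wsse:Password with no Type is PasswordText.
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def _tag(prefix: str, local: str) -> str:
    return "{%s}%s" % (NS[prefix], local)


def _enc(data_id: str, kind: str) -> str:
    """Constructed xenc:EncryptedData element with a placeholder cipher value."""
    return (f'<xenc:EncryptedData Id="{data_id}" Type="http://www.w3.org/2001/04/xmlenc#{kind}">'
            '<xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>')


ENVELOPE_OPEN = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
                 f'xmlns:wsse="{NS["wsse"]}" xmlns:ds="{NS["ds"]}" xmlns:xenc="{NS["xenc"]}">')

# Body, signature and username token all replaced by EncryptedData, as the policy set intends.
PROTECTED_SAMPLE = ENVELOPE_OPEN + f"""
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1">
  <xenc:EncryptedKey Id="EK-1">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    <xenc:ReferenceList><xenc:DataReference URI="#ED-token"/><xenc:DataReference URI="#ED-sig"/>
      <xenc:DataReference URI="#ED-body"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  {_enc("ED-token", "Element")}
  {_enc("ED-sig", "Element")}
</wsse:Security></soapenv:Header>
<soapenv:Body>{_enc("ED-body", "Content")}</soapenv:Body>
</soapenv:Envelope>"""

# Same call with no encryption applied: credentials and payload readable on the wire.
UNPROTECTED_SAMPLE = ENVELOPE_OPEN + f"""
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1">
  <wsse:UsernameToken><wsse:Username>svc.bizagi</wsse:Username>
    <wsse:Password Type="{PASSWORD_TEXT}">constructed-password</wsse:Password></wsse:UsernameToken>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
</wsse:Security></soapenv:Header>
<soapenv:Body><getEntity xmlns="urn:example:constructed"><id>42</id></getEntity></soapenv:Body>
</soapenv:Envelope>"""


def check_protection(envelope_xml: str) -> dict:
    """Return the visible protections plus a list of findings (empty means OK)."""
    root = ET.fromstring(envelope_xml)
    findings = []

    # With content encryption applied, the Body may only contain EncryptedData.
    body = root.find("soap:Body", NS)
    children = list(body) if body is not None else []
    body_encrypted = bool(children) and all(c.tag == _tag("xenc", "EncryptedData") for c in children)
    if not body_encrypted:
        findings.append("SOAP Body is not encrypted")

    # Anything still readable in the header is a leak; an encrypted token or
    # signature is visible only as EncryptedData, which this check need not open.
    if root.find("soap:Header/wsse:Security", NS) is None:
        findings.append("no wsse:Security header")
    token_in_clear = root.find(".//wsse:UsernameToken", NS) is not None
    if token_in_clear:
        findings.append("UsernameToken is sent in clear")
    for pw in root.iter(_tag("wsse", "Password")):
        if pw.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT:
            findings.append("Password is sent as PasswordText")
    signature_in_clear = root.find(".//ds:Signature", NS) is not None
    if signature_in_clear:
        findings.append("ds:Signature is not encrypted")

    # Every DataReference in the EncryptedKey must resolve to an EncryptedData Id.
    enc_ids = {e.get("Id") for e in root.iter(_tag("xenc", "EncryptedData"))}
    if root.find(".//xenc:EncryptedKey", NS) is None:
        findings.append("no xenc:EncryptedKey in the Security header")
    for ref in root.iter(_tag("xenc", "DataReference")):
        target = ref.get("URI", "").lstrip("#")
        if target not in enc_ids:
            findings.append(f"DataReference #{target} has no matching EncryptedData")
    return {"body_encrypted": body_encrypted, "token_in_clear": token_in_clear,
            "signature_in_clear": signature_in_clear, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("protected", PROTECTED_SAMPLE), ("unprotected", UNPROTECTED_SAMPLE)):
        print(name, check_protection(sample)["findings"])
```

Run it against a message captured from your own test client rather than the samples; an empty findings list means the layout matches what the policy set should produce, while any finding points at a binding step in section 3 that did not take effect.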

 


The Bizagi SOA layer is tied to SOAP 1.0 and 1.1, so any security method based on these standards can be configured on an application server that can protect service providers.