Security Considerations

Version 22.0.8500


Security Considerations

Version 22.0.8500


This section discusses security measures to consider when installing and configuring the API Server.

SSL/TLS

Note: It is strongly recommended that you enable SSL/TLS on your server.

SSL/TLS encrypts communication channels between a client and server. This protocol protects the confidentiality, authenticity, and integrity of data via public-key/private-key cryptography. In addition, through the use of digital certificates, TLS offers facilities for client/server identity confirmation.

To enable TLS on your server, choose the instructions below that match your environment.

Windows

If you are using the stand-alone server, see Embedded Server. If you are using IIS, see Configuration in IIS.

Java

Refer to the documentation for the Java servlet you are using to host the API Server for instructions on how to enable TLS.

Secure Passwords

Refer to your web server’s documentation for the best practices for storing passwords in a secure manner. Most web servers have the option to store a password hash as opposed to the password itself, which is a more secure option when storing passwords.

The embedded web server stores the password in plaintext in the web.config file inside the www folder. Refer to ASP.NET’s documentation for information on changing this to store the user’s password hash instead.

Process Privileges

Refer to your web server’s documentation for best practices for what user and roles the web server process should run under.

The embedded web server needs administrative privileges to configure TLS certificates for securely encrypting connections. You can change the user account it runs under by configuring it to run as a service and changing the user account that the service runs under. Alternatively, you can host the application in IIS and run the server under any account.

Firewall

If your application needs to be accessible from outside of your network, the following options are available for you:

  • Talk with your network administrator to ensure you have a firewall in place that allows traffic to access the machine in a secure fashion.
  • Deploy the API Server in your demilitarized zone (DMZ) and ensure that your firewall is open between the API Server and your data.
  • Use the Cloud Gateway feature to create a reverse proxy in the DMZ, ensuring that no firewall rules are changed. Whichever option you choose, you may want to restrict access to specific IP addresses or configure other filters in your firewall to limit access to the server.