Security Considerations
Version 23.0.9145
This section discusses the following security measures that you need to consider when you install and configure CData API Server:
- SSL/TLS protocol
- secure passwords
- web-server process privileges
- firewall options
SSL/TLS Protocol
Note: As a best practice, you should enable SSL/TLS on your server.
The SSL/TLS protocol encrypts communication channels between a client and server. This protocol protects the confidentiality, authenticity, and integrity of data via public-key/private-key cryptography. In addition, through the use of digital certificates, TLS offers facilities for client-server identity confirmation.
To enable SSL/TLS on your server, choose the instructions below that match your environment.
.NET Edition
If you use the standalone server, see Embedded Server. If you use Microsoft Internet Information Services (IIS), see Configuration in IIS.
Cross-Platform Edition
For instructions about how to enable SSL/TLS, see the documentation for the Java servlet that you use to host API Server.
Secure Passwords
For best practices for storing passwords securely, see your web server’s documentation. Most web servers can store a password hash instead of the password itself, which is the more secure option.
The embedded web server stores the password in plaintext in the web.config file, which resides in the www folder. For details about how to change this file to store your password hash instead, see the ASP.NET documentation.
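A quick audit of the embedded server's web.config for plaintext credentials, as an added example (not CData's own code). The file's layout, the setting names in the constructed sample, and the convention that a hashed value starts with a "$alg$" prefix are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a web.config from the www folder (shape assumed,
# not copied from a real installation).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="AdminUser" value="admin" />
    <add key="AdminPassword" value="Summer2023!" />
    <add key="ApiPassword" value="$PBKDF2$100000$c2FsdA==$aGFzaA==" />
  </appSettings>
  <connectionStrings>
    <add name="Northwind" connectionString="Server=db;User Id=sa;Password=hunter2;" />
  </connectionStrings>
</configuration>
"""

# Setting names that usually hold a credential.
CRED_KEY = re.compile(r"(password|passwd|pwd|secret)", re.IGNORECASE)
# Heuristic (assumption): a stored hash is written as "$alg$..." rather
# than as the raw password; anything else under a credential key is plaintext.
HASHED_VALUE = re.compile(r"^\$[A-Za-z0-9_-]+\$")
# Password tokens embedded in connection strings.
CONN_PASSWORD = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.IGNORECASE)


def find_plaintext_credentials(config_xml: str) -> list[tuple[str, str]]:
    """Return (section, name) pairs for settings that hold a plaintext credential."""
    root = ET.fromstring(config_xml)
    findings = []
    for add in root.iterfind("./appSettings/add"):
        key, value = add.get("key", ""), add.get("value", "")
        if CRED_KEY.search(key) and value and not HASHED_VALUE.match(value):
            findings.append(("appSettings", key))
    for add in root.iterfind("./connectionStrings/add"):
        if CONN_PASSWORD.search(add.get("connectionString", "")):
            findings.append(("connectionStrings", add.get("name", "")))
    return findings


if __name__ == "__main__":
    for section, name in find_plaintext_credentials(SAMPLE_WEB_CONFIG):
        print(f"plaintext credential in <{section}>: {name}")
```

Run it against the real file with `ET.parse(path).getroot()` in place of the sample string, and treat every finding as a value to move into a hash or an external secret store.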
Process Privileges
For best practices about the user and roles under which the web-server process should run, see your web server’s documentation.
The embedded web server needs administrative privileges to configure TLS certificates for securely encrypting connections. You can change the user account under which the server runs by configuring it to run as a service and then changing the user account under which that service runs. Alternatively, you can host the application in IIS and run the server under any account.
Firewall
If you need your application to be accessible from outside of your network, you can use any of the following firewall options:
- Verify with your network administrator that you have a firewall in place that allows traffic to access the machine in a secure fashion.
- Deploy API Server in your demilitarized zone (DMZ) and ensure that your firewall is open between API Server and your data.
- Use the cloud gateway to create a reverse proxy in the DMZ, ensuring that no firewall rules are changed.
Whichever option you choose, you might want to restrict access to specific IP addresses or configure other filters in your firewall to limit access to the server.