Corticon security best practices

Posted by Lauri Greenbaum on 23-Jan-2017 05:00

Hi,

Last year Estonia got its first Corticon instance and I was part of the project as technical consultant. We did the POC and it worked well and the client got what he wanted. Now the client has sent me lots of questions, but since it was my first POC and I have not had the experience to talk about best practices, I have come here to use the whole community's knowledge in answering the questions.

I do not want to overwhelm, so I will ask one by one :) The first question is about security best practices.

How do you set up security in Corticon? Currently anyone can deploy without a password and get data from Progress without a password. So what is the best practice for securing deployment and securing the data sent from OE to Corticon and back?

Lauri

All Replies

Posted by Gertjan Hendriks on 23-Jan-2017 05:09

Hi Lauri,

What version of Corticon did you implement at your customer?

Currently only version 5.6 provides authentication options for accessing the decision services:

documentation.progress.com/.../

User authentication for deployment can be found in the CcConfig.jar of Corticon Server. Open the jar by using WinZIP, 7ZIP or WinRAR and edit the file where the usernames and passwords are stored:

CcUsernamePassword.xml

As far as I know, only the user level admin is used in Corticon (please correct me if I'm wrong on this).

-Gertjan

Posted by Lauri Greenbaum on 23-Jan-2017 08:44

Progress® Corticon® Server & Studio 5.6 is in the licence :)

Thank you for the answer.

Do I understand correctly, that before 5.6, everyone was able to deploy, without any access rights asked?

Also, since only the user level admin is used in Corticon, would the correct approach be to have a special user that is only for Corticon, add it to CcUsernamePassword.xml and check for it in the OE backend?

Posted by Gertjan Hendriks on 23-Jan-2017 08:56

No, deployment from Corticon Studio to a Corticon Server is *with* access rights and is maintained via CcUsernamePassword.xml.

Invoking a Corticon Decision Service was previously without access rights asked.

To manage authentication for invoking a Corticon 5.6 Decision Service, please refer to the online documentation.

Posted by James Arsenault on 23-Jan-2017 09:25

Corticon's axis.war can be deployed using standard J2EE security practices; this has been true since inception. You can modify its web.xml to use whatever authority you want for basic authentication (e.g. LDAP) and define required roles for accessing endpoints (execute or admin).

In 5.6 we did not enhance axis.war; the work done was to make all the Corticon tooling support using basic authentication when accessing the server.
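As an added illustration of the web.xml approach James describes (this is example configuration written for this thread, not code from the Corticon product or from any poster): the standard Servlet-spec elements that put the `execute` and `admin` roles behind basic authentication. The URL patterns and realm name are assumptions to replace with the real endpoint paths of axis.war, and the user-to-role mapping lives in the servlet container's realm (LDAP or otherwise), not in this file.

```xml
<!-- Added example (not from the thread or the Corticon product): Servlet-spec
     security elements for axis.war's web.xml. URL patterns and realm name
     are assumptions; adjust them to the actual endpoint paths. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Callers of decision services must hold the "execute" (or "admin") role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Decision service execution</web-resource-name>
      <url-pattern>/services/*</url-pattern>   <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>execute</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Basic auth sends credentials base64-encoded, not encrypted:
         CONFIDENTIAL makes the container require HTTPS for these URLs. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Deployment and management endpoints: "admin" only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Server administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>      <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container's realm (for example an LDAP realm configured in the
       servlet container, not here) decides which users hold these roles. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Corticon</realm-name>          <!-- assumed realm name -->
  </login-config>
  <security-role><role-name>execute</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```

With these constraints in place, an OE client calling a decision service must send an Authorization header for a user in the `execute` role over HTTPS, which also covers the original question about protecting the data exchanged between OE and Corticon.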

This thread is closed