End-to-end security for a WSA

Posted by Tim Kuehn on 15-Sep-2015 09:49

I've got a WSA on a server, and multiple clients that call it, and the whole system is under the customer's control.

The system uses a username/password style "in the clear" (ie plaintext), and now that it's working I would like to secure the connection from prying / snooping eyes. 

What would be the appropriate mechanism to accomplish this goal? 

All Replies

Posted by Mike Fechner on 15-Sep-2015 09:53

https/ssl on the web server (Tomcat)?

Posted by TheMadDBA on 15-Sep-2015 10:34

What Mike said.... also enable SSL connections for the appservers

See these two KB entries for a start:

knowledgebase.progress.com/.../P122519

knowledgebase.progress.com/.../P163118

Posted by Tim Kuehn on 15-Sep-2015 11:11

What are the maintenance implications of using SSL certs?

Has anyone done SSH tunneling and could relate what that experience was like?

Posted by Brian K. Maher on 15-Sep-2015 11:15

Tim,
 
Figured I would throw this out there ... just my personal belief, but trying to "bolt on" security after the fact seldom works well.  Security needs to be built in from the very beginning of the design phase.
 
Brian

Posted by Tim Kuehn on 15-Sep-2015 11:36

Brian - I agree - though I'm wondering what I should be looking at then? If I was working on an application with various roles and things like that, then yes - bolt-on-after-the-fact would be a disaster. In this case the basic structure is a single server hosting a WSA with various clients polling it over the internet on a periodic basis. The customer controls both ends of the WSA call, so I'm thinking as long as I secure the end-points and the pipe in a manner similar to how SSL, SCP or SFTP works, I'll be good.
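The client side of what Tim sketches above (secure the end-points and the pipe, the way SSL/SCP/SFTP do), written out as an added Python example. This is not code from the thread, from Progress, or from an OpenEdge ABL client; it stands in for whatever the polling clients are written in. The WSA URL, the CA file path and the SOAP envelope are placeholders and constructed sample data. The points it makes are the ones the replies raise: the credentials only ever go out over HTTPS, the server certificate is verified against the customer's own CA (the customer controls both ends, so there is no reason to trust the whole public trust store), and TLS 1.2 is the floor.

```python
"""Hardened WSA client call: HTTPS only, server certificate verified against
the customer's own CA, TLS 1.2 minimum, Basic-auth credentials never sent
in the clear.  Added example, not code from the thread or from Progress."""

import base64
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Constructed sample request; a real WSA call would carry the real operation.
SAMPLE_SOAP_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><Poll xmlns="urn:example-wsa"/></soap:Body>
</soap:Envelope>"""


class InsecureTransport(Exception):
    """Raised when a caller tries to send credentials over a non-TLS URL."""


def require_https(url: str) -> str:
    """Refuse anything that is not https: the username/password must never
    leave the client over a plaintext connection, not even by misconfiguration."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise InsecureTransport(
            f"refusing to send credentials over {scheme or 'no scheme'}: {url}")
    return url


def build_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context.  With ca_file set, only certificates issued by
    the customer's own CA are accepted (a private CA is the assumption here);
    with ca_file=None the system trust store is used.  Hostname checking and
    CERT_REQUIRED are kept on, and anything below TLS 1.2 is rejected."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic is only base64, not encryption; it is safe solely because the
    transport underneath it is TLS (see require_https)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(url: str, username: str, password: str,
                  soap_body: bytes) -> urllib.request.Request:
    """Assemble the POST; the https check runs before the credential is attached."""
    require_https(url)
    req = urllib.request.Request(url, data=soap_body, method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def call_wsa(url: str, username: str, password: str, soap_body: bytes,
             ca_file: Optional[str] = None, timeout: float = 30.0) -> bytes:
    """Perform the call through an opener bound to the hardened TLS context."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=build_tls_context(ca_file)))
    with opener.open(build_request(url, username, password, soap_body),
                     timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder endpoint and CA path; no network call is made here.
    wsa_url = "https://wsa.customer.example/wsa/wsa1"
    req = build_request(wsa_url, "svcuser", "s3cret", SAMPLE_SOAP_BODY)
    print("would POST to", req.full_url, "with", req.get_header("Authorization"))
    try:
        build_request("http://wsa.customer.example/wsa/wsa1", "svcuser", "s3cret",
                      SAMPLE_SOAP_BODY)
    except InsecureTransport as exc:
        print("blocked:", exc)
```

Pinning to the customer's CA rather than the system store is what makes the "customer controls both ends" argument hold: a certificate from any other issuer, however public, is rejected. It also means the maintenance question is concrete: the CA certificate has to be distributed to every polling client, and when the server certificate is renewed it must still chain to that CA or the clients stop connecting.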

Posted by TheMadDBA on 15-Sep-2015 11:55

Maintenance of the certs would depend on how often (if ever) you would want to change the certificates. It should be something you would do every year at the most, probably once every few years.

Security in the app side would depend on how easy it would be for one customer to change part of the request mechanism to access other customers data. And if you have sensitive data stored in a database.

Without knowing more about the app it would be hard to say. Assuming there is a database involved... transparent data encryption, tight database user control and dbauthkey branded code and database would be a good start.
