Stambia versions 2.x, 3.x, S17, S18, S19 and S20 are reaching End of Support on January 15th, 2024. Please consider upgrading to the supported Semarchy xDI versions. See Global Policy Support and the Semarchy Documentation.



A Runtime installed with the default configuration can be accessed by anyone.

Any user can connect and perform operations on it, such as listing or executing sessions.

This behavior can be configured easily in the Runtime properties, which let you secure the connection through a user / password system with roles, and through hostname / IP restriction.

Prerequisites:

  • Stambia DI Designer S18.3.0 or higher
  • Stambia DI Runtime S17.4.0 or higher

 

Configuration

Activating the security

Open the <stambiaRuntime>/properties/engineParameters.xml file.

Then, uncomment or add the security node:

<security>
  <user anonymous="true" roles="Connect View"/>
  <user name="admin" uncryptedPassword="admin" roles="Admin"/>
  <user name="developer" uncryptedPassword="developer" roles="Connect View Execute"/>
  <user name="consult" uncryptedPassword="consult" roles="Connect View"/>
  <allow address="192.168.0.42"/>
</security>

 

User restriction

You can define as many "user" nodes as required, with the following syntax:

<user name="user01" password="encrypted password" uncryptedPassword="plain text password" roles="Connect View Execute"/>

 

The following roles are available:

| Role | Description |
|---|---|
| Connect | The user can connect to the Runtime (required). |
| View | The user can list and view all the sessions of the Runtime. |
| Execute | The user can execute deliveries on the Runtime. |
| Admin | The user has the full permissions on the Runtime. This is required for operations such as purging the sessions or scheduling deliveries. |

 

Notes:

  • Only one of "password" or "uncryptedPassword" should be set.
  • The password is encrypted with the encrypt <password> Runtime command.
  • The user restriction also applies to Stambia Published Web Services, which will require HTTP Basic Authentication.

 

About the Anonymous User:

An anonymous user can be set, to specify the permissions of the users that connect to the Runtime without specifying credentials.

<user anonymous="true" roles="Connect View"/>

 

When the anonymous user is set, it is therefore not mandatory to specify credentials when connecting.

The connected user will have the permissions of the anonymous user.

 

When the anonymous user is not set, specifying credentials when connecting is mandatory.

Anonymous connections will then be rejected.

 

  • Only one anonymous user can be set at a time.
  • Anonymous users are supported in Stambia DI Runtime S17.4.5 and higher.
  • The security node must contain at least one user, which can be a normal or anonymous user.

 

Hostname / IP restriction

You can also define as many "allow" nodes as required.

They are used to specify the hostnames / IP addresses allowed to connect to the Runtime.

If none are defined, all the addresses are authorized.

<allow address="hostname or IP address"/>

 

Note that until Runtime version S20.4.1, the filtering was applied only to RMI communications. Please use S20.4.1 or higher if you want it to be applied to HTTP communications as well.

Notes:

  • For the HTTP connection, the IP address restriction requires that the IP address be defined on the server in the runtime editor or on the host in the runtime metadata, in the Stambia DI Designer.
  • Refer to this article for more information.

Restart

That's it!

At the next restart, the Runtime's connection will be secured with the settings defined in the security node.
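
Before restarting, the security node can be checked against the rules described above. The following script is an added example, not part of the original article or of the Stambia tooling. The sample XML is constructed, and the checks for plain-text passwords, passwords equal to the user name, and an anonymous user holding Execute or Admin are this example's review policy, not rules enforced by the Runtime.

```python
import xml.etree.ElementTree as ET

# Constructed sample for this example: weak settings of the kinds discussed above.
SAMPLE = """<security>
  <user anonymous="true" roles="Connect View Execute"/>
  <user name="admin" uncryptedPassword="admin" roles="Admin"/>
  <user name="etl" password="ENCRYPTED-PLACEHOLDER" uncryptedPassword="x" roles="View"/>
</security>"""

def audit_security(xml_text):
    """Return a list of findings for the <security> node found in xml_text."""
    root = ET.fromstring(xml_text)
    sec = root if root.tag == "security" else root.find(".//security")
    if sec is None:
        return ["no security node: the Runtime can be accessed by anyone"]
    if sec.get("file"):
        return ["security node externalized: audit " + sec.get("file")]
    findings = []
    users = sec.findall("user")
    if not users:
        findings.append("security node must contain at least one user")
    if sum(u.get("anonymous") == "true" for u in users) > 1:
        findings.append("only one anonymous user can be set at a time")
    for u in users:
        is_anon = u.get("anonymous") == "true"
        who = "anonymous" if is_anon else u.get("name", "?")
        roles = set(u.get("roles", "").split())
        # Assumption: Admin (full permissions) implies Connect, as in the sample node.
        if not roles & {"Connect", "Admin"}:
            findings.append(who + ": Connect role is missing")
        # Review policy of this example: no execution rights without credentials.
        if is_anon and roles & {"Execute", "Admin"}:
            findings.append("anonymous: Execute/Admin granted without credentials")
        has_enc = "password" in u.attrib
        has_plain = "uncryptedPassword" in u.attrib
        if has_enc and has_plain:
            findings.append(who + ": both password and uncryptedPassword are set")
        elif has_plain:
            findings.append(who + ": plain-text password, use the encrypted form")
        if has_plain and u.get("uncryptedPassword") == u.get("name"):
            findings.append(who + ": password equals the user name")
    if not sec.findall("allow"):
        findings.append("no allow node: all addresses are authorized")
    return findings

if __name__ == "__main__":
    for finding in audit_security(SAMPLE):
        print(finding)
```

An empty list means none of these checks fired. The function accepts either a bare security node or a file that contains one at any depth.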

 

Externalizing the security configuration in another file

If needed, the security configuration can be moved to a file other than engineParameters.xml.

To do this, put your security node inside another file (a security.xml file, for instance).

Then, add or uncomment the following line in the engineParameters.xml file.

<security file="./security.xml"/>

 

Note

A sample is available in the <stambiaRuntime>/properties/samples/engineParameters/ folder of the Runtime.

 

That's it!

At the next restart, the Runtime's connection will be secured with the settings defined in this file.

 

Connecting to a secured Runtime from the Designer

To connect to a secured Runtime from your Designer, refer to this article.

 
