Last year Estonia got its first Corticon instance and I was part of the project as technical consultant. We did the POC and it worked well and client got what he wanted. Now the client sent me lots of questions, but since it was my first POC and I have not had the experience, to talk about best practices, I have come here to use the whole community knowledge in answering the questions.
I do not want to overwhelm, so I will ask one by one:), so the first question is about security best practices
How to set up security in Corticon, currently anyone can deploy without password and get data from Progress without password. So what is the best practice in securing deploying and securing sending data from OE to Corticon and back.
What version of Corticon did you implement at your customer?
Currently only version 5.6 provides authentication-options for accessing the decision services:
User authentication for deployment can be found in the CcConfig.jar of Corticon Server. Open the jar by using WinZIP, 7ZIP or WinRAR and edit the file where the usernames and passwords are stored:
As far as I know, only user level admin is used in Corticon (please correct me if I'm wrong on this)
Progress® Corticon® Server & Studio 5.6 is in the licence:)
Thank you for the answer.
Do I understand correctly, that before 5.6, everyone was able to deploy, without any access rights asked?
Also, only user level admin is used in Corticon, so correct would be to have some special user, that is only for Corticon, add it to CcUsernamePassword.xml and check for it in OE backend?
No, deployment from Corticon Studio to a Corticon Server is *with* access rights and is maintained via CcUsernamePassword.xml.
Invoking a Corticon Decision Service was previously without access rights asked.
To manage authentication for invoking a Corticon 5.6 Decision Service please refer to the online documentation.
Corticon's axis.war can be deployed using standard j2ee security practices; this his been true since inception. You can modify it's web.xml to use whatever authority you want for basic authentication (ex ldap) and define required roles for accessing endpoints (execute or admin).
In 5.6 we did not enhance axis.war; the work done was to make all the Corticon tooling support using basic authentication when accessing the server.
James Arsenault | Product Development | Progress Software email: email@example.com | direct: 781-280-4934