This article describes the best practices concerning security when installing and using Blueriq. 

Blueriq Studio

User management

When running the installer to install Blueriq Studio (Installer), 3 users are created:

...

Note
Please make sure to change the default password during installation.

After the typical / custom installation, the users are stored locally. Although the credentials are encrypted within Studio, it is advisable to authenticate against an Active Directory instead. This way, managing users is done outside Blueriq and you have more control over password and lockout policies. Also, the passwords are then stored in the Active Directory and not within Studio.

To install or change Blueriq Studio security and user management, please read this article: Studio

Since Blueriq 9.7 we've added Kerberos support, which is the protocol preferred by Microsoft over NTLM: Kerberos support

Securing the administration page

During installation of Studio, an administration console is also installed. Via this console it is possible to download or upload a Studio repository. The Studio repository contains the models and business logic so it is advisable to secure this console. This is done by following the steps in this article: Studio.

Encrypting a project export

In Studio, it is possible to export a project (.zip file) which can be deployed to the Blueriq Runtime (Export a project). It's advisable to check the "Encrypt" box before exporting so the .zip file does not contain the application model in plain text. Instead of exporting projects manually, Blueriq also provides an application called Blueriq Publisher which automates the distribution of applications over environments.

Blueriq Runtime

Installation

Installing the Blueriq Runtime is done by following the steps in one of the articles below:

Encrypting connection passwords

In a development environment, after installation, the first thing that needs to be done is connecting to a Blueriq Studio to retrieve projects. This can be done by editing the aquima.properties (R10: application-dev.properties) or via the development dashboard (Configure Studio connection). In R9 it is advisable to use the development dashboard to connect because this way the password is encrypted.  

Other connections like SOAP or REST connections which use authentication should also be configured using the development dashboard so these passwords are encrypted as well (Solutions for configurable web service location).

In R10, Blueriq provides a password encryptor which can be used without the development dashboard: Encrypting passwords with the BlueriqEncryptor.

Runtime protection

To make sure the Blueriq Runtime is fully protected against hacking attempts, please check that all the Security flags are enabled. Blueriq has a security-by-default policy, so after installation the Blueriq Runtime is configured to be as secure as possible. Although it is possible to disable these flags, this should be done with great care and with full awareness of the consequences.

Authentication

Out-of-the-box, Blueriq comes with an in-memory authentication provider. This default implementation should only be used for development purposes, as it stores the credentials in plain text on the filesystem. To configure an authentication provider for production purposes, please read Runtime Authentication and HTTP Security in Java Runtime.

Blueriq session & cookie

Blueriq Runtime and Publisher use the HTTP session to store data before it is persisted. As stated by OWASP, the session timeout should be set as low as possible (https://www.owasp.org/index.php/Session_Timeout). Depending on your infrastructure, it is possible to set the Secure flag of the cookie (https://www.owasp.org/index.php/SecureFlag).
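A quick way to verify that the Secure flag described above actually reaches the browser is to inspect the Set-Cookie headers the runtime emits. The following checker is an added example, not Blueriq code; it goes slightly beyond the text by also reporting a missing HttpOnly or SameSite attribute, and the header lines and session cookie names (JSESSIONID, SESSION) are constructed assumptions rather than values taken from a real installation.

```python
"""Check Set-Cookie headers for session-cookie hardening attributes.

Added example; the sample headers below are constructed, not captured from a
real Blueriq Runtime, and the session cookie names are an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: what a runtime behind TLS might send on login.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]

# Assumed names of the session cookie; adjust to the deployment being checked.
SESSION_COOKIE_NAMES = {"JSESSIONID", "SESSION"}


@dataclass
class CookieCheck:
    name: str
    missing: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and its attributes.
    Attribute keys are lower-cased; flag attributes map to an empty string."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.strip().split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_session_cookies(headers: List[str]) -> List[CookieCheck]:
    """Return one CookieCheck per session cookie, listing absent attributes."""
    results = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are outside the scope of this check
        check = CookieCheck(name)
        for attr in ("Secure", "HttpOnly", "SameSite"):
            if attr.lower() not in attrs:
                check.missing.append(attr)
        results.append(check)
    return results
```

Run it against headers captured from a browser's developer tools or a curl -i request to the login page; any session cookie whose check is not ok should be traced back to the session configuration articles.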

Both the session timeout and the secure flag can be configured by following the steps in the articles below:

 

...

Best practices about security can be found here: Security.