This article describes the best practices concerning security when installing and using Blueriq.
Blueriq Studio
User management
When running the installer to install Blueriq Studio (Installing Blueriq), three users are created:
- admin
- runtime
- administationpage
After a typical or custom installation these users are stored locally. Although their credentials are encrypted within Studio, it is advisable to authenticate against Active Directory instead: user management then happens outside Blueriq, password and lockout policies are enforced centrally, and the passwords themselves are stored in Active Directory rather than in Studio.
To install or change Blueriq Studio security and user management, please read this article: Studio Configuration
Since Blueriq 9.7, Kerberos is supported, which is the protocol Microsoft prefers over NTLM: Kerberos support
Securing the administration page
During installation of Studio, an administration console is also installed. Via this console it is possible to download or upload a Studio repository. Because the Studio repository contains the models and business logic, this console must be secured. This is done by following the steps in this article: Studio Configuration.
Encrypting a project export
In Studio, it is possible to export a project (a .zip file) which can be deployed to the Blueriq Runtime (Export a project). Check the "Encrypt" box before exporting so the .zip file does not contain the application model in plain text. Instead of exporting projects manually, Blueriq also provides an application called Blueriq Publisher, which automates the distribution of applications across environments.
Blueriq Runtime
Installation
Installing the Blueriq Runtime is done by following the steps in one of the articles below:
Please read these articles to learn more about the inner workings of the Blueriq Runtime (Blueriq Runtime, Developing with Blueriq Studio and Runtime). With the release of Blueriq 10 in Q1 2017, configuring the Blueriq Runtime changes considerably, so read R10 Configuration changes [editor] before migrating to R10.
Encrypting connection passwords
In a development environment, the first thing to do after installation is to connect to a Blueriq Studio to retrieve projects. This can be done by editing aquima.properties (R10: application-dev.properties) or via the development dashboard (Configure Studio connection). In R9, use the development dashboard to connect, because it stores the password encrypted; a password typed directly into the properties file is stored in plain text.
Other connections that use authentication, such as SOAP or REST connections, should also be configured via the development dashboard so that those passwords are encrypted as well (Solutions for configurable web service location).
In R10, Blueriq provides a password encryptor that can be used without the development dashboard (Encrypting passwords with the BlueriqEncryptor [editor]).
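A practical check for the advice above is to scan the Runtime's properties files for credential-looking keys whose values are still in plain text. The script below is an added example, not Blueriq's own code. It reads the java.util.Properties format (comments, `=` or `:` separators, backslash line continuations) and flags any key containing password, secret or similar whose value does not match the encrypted form. The `ENC(...)` wrapper used as the default encrypted form is a placeholder assumption, not Blueriq's real format; check the BlueriqEncryptor documentation for the actual form and pass the matching pattern as `encrypted_pattern`. The sample properties text is constructed for the example.

```python
"""Flag plain-text credentials in a Java .properties file.

Added example (not Blueriq code). The ENC(...) wrapper below is a
placeholder for "looks encrypted"; substitute the real BlueriqEncryptor
output format via the encrypted_pattern argument.
"""
import re
import sys
from typing import Iterator, List, Pattern, Tuple

# Keys whose values should never be stored in plain text (assumption: names like these).
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|credential)", re.IGNORECASE)

# Placeholder pattern for an encrypted value; replace with the real format.
DEFAULT_ENCRYPTED: Pattern[str] = re.compile(r"^ENC\(.+\)$")


def _continues(line: str) -> bool:
    """True when the line ends in an odd number of backslashes (properties continuation)."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def parse_properties(text: str) -> Iterator[Tuple[str, str]]:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, '=' or ':' or
    whitespace separators, and backslash continuations joined into one logical line."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is ignored on every physical line
        if _continues(line):
            buf += line[:-1]  # drop the continuation backslash, keep reading
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)  # file ended with a dangling continuation
    for line in logical:
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            yield m.group(1), m.group(2).rstrip()


def find_plaintext_credentials(
    text: str, encrypted_pattern: Pattern[str] = DEFAULT_ENCRYPTED
) -> List[str]:
    """Return the keys that look like credentials but hold an unencrypted, non-empty value."""
    findings: List[str] = []
    for key, value in parse_properties(text):
        if not SENSITIVE_KEY.search(key):
            continue
        if value == "":
            continue  # nothing stored, nothing leaked
        if encrypted_pattern.match(value):
            continue
        findings.append(key)
    return findings


# Constructed sample; not a real aquima.properties.
SAMPLE = """\
# constructed sample aquima.properties, not a real configuration
studio.url=http://studio.example.internal/
studio.username=runtime
studio.password=ENC(c2FtcGxlLWNpcGhlcnRleHQ=)
# REST connection configured by hand instead of via the development dashboard:
connection.rest.crm.url=https://crm.example.internal/api
connection.rest.crm.password=Welcome01
connection.soap.hr.password = s3cr\\
   et-split-over-two-lines
connection.soap.hr.username: hr-service
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    for key in find_plaintext_credentials(text):
        print(f"plain-text credential: {key}")
```

Run it against the real file with `python scan_properties.py /path/to/aquima.properties`; with no argument it scans the constructed sample and reports the two hand-edited connection passwords, including the one split over two lines. Properties files are read as Latin-1 because that is the encoding `java.util.Properties.load` uses for them.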
Runtime protection
To keep the Blueriq Runtime hardened against attacks, check that all security flags are enabled. Blueriq follows a security-by-default policy, so after installation the Runtime is configured as securely as possible. Although these flags can be disabled, do so only with great care and with a clear understanding of the consequences; a disabled flag should be a documented, deliberate exception.
Authentication
Out of the box, Blueriq comes with an in-memory authentication provider. This default implementation should only be used for development, because it stores the credentials in plain text on the filesystem. To configure an authentication provider for production use, please read Runtime Authentication [editor] and HTTP Security in java Runtime [editor].
Blueriq session & cookie
Blueriq Runtime and Publisher use the HTTP session to store data before it is persisted. As OWASP recommends, set the session timeout as low as the application allows (https://www.owasp.org/index.php/Session_Timeout). Depending on your infrastructure it is possible to set the Secure flag of the session cookie (https://www.owasp.org/index.php/SecureFlag). A cookie marked Secure is only sent over HTTPS, so set the flag only when the Runtime is reached over TLS (directly or through a TLS-terminating proxy); on a plain-HTTP deployment the browser will not return the cookie and the session is lost on every request.
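To verify the cookie settings on a running Runtime rather than trusting the configuration, inspect the Set-Cookie headers it sends. The script below is an added example, not Blueriq's own code, and it goes slightly beyond the paragraph above: besides the Secure flag it also checks HttpOnly and SameSite, and it reports the reverse problem (Secure set on a plain-HTTP deployment). It assumes the session cookie is named `JSESSIONID`, the default in Java servlet containers; if the Runtime uses another name, add it to `SESSION_COOKIE_NAMES`. The sample headers are constructed for the example; the optional live fetch is only used when a URL is passed on the command line.

```python
"""Audit the session cookie flags in Set-Cookie headers.

Added example (not Blueriq code). Assumes the session cookie is called
JSESSIONID (servlet-container default); extend SESSION_COOKIE_NAMES if needed.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Cookie names treated as the session cookie (assumption: servlet default).
SESSION_COOKIE_NAMES = {"jsessionid"}


@dataclass
class Cookie:
    name: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased attribute -> value


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into the cookie name and its attributes.
    Flag attributes (Secure, HttpOnly) get the value None."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return Cookie(name, attrs)


def audit(set_cookie_headers: List[str], scheme: str) -> List[str]:
    """Return a finding per weakness on the session cookie, given the URL scheme
    the browser uses to reach the Runtime ('http' or 'https')."""
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in SESSION_COOKIE_NAMES:
            continue  # only the session cookie carries the session identifier
        if "httponly" not in cookie.attrs:
            findings.append(f"{cookie.name}: missing HttpOnly (cookie readable by script, e.g. after an XSS)")
        if "secure" not in cookie.attrs:
            if scheme == "https":
                findings.append(f"{cookie.name}: missing Secure on an HTTPS deployment")
        elif scheme == "http":
            # The caveat from the text: Secure over plain HTTP means the browser never
            # returns the cookie, so every request starts a fresh session.
            findings.append(f"{cookie.name}: Secure set but served over plain HTTP; the browser will not return the cookie")
        samesite = cookie.attrs.get("samesite")
        if samesite is None or samesite.lower() == "none":
            findings.append(f"{cookie.name}: SameSite not set to Lax or Strict")
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Live check: perform one request and return every Set-Cookie header, also on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


# Constructed sample response headers, not captured from a real deployment.
SAMPLE_HEADERS = [
    "JSESSIONID=0F3A5C9D1E2B4A6F; Path=/Runtime; HttpOnly",
    "theme=light; Path=/",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        url = sys.argv[1]
        headers, scheme = fetch_set_cookie_headers(url), urlsplit(url).scheme
    else:
        headers, scheme = SAMPLE_HEADERS, "https"
    for line in audit(headers, scheme) or ["no findings"]:
        print(line)
```

Usage: `python cookie_audit.py https://runtime.example.internal/Runtime/` (the host name is a placeholder). Without an argument the constructed sample is audited and reports a missing Secure flag and a missing SameSite attribute. Run the live check from the same network position as the users' browsers, because a TLS-terminating proxy in front of the Runtime is exactly the case where the scheme the Runtime sees differs from the one the browser uses.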
Both the session timeout and the secure flag can be configured by following the steps in the articles below: