You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.


Technical knowledge assumed

This guide on HTTPS configuration and implementation assumes a foundational understanding of web security, networking, and server administration. The instructions provided are intended for individuals with technical expertise in these areas.

This page describes how to enable HTTPS for the Studio server to ensure secure and encrypted communication between the Studio server and its clients. The Studio server includes the Management Service. Examples of clients are: Blueriq Encore, Development Dashboard (Runtime), Blueriq Publisher, and the Blueriq Model Analyzer (BMA).

Approaching your Blueriq installation from within an internal network over HTTPS, as shown in the figure on the right, requires enabling HTTPS for the Blueriq site in Internet Information Services (IIS).

Figure 1

Enable HTTPS in Internet Information Services (IIS)

  1. Open Internet Information Services (IIS) Manager on the site where Blueriq is installed. 
  2. Select the Blueriq site and from the context menu, open the Bindings... dialog:


  3. Add a new binding of type 'HTTPS' and select the certificate you want to use. In this example, we use a self-signed certificate, which is not recommended in a production environment.


  4. Click on 'View' to check the 'Issued to' property of the certificate. In a real situation, the 'Issued to' field should be the host of your Blueriq deployment instead of localhost:


  5. Now select OK in both the 'Certificate' and 'Add Site Binding' dialogs.
  6. It is recommended but not required to remove any site binding of type 'HTTP' from the list of site bindings.
  7. To use HTTPS, go to the 'Issued to' host from step 4, using the https scheme. In this example, that is https://localhost/
    1. The URL for user management in Keycloak will be: https://localhost/Keycloak/admin/master/console/#/BlueriqStudio17 for Blueriq 17
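
A scripted version of steps 2 to 6, added here as an example and not part of the Blueriq documentation. It assumes the IIS WebAdministration module is available; the site name, host name and certificate thumbprint are placeholders to replace with your own values.

```powershell
# Added example. Site name, host name and thumbprint are placeholders.
Import-Module WebAdministration

$siteName   = 'Blueriq'                    # assumption: name of the IIS site
$hostName   = 'blueriq.example.internal'   # assumption: host that clients use
$thumbprint = '<CERTIFICATE-THUMBPRINT>'   # placeholder, take it from your certificate

# Step 3: find the certificate in the local machine's Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

# Step 4: the 'Issued to' check. The certificate must cover the host name,
# either exactly or through a single-label wildcard such as *.example.internal.
$parent  = ($hostName -split '\.', 2)[1]
$covered = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) | Where-Object {
    $_ -eq $hostName -or ($_.StartsWith('*.') -and $_.Substring(2) -eq $parent)
}
if (-not $covered) { throw "Certificate does not cover host '$hostName'" }

if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning 'Self-signed certificate: not recommended in production.'
}

# Step 3 (continued): add the HTTPS binding and attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
    (Get-WebBinding -Name $siteName -Protocol https -Port 443).AddSslCertificate($thumbprint, 'My')
}

# Step 6: report remaining plain HTTP bindings. Removing them is optional and
# changes the management service URL used by the runtime dashboard.
Get-WebBinding -Name $siteName -Protocol http | ForEach-Object {
    Write-Warning "HTTP binding still present: $($_.bindingInformation)"
}
# Remove-WebBinding -Name $siteName -Protocol http -Port 80   # assumption: port 80
```

Run it from an elevated PowerShell session on the IIS host.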

Establishing a connection from the runtime dashboard to the Studio server

If you have removed the HTTP binding in step 6, the URL of the management service has changed, which makes it likely that the runtime dashboard no longer displays the list of projects that are available in Blueriq Encore.

To fix this, the blueriq.studio.url property needs to be updated in the application-development-tools.properties file in the conf folder of the runtime.

There are two options:

  1. use the external port, e.g.: https://localhost/Studio/Server/Services/ManagementService

    If you are using a self-signed certificate, you will have to add this certificate to the Java truststore as explained here: Security: HTTPS

  2. use the internal port if the runtime is deployed on the same server as the Studio server (http://localhost:17093/Services/ManagementService for Blueriq 17)

Additional configuration for a reverse proxy

When you want to be able to approach Blueriq from an external network, you may want to take some extra security measures such as a reverse proxy and firewalls as shown in the figure below.

Running the Blueriq installation behind a reverse proxy requires the correct headers to be forwarded for Keycloak. To do so:

  1. Open Internet Information Services (IIS) Manager on the site where Blueriq is installed. 
  2. Select the Blueriq site and open 'URL Rewrite'
  3. Open 'ReverseProxy_Keycloak' and set the following headers in the 'Server Variables' section:
    1. HTTP_X_FORWARDED_HOST should be the hostname from which you approach the Blueriq installation
    2. HTTP_X_FORWARDED_PROTO should be https

Use the runtime behind a reverse proxy server

Additionally, read more about using the runtime behind a reverse proxy server here to configure the runtime dashboard so that it is able to retrieve the list of projects that are available in Blueriq Encore.
