Security recommendations for production environment

There are considerations for security that you need to implement for your GAS installation in a production environment, such as what directories users can access.

Use the following list to ensure that your GAS is properly secured for users who interact with the GAS, and that users who run Genero applications on the GAS have the right level of access. You can simplify your security responsibilities as long as you adhere to good practice around system security and follow these recommendations.
  • Limit user access to the machine where the GAS is running.

  • Ensure the GAS installation directory ($FGLASDIR) and application data (appdata) directory are protected. At a minimum, restrict global access to these directories to their owner.

    For example, if the user allowed to start the dispatcher is the directory owner, the permission should initially appear as "drwx------" in directory listings in UNIX®/Linux®-like systems.

    Grant additional access to directories based on the administrative tasks a user will perform. For example, a user allowed to start the dispatcher (fastcgidispatch or isapidispatch) must have read, write, and execute access to specific directories within $FGLASDIR.

    To have different users with different access rights, use groups to organize your users and grant rights to the groups on the required directories. For example, create a group that can launch the dispatcher and permission that group accordingly; create a group for users who deploy applications and permission the group accordingly; and so on. For more details on setting permissions on directories, see Administrative groups permissioning.

  • In the GAS configuration file (as.xcf), set the LOG element to ERROR and WARNING only. The GAS logs may include sensitive or personal user data gathered during the normal course of running applications; access to these logs must be managed and protected.

  • In the GAS configuration file (as.xcf), ensure the SEND_VERSION element is set to FALSE. The SEND_VERSION configuration element controls the sending of the X-FourJs-Version header with the GAS version number to the user agent. By default dispatchers do not sent this header to avoid security issues.

  • Restrict access to the Genero demo web services and applications bundled with the Genero BDL installation. These demos should not be available to users.
    Note:

    By default, access to the Genero BDL Demos applications is allowed only to localhost (127.0.0.1). If you want to enable it for other client machines / IP addresses, you must define access in the ACCESS_CONTROL element.

  • Ensure there is no sensitive data in the GAS public directory ($FGLASDIR/web) and in the directory specified by DOCUMENT_ROOT.
  • For secure data exchange, use HTTPS by setting the SESSION_COOKIE "Secure" attribute to true: <SESSION_COOKIE Secure="TRUE">
  • Limit connection to the dispatcher entry point (port 6394 by default) to a specific server, like the Web server. Configure the dispatcher to only accept connections on one IP address by setting the LISTEN element. For example:
    <LISTEN>
      <ADDRESS>192.127.45.17</ADDRESS>
    </LISTEN>
  • If using the /monitor URL to view information on the status of the GAS dispatcher and on active applications, limit access to specific IP addresses by setting the MONITOR element. For example,
    <MONITOR>
      <ALLOW_FROM>127.0.0.1</ALLOW_FROM>
      <ALLOW_FROM>192.168.</ALLOW_FROM>
    </MONITOR>
    Note:

    The monitor page provides access to dispatcher and proxy / VM log files, which may contain some sensitive information. Access to the page must be restricted.

  • Ensure users executing applications have access limited to running the DVM and any needed program files and resources. For more information on managing user access rights, see Managing user access rights.

Administrative groups permissioning

The GAS has several types of administrators, and each type of administrator will require access to different directories within $FGLASDIR. Four Js recommends that you create groups to represent each type of administrator, allowing you to manage access permissions at the group level.

Note:

How permissions are granted and viewed for a directory will vary according to the operating system. For example, if read, write, and execute permissions are granted to the owner of the directory, and read and write permissions were granted to the group to which the directory belongs, the permission would appear as "drwxrw----" in directory listings in UNIX/Linux-like systems. See your operating system documentation for information on working with groups and managing file permissions.

These are the administrative types for the GAS; they represent the groups you should create.

Users allowed to start the dispatcher (fastcgidispatcher or iisdispatcher)
Grant read, write, and execute permissions to the group for the directories:
  • $FGLASDIR/bin
  • $FGLASDIR/lib
Users allowed to administer the dispatcher
Grant read and write permissions to the group for the directories:
  • $(res.appdata.path)/log
  • $(res.appdata.path)/session
  • $(res.appdata.path)/tmp
Users allowed to deploy Genero applications or services
Grant read and write permissions to the group for the directories:
  • $(res.path.app); set to $(res.appdata.path)/app by default.
  • $(res.path.services); set to $(res.appdata.path)/services) by default.
  • $(res.deployment.root); set to $(res.appdata.path)/deployment by default.
Users allowed to deploy Genero Browser Clients
Grant read and write permissions to the group for the directory:
  • $(res.gbc.deployment); set to $(res.appdata.path)/gbc_deployment by default.

Managing user access rights

When the Genero Application Server starts an application, the user needs to have rights to execute the DVM and access any needed program files and resources.

The fglrun process executes in the context of the operating system user running the Genero Application Server. Generally, this is the user running IIS when using the ISAPI connector or the user running Apache when using the FastCGI connector. You must ensure that a user has the permissions needed to:
  • Execute the DVM fglrun program
  • Access any needed DVM resources (ODI add-ons, configuration files, and so on)
  • Access any needed program files and resources (42r files, 42m files, 42f files, and so on)