Each DataHub installation should be writable only by system administrators. Users
should have only read permissions on the installation directories. The default
installation folder is within the C:\Program Files\ tree, which
already has these permission settings.
Every running DataHub instance reads and stores its configuration in a configuration
folder. This folder can contain sensitive information such as user names and passwords.
In addition, the configuration folder determines which scripts will run when the
DataHub instance starts, and those scripts have access to the operating system and file
system. The configuration folder should allow read and write access
only to system administrators and the user account under which the DataHub instance
will run. The default configuration folder is located within the
C:\Users\ tree, which already has reasonable permission
settings.
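
One way to verify the folder permissions described above, as an added example that is not part of the DataHub product or its documentation: this PowerShell script reports any principal outside an expected list that can write to the installation folder or has any access to the configuration folder. The folder paths, the service account and the baseline list of administrative SIDs are assumptions to adjust for your system.

```powershell
# Added example (not vendor code): report principals with unexpected access to
# the DataHub installation and configuration folders.
param(
    [Parameter(Mandatory)][string]$InstallDir,      # placeholder: your installation folder
    [Parameter(Mandatory)][string]$ConfigDir,       # placeholder: your configuration folder
    [Parameter(Mandatory)][string]$ServiceAccount   # account the DataHub instance runs as
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Assumed administrative baseline, as well-known SIDs (locale independent).
$adminSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0',        # CREATOR OWNER (inherit-only ACE on default folders)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
$serviceSid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate($sidType).Value

# Bits that allow changing content, permissions or ownership. The generic bits
# are included because inherit-only ACEs can be stored as GENERIC_WRITE or GENERIC_ALL.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

function Get-UnexpectedAce {
    param([string]$Path, [int]$Mask, [string[]]$AllowedSids)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }              # Deny ACEs grant nothing
        if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }  # no right of interest
        if ($AllowedSids -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Installation folder: nobody but administrators may write (reading is fine).
# Configuration folder: no access at all except administrators and the service account.
$findings = @(
    Get-UnexpectedAce -Path $InstallDir -Mask $writeBits -AllowedSids $adminSids
    Get-UnexpectedAce -Path $ConfigDir  -Mask (-1)       -AllowedSids ($adminSids + $serviceSid)
)
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }
```

The script inspects only the ACL on each folder itself, so files or subfolders carrying their own explicit entries need a separate recursive pass.
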
In Tunnel/Mirror Master options:
Disable Accept plain-text connections on service/port.
Install a valid certificate issued by a recognized certification authority (CA). Use either a third-party CA like Verisign, or create your own CA. Install the certificate into the Windows Trusted Root Certification Authorities certificate store on this machine.
Create a new user by entering a UserName and Password.
Add that user to the BasicConnectivity and HTTP groups. Do not add the user to the Admin or RemoteConfig groups unless the user needs the ability to modify the DataHub configuration.
Disable all groups for the users: Anonymous, TCP, and Mirror.
In the Web Server options, if you plan to connect via WebSocket:
Select .
Select your SSL certificate file in the SSL certificate file entry field. It is OK to use the same certificate that you used in Tunnel/Mirror Master options (above).
Install your CA certificate (see above) into the Windows Trusted Root Certification Authorities certificate store on this machine.
For each connection:
Enable Secure (SSL).
Enable Reject invalid certificate.
Enable Reject host name mismatch.
Specify the Remote user name and Remote password as configured in the Tunnel Master Security Permissions (see above).