The center of a Corticon deployment is its Corticon Servers, where you deploy Decision Services. Configuring basic authentication on the Corticon Servers controls which users and external processes can call Decision Services or perform administrative operations. You can extend authentication to use LDAP directory services.
When administrators use the Corticon Web Console to manage and monitor any Corticon Servers that are configured for basic authentication, each server definition must include the username and password that the Web Console can present to authenticate on the managed server. When accessing the Web Console from a browser, you must supply username/password credentials.
When developers deploy Decision Services from Corticon Studio, they can either deploy directly to a Corticon Server or to a Web Console which will then deploy the Decision Service to one or more Corticon Servers on your behalf. If using the Web Console to manage your deployment, you should deploy through it. In either case, you need to provide credentials and have administrative rights to perform a deployment.
When system integrators use Corticon REST and SOAP APIs to access a secured server, the connection information must have valid credentials before any calls to a Decision Service are allowed.
Note: The Corticon Server installer bundles an instance of the Progress® Application Server (PAS) for the Corticon Java Server and for Corticon Web Console. PAS is an instance of Tomcat 8 that has been hardened to remove known vulnerabilities. You can choose to deploy with this application server or a preferred, supported application server. While the documentation assumes PAS deployment, the principles presented can be applied to other application servers.
Configuring Corticon Server authentication
Configuring basic authentication for a Corticon Server is done through the web.xml file in Corticon Server's axis.war file. This file is the deployment descriptor for the Corticon Server when deployed to an application server. Within it, you configure authentication for accessing the Corticon Server.
By default, basic authentication is not enabled and Corticon uses the user definitions in the tomcat-users.xml file, a plain text file located in the application server's conf folder. For production deployments, it is recommended that you enable basic authentication and define security constraints for accessing the Corticon Server. The specifics vary with your requirements and your authentication service.
The bundled web.xml file contains a commented-out section showing common settings. Typically you want to define security constraints to limit the ability to call a Decision Service or perform administrative actions to authenticated users with specific defined roles.
Note: You are able to configure the role required to call a Decision Service but you cannot refine this to specific Decision Services. If a user can call any Decision Service, they can call them all.
Uncommenting the sample basic authentication configuration in web.xml and restarting the Corticon Server enables basic authentication for ALL calls to the Corticon Server. You can restrict defined user roles to specified URLs, as described in Securing Server endpoints.
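The following web.xml fragment is an added example of the kind of security constraint described above; it is not the commented-out sample bundled with Corticon. The role name corticon-user, the realm name and the use of /* as the URL pattern are assumptions: substitute the roles defined in your realm (the tomcat-users.xml file by default) and narrower URL patterns where you want to restrict roles to specific endpoints.

```xml
<!-- Added example, not the sample shipped in Corticon's web.xml.
     The role name "corticon-user", the realm name and the url-pattern are
     assumptions; align them with the roles your realm actually defines. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Corticon Server</web-resource-name>
    <!-- /* protects every call to the web application, which is the effect
         of uncommenting the bundled sample. Omitting <http-method> means
         every HTTP method is constrained, not just the ones listed. -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users holding this role may call the server.
         As noted above, the role gates all Decision Services, not
         individual ones. -->
    <role-name>corticon-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic authentication transmits the credentials base64-encoded, not
         encrypted, so require TLS for the protected resources. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Corticon Server</realm-name>
</login-config>

<!-- Every role referenced in an auth-constraint must also be declared. -->
<security-role>
  <role-name>corticon-user</role-name>
</security-role>
```

The realm that backs the application server must define the same role. With the default tomcat-users.xml realm that means a `<role rolename="corticon-user"/>` entry and a `<user ... roles="corticon-user"/>` entry for each account that should be allowed to call the server; a request that authenticates but lacks the role is rejected with 403 rather than 401. Because the constraint applies to the whole application, the Web Console server definition, Corticon Studio deployments and any REST or SOAP client all need an account holding this role.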
Configuring Web Console authentication
The Web Console requires that you provide a valid username/password to access it. By default, the Web Console stores authorized usernames and passwords in its bundled database.
Note: About LDAP - In a production deployment you typically want to configure the Corticon Web Console to use an LDAP service such as Microsoft's Active Directory. See the topic Using LDAP for Web Console authentication for details on configuring LDAP.
Configuring authentication in server test scripts
Corticon includes the testServerRest and testServerAxis command line utilities for testing aspects of the REST and SOAP APIs. If a Corticon Server has basic authentication enabled, you will need to provide username and password credentials by entering transaction number 0 (zero). This allows you to specify credentials for establishing a session with a Corticon Server. For example:
Enter transaction number: 0
Input new URL to J2EE Web Server: http://localhost:8850
Input new Web Application name: axis
(optional) Username if using a secured server: admin
(optional) Password if using a secured server: admin
When using Corticon Studio to access a Corticon Server that has basic authentication enabled, you need to provide username and password credentials for that server. This occurs when publishing or downloading a Decision Service or running rule tests against a deployed Decision Service. For example:
Ruletests on Servers - When a Corticon Studio Ruletest uses a deployed server to test its rules, authentication requires credentials that permit both Admin and Execution operations in order to connect to the server. To support this functionality, use the Select Test Subject dialog's Run against Server tab, as shown:
The credentials are saved within each Testsheet for automatic re-use later.