Securing the console

Configuration is required to enable additional security around connections from the Diffusion™ console.

Allow the console to connect only on a specific connector

We strongly recommend that you only allow the console to connect to Diffusion through a single connector. The port this connector listens on can be blocked from connections from outside of your organization by your load balancer.

You can configure this in the following way:
  1. In your etc/Connectors.xml configuration file, wherever the line <web-server>default</web-server> appears in a connector that receives external connections, replace it with a web server definition that contains only a client-service definition. For example:
        <web-server name="external">
            <!-- This section enables HTTP-type clients for this Web Server -->
            <client-service name="client" debug="true">
                <!-- This parameter is used to re-order out-of-order messages received
                     over separate HTTP connections opened by client browsers. It is rarely
                     necessary to set this to more than a few tens of seconds.
                     If you attempt to set this value to more than one hour, a warning is logged
                     and a timeout of one hour is used. -->
                <message-sequence-timeout>4s</message-sequence-timeout>
                <!-- This controls which client WebSocket connections are accepted by Diffusion.
                     It is a regex pattern matched against the origin of the request;
                     .* matches anything, so all origins are allowed. -->
                <websocket-origin>.*</websocket-origin>
                <!-- This controls cross-origin resource sharing (CORS) for client connections to Diffusion.
                     It is a regex pattern matched against the origin of the request; .* matches anything. -->
                <cors-origin>.*</cors-origin>
            </client-service>
        </web-server>
  2. Create a new connector in your etc/Connectors.xml configuration file that defines a specific port that you use for internal connections to the console.

    In this connector, set the web-server element to default (<web-server>default</web-server>), so that the console is served only on this internal port.

  3. In your load balancer, prevent outside traffic from having access to the port specified in the new connector.
  4. If required, apply additional connection restrictions.
    • You can use a connection validation policy. For more information, see ConnectionValidationPolicy.xml.
    • You can set these restrictions in your load balancer.
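The following script is an added example, not part of the Diffusion documentation or product, that audits a Connectors.xml against the procedure above: given the set of ports your load balancer exposes, it flags any externally reachable connector that still uses the default web server or whose web server defines anything beyond a client-service. The element layout it assumes (a top-level connector element with port and web-server children, and web-server definitions identified by a name attribute) is hypothetical, and the sample file is constructed.

```python
# Added example, not Diffusion's own code: audit a Connectors.xml so that no
# externally reachable connector serves the console. Assumed (hypothetical) layout:
#   <web-server name="NAME">...service definitions...</web-server>
#   <connector name="..."><port>N</port><web-server>NAME</web-server></connector>
import xml.etree.ElementTree as ET

# Constructed sample: external connector on a client-only web server, console on 8081.
SAMPLE_CONNECTORS_XML = """<connectors>
  <web-server name="external">
    <client-service name="client"/>
  </web-server>
  <connector name="External Clients">
    <port>8080</port>
    <web-server>external</web-server>
  </connector>
  <connector name="Console">
    <port>8081</port>
    <web-server>default</web-server>
  </connector>
</connectors>"""


def audit_connectors(xml_text, external_ports):
    """Return findings for connectors on external ports that could serve the console."""
    root = ET.fromstring(xml_text)
    servers = {ws.get("name"): ws for ws in root.findall("web-server")}
    findings = []
    for conn in root.findall("connector"):
        name = conn.get("name", "<unnamed>")
        port_el, ws_el = conn.find("port"), conn.find("web-server")
        if port_el is None or ws_el is None:
            continue
        port = int(port_el.text.strip())
        if port not in external_ports:
            continue  # internal-only port: the load balancer blocks it
        ws_name = (ws_el.text or "").strip()
        if ws_name == "default":
            findings.append(f"{name} (port {port}): 'default' web server exposes the console")
            continue
        ws = servers.get(ws_name)
        if ws is None:
            findings.append(f"{name} (port {port}): web server '{ws_name}' is not defined")
            continue
        # Anything other than client-service in an external web server is suspect.
        extra = sorted({child.tag for child in ws if child.tag != "client-service"})
        if extra:
            findings.append(f"{name} (port {port}): '{ws_name}' also defines {', '.join(extra)}")
    return findings
```

Run it with the ports your load balancer actually forwards; an empty result means every externally reachable connector is restricted to client-service traffic.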

Disable console features in the configuration (as required)

The actions that a user can perform using the console are controlled by roles and permissions. The principal a user logs in to the console with must have a role that grants the permissions required for each action performed in the console.

A principal with the ADMINISTRATOR or OPERATOR role can use all of the functions of the Diffusion console.

To restrict users to using a smaller set of console features, ensure they use a principal with a more restrictive set of roles and permissions. For more information, see Pre-defined roles.