Expand Collapse
Just a second...

Securing the console

Configuration is required to enable additional security around connections from the Diffusion™ console.

Allow the console to connect only on a specific connector

We strongly recommend that you only allow the console to connect to Diffusion through a single connector. The port this connector listens on can be blocked from connections from outside of your organization by your load balancer.

You can configure this in the following way:
  1. In etc/WebServer.xml define a web server that does not contain a file-service. The console will not be accessible via this web server. For example, this web server contains only a client-service definition: 
       <web-server name="external">
        <client-service name="client" debug="true">
            <message-sequence-timeout>4s</message-sequence-timeout>
            <websocket-origin>.*</websocket-origin>
            <cors-origin>.*</cors-origin>
        </client-service>
    </web-server>
  2. Use this web server for external client connections by declaring it in etc/Connectors.xml. 
       <connector name="Client Connector">
        <port>8080</port>
        <web-server>external</web-server>
        <!-- Additional connector configuration -->                    
    </connector>
  3. In etc/Connectors.xml, create a new connector that defines a specific port that you will use for internal connections to the console. This connector should not use the external web server that we defined earlier. Either use the default web server defined in etc/WebServer.xml or define a new web server which contains a file-service and a client-service. 
       <connector name="console connector">
        <port>8123</port>
        <web-server>default</web-server>
        <!-- Additional connector configuration -->                    
    </connector>
  4. With the console accessible via the new connector, you can now prevent outside traffic from having access to the specified port in your load balancer.
  5. If required, apply additional connection restrictions.
    • You can use a connection validation policy. For more information, see ConnectionValidationPolicy.xml.
    • You can set these restrictions in your load balancer.

Disable console features in the configuration (as required)

The actions that a user can perform using the console are controlled by roles and permissions. The principal that the user uses to log in to the console must have a role with the permissions required to perform an action in the console.

A principal with the ADMINISTRATOR or OPERATOR role can use all of the functions of the Diffusion console.

To restrict users to using a smaller set of console features, ensure they use a principal with a more restrictive set of roles and permissions. For more information, see Pre-defined roles.