
Protecting the analytics data entry point with basic authentication

We can configure the security of the MPF Operational Analytics to protect the data entry point using basic authentication.

Data is sent from the MobileFirst Server to the MPF Operational Analytics when the following MPF property is set:

The IBM MobileFirst Platform Operational Analytics exposes this path and it is unprotected by default. This path can be protected with basic authentication (user name and password) using the following steps.

  1. Open the WEB-INF/web.xml file in the WAR file. We must extract the WAR file or use a tool to manipulate compressed files.

  2. Search for a commented-out section called Basic Authentication, and uncomment the section.
    <!-- Basic Authentication -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>data</web-resource-name>
          <url-pattern>/data</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admins</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>

  3. Replace the role name with the role that is configured for the server.

  4. In worklight.properties, set the wl.analytics.username and wl.analytics.password values for basic authentication. For more information about encrypting sensitive information in worklight.properties, see Storing properties in encrypted format.
    wl.analytics.username=bob
    wl.analytics.password=foo


Results

After completing these steps, the MPF Operational Analytics no longer accepts any incoming data unless the request also contains the correct credentials. When the wl.analytics.username and wl.analytics.password values are set, the MobileFirst Server uses these credentials when it forwards data to the MPF Operational Analytics. For more information about IBM MobileFirst Platform Foundation properties, see MobileFirst properties.

These configuration steps protect only the /data path that accepts incoming data. They do not protect the console.
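One way to confirm that the web.xml edit took effect before redeploying, as an added example that is not part of the IBM documentation: the script parses WEB-INF/web.xml and reports whether an active constraint with a role covers /data and whether the login method is BASIC. The sample documents, the way the section is commented out, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample: the section from step 2 inside a minimal <web-app>.
SECTION = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>data</web-resource-name>
    <url-pattern>/data</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>admins</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>"""
WEB_APP = '<web-app xmlns="http://java.sun.com/xml/ns/javaee">%s</web-app>'
ACTIVE = WEB_APP % SECTION
COMMENTED_OUT = WEB_APP % ("<!-- Basic Authentication\n" + SECTION + "\n-->")

def _texts(elem, name):
    """Text of every descendant called `name`, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in elem.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def check_data_protection(web_xml, path="/data"):
    """Return a list of problems; an empty list means `path` requires BASIC auth."""
    # The parser drops XML comments, so a commented-out section is not seen.
    root = ET.fromstring(web_xml)
    problems, covered, roles = [], False, []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        if path not in _texts(elem, "url-pattern"):
            continue
        covered = True
        roles += [r for r in _texts(elem, "role-name") if r]
        if _texts(elem, "http-method"):
            # A constraint limited to listed methods leaves the others open.
            problems.append("constraint applies only to listed http-method values")
    if not covered:
        problems.append("no active security-constraint covers " + path)
    elif not roles:
        problems.append("constraint on " + path + " names no role")
    if "BASIC" not in _texts(root, "auth-method"):
        problems.append("login-config auth-method is not BASIC")
    return problems

def check_war(war):
    """Run the check on WEB-INF/web.xml inside a WAR (path or file object)."""
    with zipfile.ZipFile(war) as z:
        return check_data_protection(z.read("WEB-INF/web.xml"))
```

Calling check_war("analytics.war") on the repackaged archive (file name taken from the server.xml example) returns an empty list when the /data constraint is active.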


Example

The following example shows the equivalent configuration in the Liberty server.xml file:
<application context-root="/analytics"
             id="analytics"
             location="analytics.war"
             name="analytics"
             type="war">
  <application-bnd>
    <security-role name="admins">
      <user name="bob" />
    </security-role>
  </application-bnd>
</application>
<basicRegistry id="basic">
  <user name="bob" password="password" />
</basicRegistry>

