• Front Page
• NESSTAR SERVER
  • Introduction
  • Components
  • Publishing
• CONFIGURATION & ADMINISTRATION
  • Installation
  • Basic Configuration
  • Webview Settings
  • External Database
  • Network Setup
  • Server Administration
  • Migration
  • Language Pack
  • Security
  • User Management
  • Miscellaneous
• ACCESS CONTROL UNIT
  • Introduction
  • Basic Customization
  • Advanced Customization
  • Appendix
• MAPPING
  • Introduction
  • Installing GeoServer
  • Preparing Maps
  • Publishing Maps
  • Using Maps
  • Miscellaneous
• LINKS
  • Webview Help
  • Publisher Help
  • Contact
  • Home
  • NSD

Security

Access Control

In order to protect the data (and the servers themselves) from unauthorised access, the server includes an Access Control Unit (ACU). The ACU enforces the access control policy defined in the server Access Control Policy file. The policy specifies the access control conditions that apply to each resource. Complex conditions can be defined relative to the kind of user, the purpose in using the data (commercial, research, etc.), the kind of operation required, and the legal conditions accepted by the users. On the base of this information the ACU can protect the resources and also "drive" the user in the process of acquiring the necessary rights (for example the user might be required to login, to agree to some conditions, etc.). The ACU can be customized by defining additional site-specific conditions and/or connections to the site user database.

The Default Access Control Policy

The Access Control Policy file installed by default defines a few basic types of users with the following rights:

• anonymous: can browse and search the studies metadata
• authorised and guest: can also perform statistical operations
• fully authorised: can also download and subset data
• publisher: can also publish data and metadata
• administrator: can perform any operation

Customising the Access Control Policy

The Nesstar ACU can be customised to implement different access control policies. For more information refer to the Nesstar ACU Customisation Guide.

Enabling SSL (Secure Socket Layer)

The default installation provides only a non-secure connection between the client and browser. If you wish to provide a secure encrypted communication route (https), you must enable the secure sockets protocol.

Nesstar comes with a self-signed certificate out of the box. This certificate will enable users to communicate with the server over an encrypted connection. To enable this set the ‘Secure Sockets’ option in the configuration tool to ‘true’. Setting ‘Open Sockets’ to ‘false’ will enforce an encrypted connection. Leaving both open will allow the user to choose.

Note that the certification shipped by Nesstar is not signed by a known Certificate Authority (CA). This will therefore cause web browsers to prompt the user to accept the certificate.

Using this certificate will also require anyone who wants to use the Nesstar Publisher to publish data to the secure Nesstar Server, to import the certificate into their Publisher’s keystore. To do this, the file named ‘nesstar.cer’ has to be copied from the Nesstar Server’s ‘config’ directory to where the Publisher is installed, and then to run the ‘importcert.bat’ script, that is shipped with Nesstar Publisher. Please refer to the Publisher User Guide for further information.

If you want to use a certificate signed by a proper Certification Authority (CA) instead, you will need to contact a CA to sign a certificate for you. When you have received a signed certificate, you can install it into the Nesstar Server’s keystore using the instructions below. The publisher will already accept certificates that are signed by the common CAs.

To install a signed certificate:

1. Start cmd.com in Windows by typing cmd.com into the run dialog box in the Start menu, or a shell in Unix/Linux.
2. Change directory to where the Nesstar Server is installed.
3. Change to the ‘config’ directory.
4. Delete the old, self signed certificate as follows:

In Windows, type in these two lines:
del nesstar.cer
..\jre\bin\keytool.exe -delete -v -noprompt -trustcacerts -alias nesstar
-keypass changeit -keystore .keystore -storepass changeit

In Unix/Linux, type in these two lines:
rm nesstar.cer
$JAVA_HOME/bin/keytool -delete -v -noprompt -trustcacerts -alias nesstar
-keypass changeit -keystore .keystore -storepass changeit

5. Copy your signed certificate into this directory. Make sure it is called nesstar.cer
6. Check that the certificate is in the right format as follows:

In Windows, type:
..\jre\bin\keytool.exe -printcert -file nesstar.cer

In Unix/Linux, type:
$JAVA_HOME/bin/keytool -printcert -file nesstar.cer

This should give you some information about the certificate. If not, the certificate is either corrupt, or in the wrong format. If the certificate is in the wrong format (typically .pem format), you will need to convert it. OpenSSL provides free tools to do this for most platforms (http://www.openssl.org/).

7. Having confirmed that the certificate is in order, you will need to import it into the keystore:

In Windows, type:
..\jre\bin\keytool.exe -import -v -noprompt -trustcacerts -alias nesstar
-file nesstar.cer -keypass changeit -keystore .keystore -storepass changeit

In Unix/Linux, type:
$JAVA_HOME/bin/keytool -import -v -noprompt -trustcacerts -alias nesstar
-file nesstar.cer -keypass changeit -keystore .keystore -storepass changeit

Copyright © 2012 Norwegian Social Science Data Services