
How do I improve the security of my implementation?

Andreas Both edited this page Nov 13, 2022 · 1 revision

This page details options to help to improve the security of your Qanary question answering system.

Enable Support for Encrypted Communication / Secure Sockets Layer (SSL)

The Qanary pipeline template and Qanary components can be started with SSL support. The required configurations are described below.

Java Components and Pipeline (Spring Boot)

The necessary properties have to be set in the application.properties file or passed on the command line with the -D switch:

| Property | Description |
|---|---|
| server.ssl.enabled | (boolean) enable SSL |
| server.ssl.key-store | path to the key store that contains the SSL certificate |
| server.ssl.key-store-password | password used to access the key store |
| server.ssl.key-store-type | type of the key store (JKS or PKCS12) |

Important remark

Components use the property server.host to register with the Spring Boot Admin of the Qanary pipeline. Because the host currently cannot be determined dynamically, it needs to be set explicitly to server.host=https://<host_address> so that the component can be found by the Spring Boot Admin instance.

Using Docker for running your components

When using Docker containers, these settings should not be included in the image!

To enable SSL for a Qanary service running in a Docker container, use environment variables (they have the same semantics as the properties described above):

  • SERVER_SSL_ENABLED

  • SERVER_SSL_KEY-STORE

  • SERVER_SSL_KEY-STORE-PASSWORD

  • SERVER_SSL_KEY-STORE-TYPE

  • SERVER_HOST (optional)

Make the key store available inside the container by mounting it as a volume.

Example:

  • if

    • SERVER_SSL_KEY-STORE is set to /certificate/keystore.p12 (location inside the image), and

    • the keystore file is located in /home/user/local_certificate/ (location on your local machine),

  • then pass -v /home/user/local_certificate/:/certificate/ when starting the container.
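Putting the Docker settings above together, as an added example that is not part of the Qanary wiki: a POSIX shell script that checks the host keystore before starting a Java component with SSL enabled. The image name, the host name and the KEYSTORE_PASSWORD variable are assumptions; the SERVER_SSL_* variable names are the ones listed above.

```shell
#!/bin/sh
# Added example: start a Qanary Java component in Docker with SSL enabled.
# Image name, host name and KEYSTORE_PASSWORD are assumptions; the
# SERVER_SSL_* variable names are the ones documented for the components.

# Preflight: the keystore holds the private key, so refuse to start when it is
# missing or readable by other users on the host.
check_keystore() {
    ks_path="$1/$2"
    [ -f "$ks_path" ] || { echo "keystore $ks_path not found" >&2; return 1; }
    perms=$(stat -c '%a' "$ks_path" 2>/dev/null || stat -f '%Lp' "$ks_path")
    case "$perms" in
        *[1-7]) echo "$ks_path is readable by others (mode $perms); use chmod 600" >&2
                return 1 ;;
    esac
}

# Print the docker run arguments, one per line. SSL settings travel as
# environment variables at start time, so nothing secret is baked into the
# image; the host directory with keystore.p12 is mounted read-only at
# /certificate/, matching SERVER_SSL_KEY-STORE inside the container.
docker_run_args() {
    image="$1"; host_cert_dir="$2"; host_name="$3"; ks_password="$4"
    printf '%s\n' \
        "-e SERVER_SSL_ENABLED=true" \
        "-e SERVER_SSL_KEY-STORE=/certificate/keystore.p12" \
        "-e SERVER_SSL_KEY-STORE-PASSWORD=${ks_password}" \
        "-e SERVER_SSL_KEY-STORE-TYPE=PKCS12" \
        "-e SERVER_HOST=https://${host_name}" \
        "-v ${host_cert_dir}:/certificate/:ro" \
        "${image}"
}

main() {
    host_dir=/home/user/local_certificate
    check_keystore "$host_dir" keystore.p12 || return 1
    # Values contain no whitespace, so word splitting yields one argument each.
    # Note: anyone with access to the Docker socket can read the password back
    # with docker inspect; restrict that socket accordingly.
    # shellcheck disable=SC2046
    docker run -d --name qanary-component \
        $(docker_run_args qanary/component:latest "$host_dir" qanary.example.org \
            "${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD in the environment}")
}

if [ "${1:-}" = "--start" ]; then main; fi
```

Run it as `KEYSTORE_PASSWORD=... ./start.sh --start`; the preflight fails closed, so a world-readable or missing keystore never reaches the container.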

Python Components

To enable SSL support for the currently implemented Python components (such as the Expected Answer Type classification component), the following environment variables need to be set:

  • SERVER_SSL_CERTIFICATE - path to the certificate file (.cert)

  • SERVER_SSL_KEY - path to the key file (.key)

  • SERVICE_HOST - HTTPS host address of the component

Use a volume to keep the certificate private: -v /home/user/local_certificate/:/certificate/

Remark

When implementing this functionality for your own component, you may need to change how you start the service, depending on the framework used. For example, when using Flask in combination with Gunicorn, the arguments --certfile and --keyfile need to be passed in order to start the service with SSL enabled.

Configure Web Access

You can configure access to /configuration and /applications to be password-restricted (redirecting the user to a login form), or deny web access completely.

The necessary properties have to be set in the application.properties file or passed on the command line with the -D switch:

| Property | Description |
|---|---|
| configuration.access | disallow: web access is disabled; web: web access is allowed |
| configuration.username | (optional) username for allowed web access |
| configuration.password | (optional) password for allowed web access |

