Question
Is it possible to configure BA so that it accepts API calls only from authorized users?
Resolution
If authentication is enabled, access to BA from an outside network can be allowed, provided that a BA user login and password are passed. External connections are then allowed on the specified port.
Note: These instructions are for BA 5.0, 5.1 and 5.4. Instructions for BA 5.5 can be found in the documentation; for 6.0.x, see http://download.pa.parallels.com/pa/6.0/doc/pba/html/74931.htm (if the BA version is below 5.5.5, please also check the following article).
Perform the following actions on the BA Management Node to enable authentication:
Stop BA:
/etc/init.d/pba stop
Copy the configuration file /usr/local/bm/etc/ssm.conf.d/.xmlrpcd.conf to the /usr/local/bm/etc/ssm.conf.d/.xmlrpcd_auth.conf file:
cp /usr/local/bm/etc/ssm.conf.d/.xmlrpcd.conf /usr/local/bm/etc/ssm.conf.d/.xmlrpcd_auth.conf
Copy the configuration file /usr/local/bm/etc/ssm.conf.d/.xrproxy.conf to the /usr/local/bm/etc/ssm.conf.d/.xrproxy_auth.conf file:
cp /usr/local/bm/etc/ssm.conf.d/.xrproxy.conf /usr/local/bm/etc/ssm.conf.d/.xrproxy_auth.conf
Note: It is important that the copied files' names start with a dot.
Create two new empty files:
/usr/local/bm/etc/ssm.conf.d/xmlrpcd_auth.conf
/usr/local/bm/etc/ssm.conf.d/xrproxy_auth.conf
Add the following strings into the /usr/local/bm/etc/ssm.conf.d/xmlrpcd_auth.conf file:
[environment]
ATMName=XMLRPC_AUTH_Container:$(_index)
AuthorizationRequired=1
XMLRPCD_PORT=127.0.0.1:593$(_index)
[options]
bin = xmlrpcd
summary = Stellart XML RPC AUTH Server
arguments = $(XMLRPCD_PORT)
Add the following strings into the /usr/local/bm/etc/ssm.conf.d/xrproxy_auth.conf file:
[options]
bin = xrproxy.pl
summary = Stellart XML RPC AUTH Proxy Server
arguments = 5924 5930 5931 5932 5933 5934
To automatically start authentication on PBA-E start, edit the [options] section of the /usr/local/bm/etc/ssm.conf.d/global.conf file as follows:
[options]
startdep = amt muxd www xmlrpcd xrproxy xmlrpcd_auth xrproxy_auth
Start BA:
/etc/init.d/pba start
Allow access from the outside network to port 5924 on the BA application server. This port will be used for incoming XML RPC requests with authorization.
- Optionally, consider disabling non-authorized access to the BA XML RPC server by closing port 5224 in the firewall for the outside network.
Note: BA 5.0.0-636 HOTFIX 007 must be installed.
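The following script is an added example, not part of the original article or of BA itself. It checks, before port 5924 is opened to the outside network, that the files created above actually enforce authorization. The function names are hypothetical, and treating the first xrproxy.pl argument as the externally exposed port is an assumption based on the port named in the steps above.

```shell
#!/bin/sh
# Added example (not vendor code): lint the authenticated XML RPC setup.

# Print the trimmed value of the first "key = value" line in an ini-style file.
conf_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        head -n 1
}

check_ba_auth_conf() {  # $1 = path to ssm.conf.d
    dir=$1
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # Every file from the procedure must exist; two are dot-prefixed copies.
    for f in .xmlrpcd_auth.conf .xrproxy_auth.conf \
             xmlrpcd_auth.conf xrproxy_auth.conf global.conf; do
        [ -f "$dir/$f" ] || fail "missing $dir/$f"
    done
    [ "$rc" -eq 0 ] || return 1

    # The auth-enabled xmlrpcd must actually require authorization.
    [ "$(conf_value "$dir/xmlrpcd_auth.conf" AuthorizationRequired)" = "1" ] ||
        fail "AuthorizationRequired is not 1"

    # Back-end listeners stay on loopback, as in the article's XMLRPCD_PORT.
    case "$(conf_value "$dir/xmlrpcd_auth.conf" XMLRPCD_PORT)" in
        127.0.0.1:*) ;;
        *) fail "XMLRPCD_PORT is not bound to 127.0.0.1" ;;
    esac

    # Assumption: the first xrproxy.pl argument is the externally exposed port.
    set -- $(conf_value "$dir/xrproxy_auth.conf" arguments)
    [ "${1:-}" = "5924" ] || fail "xrproxy_auth does not listen on 5924"

    # Both new services must be in startdep to come up together with BA.
    deps=" $(conf_value "$dir/global.conf" startdep) "
    for svc in xmlrpcd_auth xrproxy_auth; do
        case "$deps" in
            *" $svc "*) ;;
            *) fail "$svc missing from startdep in global.conf" ;;
        esac
    done
    return "$rc"
}

# Usage: sh check_ba_auth.sh /usr/local/bm/etc/ssm.conf.d
if [ $# -gt 0 ]; then check_ba_auth_conf "$1"; fi
```

A non-zero exit status means at least one check failed; the reasons are printed to standard error.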