System security
As the portal administrator, you can take the following measures to secure your portal system.
Conventional measures to protect the software and hardware security of the system include physical security, software upgrades, virus protection, and regular backups. As the portal administrator, you can take conventional system protection measures for servers to protect them from physical attacks and malicious network damage.
A firewall is a combination of software and hardware devices. It builds a protective barrier between the internal and the external network, or between the private and the public network, which protects the internal network from intrusion by unauthorized external users. It isolates the internal and external networks by limiting the ports through which the external network can communicate with the internal network. These communication ports can also be monitored through the firewall to block malicious access, thereby preventing external attacks.
Using firewall technology to separate the internal and external networks can better protect the GIS service system from malicious attacks from external networks. For how to configure the firewall, see Firewall Protection.
Note: iPortal uses some HTTP ports by default. When starting the service, make sure that these ports are not occupied and are allowed through the firewall.
HTTPS combines the Hypertext Transfer Protocol with SSL/TLS to provide encrypted communication and authentication of the server's identity. Compared with HTTP, HTTPS is more secure. HTTP transfers information in plain text, so it is easy to leak, while HTTPS encrypts all the transferred information, including headers and payloads.
In iPortal, to enable the proxy service with the HTTPS protocol, you need to configure the proxy service installation package. There are two implementations of SSL in Tomcat, which is the default web container of the proxy service installation package. For details, see Using HTTPS to encrypt communication.
iPortal trusts the SSL certificates of all HTTPS servers by default, whether or not they are issued by a recognized certificate authority. For a higher level of protection, you can remove the global trust for HTTPS certificates by changing the iPortal configuration file, so that your portal only communicates with HTTPS servers that use authority-certified SSL certificates.
As the portal administrator, open the iportal.xml file in the %SuperMap iPortal_HOME%/webapps/iportal/WEB-INF directory, find the <trustAllHttpsCertificates> sub-node under the <httpsConfig> node, and modify the HTTPS certificate trust configuration as follows. For details, see the iPortal configuration file description.
Example:
...
<IportalConfig>
...
<httpsConfig>
<trustAllHttpsCertificates>true</trustAllHttpsCertificates>
</httpsConfig>
</IportalConfig>
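The check below is an added example, not part of the iPortal documentation or product: it parses iportal.xml content and reports whether global HTTPS certificate trust is still in effect, so the setting can be verified after a change or during a configuration review. It assumes that false is the value that removes global trust and that a missing node means the default (trust all) applies; the function names and sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from a real deployment).
SAMPLE_TRUST_ALL = """<IportalConfig>
  <httpsConfig>
    <trustAllHttpsCertificates>true</trustAllHttpsCertificates>
  </httpsConfig>
</IportalConfig>"""
SAMPLE_RESTRICTED = SAMPLE_TRUST_ALL.replace(">true<", ">false<")
SAMPLE_MISSING = "<IportalConfig><httpsConfig/></IportalConfig>"


def audit_https_trust(xml_data):
    """Classify the trustAllHttpsCertificates setting in iportal.xml content.

    Accepts str or bytes; returns (status, detail), where status is
    'trust-all', 'restricted' or 'invalid'.
    """
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return ("invalid", f"cannot parse configuration: {exc}")
    if root.tag != "IportalConfig":
        return ("invalid", f"unexpected root element <{root.tag}>")
    nodes = root.findall("./httpsConfig/trustAllHttpsCertificates")
    if not nodes:
        # Assumption: an absent node falls back to the default, which the page says is trust-all.
        return ("trust-all", "node absent, default applies")
    if len(nodes) > 1:
        return ("invalid", "node appears more than once")
    value = (nodes[0].text or "").strip().lower()
    if value == "true":
        return ("trust-all", "explicitly set to true")
    if value == "false":  # Assumption: false is the value that removes global trust.
        return ("restricted", "explicitly set to false")
    return ("invalid", f"unrecognised value {value!r}")


def audit_file(path):
    """Audit a file on disk; reading bytes lets the parser honour the XML encoding declaration."""
    with open(path, "rb") as fh:
        return audit_https_trust(fh.read())


if __name__ == "__main__":
    samples = (("trust-all", SAMPLE_TRUST_ALL), ("restricted", SAMPLE_RESTRICTED), ("missing", SAMPLE_MISSING))
    for label, cfg in samples:
        print(label, audit_https_trust(cfg))
```

Treat an 'invalid' result the same as 'trust-all' in a review: a value the portal cannot interpret gives no assurance that certificate validation is enforced.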
In actual business applications, the services used by the application system may come from multiple SuperMap iServer instances and from servers of other GIS platform vendors. To apply unified permission control to these multi-source services so that they can be used, managed, and maintained together, SuperMap iPortal provides the service proxy function. iPortal also supports reverse proxy. You can use the service proxy together with an Nginx reverse proxy to further protect the portal system. For details, see the proxy configuration.