Separating the Console from Public Endpoints

Version 21.0.7928



By default, ArcESB hosts the Administration Console (where administrators create and manage Flows) and the public Receiving endpoints on the same network port. To enhance security, it may be desirable to separate the console from the public endpoints such that they are hosted on different ports.

Once separated, external partners that connect to ArcESB's public endpoints cannot reach the Administration Console, even if they acquire the login credentials (the default configuration protects the console behind a username/password combination).

Overview

Separating the console from the public endpoints requires explicitly configuring a second web app that consists only of the resources required to host public Receiving endpoints. After this additional configuration, ArcESB will use two ports: one for the full (console) application, and one for the endpoint-only application.

The standard web configuration process described in the documentation should be used to configure the full application, and this page should be used to configure the endpoint-only application.

Restrictions

There are two requirements for separating Arc's console and public endpoints:

  • Hosting Arc's public endpoints via an external server (IIS, Jetty, Tomcat, etc.)
  • Configuring an enterprise application database (MySQL, SQL Server, PostgreSQL)

More details are provided below.

Windows Edition

Setting Up the Endpoint-Only Application

For Windows installations, IIS must be used to host the public receiving endpoints. The embedded web server can still be used to host the full (console) application that is not exposed to the public.

The Windows edition includes a www_services folder containing the web configuration data required to host an endpoint-only application. Directing IIS to this folder makes Arc's public endpoints accessible through IIS without exposing the Administration Console. Further configuration of ports, SSL, etc. should be done in IIS directly.

Note that this www_services folder is separate from the www folder, which is used to host the full (console) application.

Setting Up the Application Database

Separating the public endpoints from the console requires configuring an enterprise application database. More details on configuring the enterprise application database can be found here.

Java Edition

Setting Up the Endpoint-Only Application

For Java installations, an external Java servlet container (Jetty, Tomcat, JBoss) must be used to host the public receiving endpoints. The embedded web server can still be used to host the full (console) application that is not exposed to the public.

The Java edition includes a services.war file that should be used when separating the endpoints from the console. Deploy this services.war file in an external Java servlet container to create the endpoint-only web application. Further configuration of ports, SSL, etc. for this endpoint-only application should be done using the XML configuration files for the external servlet container.

Setting Up the Application Database

Separating the public endpoints from the console requires configuring an enterprise application database. More details on configuring the enterprise application database can be found here.
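
After either edition is configured, it is worth confirming from outside that the endpoint-only port really does not serve console resources. The following check is an added example, not part of the ArcESB documentation or product; the entries in CONSOLE_PATHS are hypothetical placeholders that must be replaced with paths your own console deployment serves.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Hypothetical placeholders: replace with paths your own console serves
# (for example, its login page). These are not taken from the Arc docs.
CONSOLE_PATHS = ["/console-login-placeholder", "/console-home-placeholder"]


def probe(base_url, path, timeout=5.0):
    """Return the HTTP status for GET path on base_url, or None if unreachable.

    http.client is used so redirects are not followed: a 302 to a login page
    on the public port is itself evidence that console resources are served.
    """
    parts = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None  # refused, timed out, or TLS validation failed
    finally:
        conn.close()


def exposed_console_paths(public_base, console_paths=CONSOLE_PATHS):
    """Return {path: status} for console paths the public port answers.

    Any status other than 404 (200, 3xx, 401, 403, 5xx) is reported for
    review; an unreachable port (None) is not counted as exposure.
    """
    findings = {}
    for path in console_paths:
        status = probe(public_base, path)
        if status is not None and status != 404:
            findings[path] = status
    return findings


if __name__ == "__main__":
    # Usage: python check_separation.py https://public-host:PORT [path ...]
    base, paths = sys.argv[1], sys.argv[2:] or CONSOLE_PATHS
    found = exposed_console_paths(base, paths)
    for p, s in found.items():
        print(f"REVIEW: {base}{p} answered {s} on the public port")
    sys.exit(1 if found else 0)
```

Run it from a network position equivalent to an external partner's, against the endpoint-only port, and treat a non-zero exit code as a sign that IIS or the servlet container is pointed at the full application instead of www_services or services.war.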