
Adding security in Atlas


(Ambuj) #1

Hello,

Atlas at my end is all up and running, and I also checked the security configuration document at http://www.ohdsi.org/web/wiki/doku.php?id=documentation:software:webapi:basic_security, which says not to use this in a production environment.

Can someone please help me understand how we can add security for Atlas once it is deployed into production?
@Ajit_Londhe @Chris_Knoll
No response received, so tagging you guys :)

Thank You


(Ajit Londhe) #2

Sorry @ambuj, I don’t know much about security in Atlas. Along with Chris, tagging @anthonysena, @pavgra


(Chris Knoll) #3

Same here, someone with direct experience with setting it up should be able to help you.


(Pavel Grafkin) #4

Which security provider are you going to use? (e.g. Active Directory, LDAP, custom DB)


(Ambuj) #5

@pavgra
I would prefer to use Active Directory or LDAP.


(Ambuj) #6

@pavgra
Hello Pavel,

Is there any update on the security part? Or is this yet to be developed?

Thanks


(Pavel Grafkin) #7

Both AD and LDAP are supported by Atlas. Example of configuring AD is below (passed as mvn parameters; could be set as environment vars):

-Dsecurity.ad.url=ldap://odysseusdomain.com:389
-Dsecurity.ad.searchBase=cn=Users,dc=odysseusinc,dc=domain
-Dsecurity.ad.principalSuffix=@odysseusinc.domain
-Dsecurity.ad.system.username=Administrator
-Dsecurity.ad.system.password=verySECRET
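
Added example, not part of the original post and not WebAPI code: a small Python check over the `-D` parameters shown above that flags what a reviewer would question before production (plain `ldap://`, the Administrator account as bind user, a literal password). The privileged-name list and the `${...}` placeholder convention are assumptions of this example.

```python
import shlex
from urllib.parse import urlsplit

# Constructed input: the -D parameters from the post, joined on one line.
SAMPLE = (
    "-Dsecurity.ad.url=ldap://odysseusdomain.com:389 "
    "-Dsecurity.ad.searchBase=cn=Users,dc=odysseusinc,dc=domain "
    "-Dsecurity.ad.principalSuffix=@odysseusinc.domain "
    "-Dsecurity.ad.system.username=Administrator "
    "-Dsecurity.ad.system.password=verySECRET"
)
# Assumed list of account names too privileged for a read-only bind user.
PRIVILEGED = {"administrator", "admin", "root"}


def parse_defines(cmdline):
    """Return {property: value} for every -Dname=value token."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D") and "=" in tok:
            name, value = tok[2:].split("=", 1)
            props[name] = value
    return props


def audit(cmdline):
    """Return (property, finding) pairs for risky AD bind settings."""
    props = parse_defines(cmdline)
    findings = []
    url = props.get("security.ad.url")
    if url and urlsplit(url).scheme.lower() != "ldaps":
        findings.append(("security.ad.url",
                         "no LDAPS: a simple bind sends the password "
                         "unencrypted unless StartTLS is used"))
    user = props.get("security.ad.system.username", "")
    if user.split("@")[0].lower() in PRIVILEGED:
        findings.append(("security.ad.system.username",
                         "privileged account used as the bind user"))
    secret = props.get("security.ad.system.password")
    # Assumption: a ${...} reference means the secret is injected elsewhere.
    if secret and not (secret.startswith("${") and secret.endswith("}")):
        findings.append(("security.ad.system.password",
                         "literal password stored in the command line"))
    return findings


if __name__ == "__main__":
    for prop, finding in audit(SAMPLE):
        print(f"{prop}: {finding}")
```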

(Anthony Sena) #8

Hi @ambuj - we’ve done some work to update the WebAPI documentation and we’ve moved it to GitHub. The security guide is now found here:

In your original post, you noted: the basic security setup guide says do not use this in production environment. The reason for that is: the basic security setup guide walks through setting up a dedicated database for storing user identifiers and encrypted passwords for use with ATLAS. Storing both the user identifiers and passwords (even encrypted) together is a bad security practice. The updated security guide referenced above provides guidance for setting up both WebAPI and ATLAS to use enterprise grade authentication mechanisms such as Active Directory.


(Shweta) #9

This did not work for me. The username and password are actual AD admin username and password.
If yes, is it secure if it's in clear text?
Do we have to add any settings in Atlas config-local.js, or will it automatically recognize it?
Can you provide a sample setting.xml and config-local.js for the AD settings?

Thanks.


(Ambuj) #10

I created an openssl certificate to add SSL/TLS for Atlas over tomcat server and added the connector port details in tomcat’s server.xml using port 443.
When I try to open https://localhost/WebAPI/source/sources, I get error 401.

I have added details of my settings.xml, server.xml, screenshot for WebAPI and Atlas in the following post.

I haven’t received any response there, so posting it here.
Please help.

TIA

