OHDSI Home | Forums | Wiki | Github

OpenSSL and WebAPI set up

(Ambuj) #1

Hello Guys,
@Chris_Knoll @pavgra
I was successfully able to deploy OHDSI tools in non production environment without any security.

From last few days I am trying to host the OHDSI tools in a secure environment using OPENSSL but couldn’t get them worked.

I have created a keystore which is not signed by CA as I am doing it for non production use.
I tried port 8443, 443, 8080 and 80 in settings.xml and none of them worked.
I am attaching the screenshots for-

  1. Settings.xml
  2. server.xml from tomcat
  3. AchillesWeb page which is working as it is not using WebAPI at all
  4. Error for localhost/WebAPI/source/sources
  5. Error while loading Atlas

Can someone please help me out here and let me know if any changes are incorrect or I missed anything here.


@Ajit_Londhe please see if you can help me out here.
Does WepAPI supports openssl? as I do not want to use any of the available security options present under WebAPI security page.

Adding security in Atlas
(Chris Knoll) #2

Atlas has a security configuration as well. Lookin gat your screenshot, i don’t see a ‘sign in’ link at the top.

The default config.js file (in /js/config/app.js) has this value specified:

appConfig.userAuthenticationEnabled = false;

In order to enable security (if your WebAPI has security enabled) you need to override this setting in a file called /js/config-local.js which will have a value like:

config.userAuthenticationEnabled = true;

In addition, there are a number of default authProviders that are defined by default. if you only want a subset of those, you will override the authProviders array in config-local.js to only include those you want to use.

@anthonysena, I don’t think the security setup in WebAPI covers the configuration for Atlas, and I don’t know if that should be included in the WebAPI documentation, or if the Atlas side needs an update.

@ambuj, I believe your SSL is set up properly: when you got the HTTP 401 resposne by going to /WebAPI/source/sources, your address bar shows that the SSL certificate seems to be working (unlike the second screenshot of atlas where is showing Not Secure. Means your SSL is configured for WebAPI connection, but your HTTP Server is not.

The 401 response is proper considering I believe your atlas is not configured to authenticate and so all requests to WebAPI will be un-authenticated, and therefore you will get a 401. Likewise, when you try to access any WebAPI endpoint directly through the browser with security enabled, none of the authorization headers are set up so it will think you are unauthorized.

I haven’t done too much work with security enabled, but it’s possible that once you have Atlas configured for authentication, once you authenticate in Atlas, you can go to a new tab and invoke WebAPI endpoints because the site’s cookie should remain in your session and it should authenticate. However, this is a theory, I could be wrong, so let me know what you find.


Access rights features in Atlas
(Ambuj) #3

Thank you for the detailed information like always Chris, I wanted to enable SSL part as of now which I figured out by keeping the <security.provider> in settings.xml as it is i.e. DisabledSecurity and kept the SSL enabled.

In next phase when I will try to integrate it with AD/LDAP, I guess then only I need to make the required changes you mentioned in your post.

Thank you

  • Ambuj