NOTE
StrongLoop Arc and slc are no longer under active development, and will soon be deprecated. Arc's features are being included in the IBM API Connect Developer Toolkit. Please use it instead.

Overview

In general, you should set up secure access to a remote instance of StrongLoop Process Manager so your production host remains secure.

The general process is:

  1. Set up key-based authentication for the remote server.
  2. Use http+ssh as the protocol instead of http in URL arguments to slc commands, for example:

Using HTTP authentication

To use HTTP authentication, you must set it up when you install the StrongLoop PM service. For more information, see Setting up a production host.

Once you've set up HTTP authentication for StrongLoop PM, you can set authentication credentials directly in the URL argument to the slc ctl command's -C option; for example: 

Using SSH tunneling

To connect using SSH and tunnel the HTTP requests over that connection, use the http+ssh protocol in the URL, for example:

The SSH username defaults to your current user, authentication defaults to using your current SSH agent, and the port defaults to 22. To override a default:

  • Username: set the SSH_USER environment variable.
  • Authentication: set the SSH_KEY environment variable to the path of the existing private key to use.
  • SSH port: set the SSH_PORT environment variable.

Requirements

REVIEW COMMENT from Rand
What does "If your local username isn’t the right one...." mean? What should it be?
You need to set up key-based authentication for the remote server. You must also use an SSH agent to make your keys available. Instead of setting up an agent, you can specify the path to the private key in the SSH_KEY environment variable.

If your local username isn’t the right one, use the SSH_USER environment variable to specify the username. 

For example:

Enhancing security 

To enhance security, do all of the following:

  • Block direct access to port 8701 so that it can only be accessed from the server itself.
  • Use --http-auth when you install the StrongLoop PM service. For more information, see Setting up a production host.
  • Use --control http+ssh://user:pass@remotehost:8701/
    • Authenticates via SSH (username: $SSH_USER or $LOGNAME from environment, key from $SSH_AUTH_SOCK or $SSH_KEY from environment).
    • Authenticates via HTTP (user and pass from URL, matching username/password set during install).

Using the SSH tunnel allows us to connect to the PM's port via its localhost, which bypasses the firewall restriction that blocks direct access.
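A pre-flight check for the control URL, as an added example that is not part of the StrongLoop documentation or tooling: it parses the URL intended for -C/--control so a deploy script can refuse plain http to a remote host (which needs port 8701 exposed and sends the HTTP credentials unencrypted) and can see when user:pass is embedded in the argument. The function names are hypothetical; the sample URL in the comment is the one from the list above.

```shell
#!/bin/sh
# Added example (not StrongLoop code): vet the URL given to `slc ctl -C`
# before a deploy script uses it. Function names are hypothetical.

# Prints a verdict: tunnel | local | plain-remote | invalid,
# with "+creds" appended when user:pass is embedded in the URL.
classify_control_url() {
    url=$1
    case $url in
        http+ssh://?*) kind=tunnel; rest=${url#http+ssh://} ;;
        http://?*)     kind=plain;  rest=${url#http://} ;;
        *)             echo invalid; return 0 ;;
    esac
    authority=${rest%%/*}                 # drop any path component
    case $authority in
        *@*) creds=+creds; hostport=${authority##*@} ;;
        *)   creds=;       hostport=$authority ;;
    esac
    case $hostport in
        \[*\]*) host=${hostport%%\]*}; host=${host#\[} ;;  # e.g. [::1]:8701
        *)      host=${hostport%%:*} ;;
    esac
    [ -n "$host" ] || { echo invalid; return 0; }
    if [ "$kind" = plain ]; then
        case $host in
            localhost|127.0.0.1|::1) kind=local ;;         # never leaves the box
            *)                       kind=plain-remote ;;  # needs 8701 exposed
        esac
    fi
    echo "$kind$creds"
}

# Exit status 0 only when the PM port is reached over SSH or on loopback.
control_url_ok() {
    case $(classify_control_url "$1") in
        tunnel*|local*) return 0 ;;
        *)              return 1 ;;
    esac
}

# In a deploy script (URL from the page):
#   url='http+ssh://user:pass@remotehost:8701/'
#   control_url_ok "$url" || { echo "refusing $url" >&2; exit 1; }
```

A `+creds` verdict is a prompt to check how the script obtains the URL, since credentials passed on a command line also appear in shell history and process listings.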

