PreEmptive Analytics Data Hub User Guide

Security Considerations

In addition to the default installation instructions, you may wish to configure additional security measures, namely using secure data transmission (HTTPS) and configuring non-default users for RabbitMQ.

Secure Data Transmission

After installation, the Endpoint Web Service is active and ready to accept incoming messages at the Endpoint URL displayed by the installer. However, this incoming data is not encrypted with SSL. This section explains how to enable SSL for the endpoint.

Configuring Upstream Clients

To use SSL for incoming messages, upstream clients (typically instrumented applications) must be configured to initiate requests via HTTPS. See the appropriate documentation included with your PreEmptive Analytics product(s) to configure instrumented applications appropriately.

Enabling SSL at the Endpoint

You must obtain and install a valid SSL certificate. Instructions for doing so are typically provided by the issuing certification authority or your internal Operations department. For example, here are instructions (for IIS 8) for generating a certificate signing request and installing an SSL certificate.

Once the certificate is installed, the Endpoint Web Service must also be configured to support SSL, as follows:

  1. Open the IIS Manager (inetmgr.exe).
  2. Under the server node, select the configured website.
  3. Click Bindings... from the Actions pane.
  4. Click Add....
  5. Choose https in the Type drop-down.
  6. Choose the Port (443 is the default).
  7. Choose the imported certificate in the SSL certificate drop-down.
  8. Click OK.
  9. If you wish to only support SSL connections, and disallow unencrypted ones, select the existing http binding, then click Remove and confirm the removal.
  10. Click Close, then close the IIS Manager.
  11. Ensure your firewall configuration allows access as appropriate.

These changes take effect immediately; no restart is required.
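
The binding steps above can also be scripted. The following PowerShell is an added example, not part of the PreEmptive documentation; it uses the WebAdministration module that ships with IIS, and the site name and certificate thumbprint are placeholders (assumptions) to replace with your own values.

```powershell
# Added example: scripted form of the IIS Manager binding steps.
# $SiteName and $Thumbprint are placeholders (assumptions), not values from the guide.
param(
    [string]$SiteName   = 'Default Web Site',          # assumed name of the configured website
    [string]$Thumbprint = '<CERTIFICATE-THUMBPRINT>',  # placeholder: thumbprint of the installed certificate
    [int]$Port          = 443,                         # step 6: 443 is the default
    [switch]$RemoveHttp                                # step 9 is optional
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# The certificate must already be installed in the machine store, with its
# private key, and must not have expired; otherwise IIS cannot serve it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                    { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Steps 3-8: add the https binding if it is absent, then attach the certificate.
# An https binding that already exists is left untouched and only reported below.
$https = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $https) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    $https = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
    $https.AddSslCertificate($cert.Thumbprint, 'My')
}

# Step 9: remove the unencrypted binding only after https is in place.
if ($RemoveHttp) {
    Remove-WebBinding -Name $SiteName -Protocol http
}

# Show the resulting bindings so the change can be reviewed.
Get-WebBinding -Name $SiteName |
    Select-Object protocol, bindingInformation, certificateHash
```

Run it from an elevated PowerShell session on the Data Hub server; the final listing should show an https binding with a certificate hash and, if `-RemoveHttp` was given, no http binding.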

Dispatching via SSL

Using SSL for outbound data depends on the destination's support for it, and is a simple matter of configuration. This can be used independently of SSL configuration with the Endpoint. Please see these examples for how to configure this in the Dispatch.config file.

Disabling Vulnerable SSL Ciphers

We recommend disabling vulnerable SSL ciphers to prevent exploits, including man-in-the-middle attacks. This can be done by running the latest version of this PowerShell script.

RabbitMQ User Security

In the default configuration, RabbitMQ is set up with one admin account with default credentials, which the application uses to interact with the queues. Although the installation, by default, limits RabbitMQ access to the local host (127.0.0.1), these default credentials are well known, so you may wish to replace the default user with other users that have unique passwords.

To do so:

  1. Using the default credentials of guest with a password of guest, add an admin user.
  2. Using the admin user you just created, add an application user.
  3. Stop the Endpoint Web Service and the Dispatch Service.
  4. For both the Endpoint Web Service and Dispatch Service, modify the Data Hub Parameters RabbitServerUsername and RabbitServerPassword to match the credentials of the application user.
  5. Start the Endpoint Web Service and the Dispatch Service.
  6. Verify the Data Hub is operating correctly under this new user, and check the Windows Event Log for any errors or warnings.
  7. Using the admin user, remove the guest user.


Data Hub Version 1.5.0. Copyright © 2015 PreEmptive Solutions, LLC