Securing the REST API

This topic covers important options for securing your HCL OneDB™ REST API.

Securing your REST API server with TLS (HTTPS)

You can enable Transport Layer Security (TLS) in the REST API server to encrypt all communications between the REST server and clients. By enabling TLS, the REST server will run as an HTTPS server.

Important: It is recommended that you enable TLS and HTTPS whenever deploying the REST API server in a production environment.

The REST server supports three types of keystores to hold your encryption keys: JKS, PKCS12, and PEM files.

Java KeyStore (JKS)

You can use the Java keytool utility that comes with your JDK installation to generate a Java KeyStore. Refer to your Java documentation for instructions for creating a keystore.

After you have created a keystore, include the following properties in your REST configuration file.

tls.enable: true
tls.keystore.type: jks
tls.keystore.file: mykeystore.jks
tls.keystore.password: mypassword

PKCS12

You can use a PKCS12 keystore to encrypt communications with your REST API server by setting the following properties in your REST configuration file.

tls.enable: true
tls.keystore.type: pkcs12
tls.keystore.file: mykeystore.pkcs12
tls.keystore.password: mypassword

PEM files

You can use OpenSSL to generate a .PEM certificate and key files. Refer to your OpenSSL documentation for instructions for generating a certificate and keys.

To use a .PEM certificate and key files, include the following properties in your REST configuration file.

tls.enable: true
tls.keystore.type: pem
tls.keystore.file: rest_key.pem
tls.pem.cert: rest_cert.pem

Securing the REST server's JDBC connections with SSL

You can encrypt the JDBC connections between the REST server and the HCL OneDB database server with the Secure Sockets Layer (SSL) protocol.

First, you must have SSL configured for the database server. See Configuring a server instance for secure sockets layer connections.

Then add three JDBC properties, SSLCONNECTION, SSL_TRUSTSTORE, and SSL_TRUSTSTORE_PASSWORD, to the OneDB server connection information in your REST configuration file.

onedb.servers:
  - alias: server1
    host: host1.mycompany.com
    port: 9088
    properties:
      SSLCONNECTION: true
      SSL_TRUSTSTORE: client_keystore.jks
      SSL_TRUSTSTORE_PASSWORD: myKeystorePass

Important: If you have more than one server in your onedb.servers list, you must add these SSL-related JDBC connection properties to each server in the list that you want to secure with SSL.

Enabling anti-Cross-Site Request Forgery (CSRF) tokens

The REST API server supports anti-CSRF tokens to secure it against Cross-Site Request Forgery (CSRF) attacks.

When anti-CSRF tokens are enabled, an X-CSRF-TOKEN header is returned with the first HTTP response of an authenticated session. Every subsequent HTTP POST, PUT, or DELETE request that uses the same session cookie must include that X-CSRF-TOKEN header. If the header is missing or carries an invalid token, the REST API responds with an HTTP FORBIDDEN response.

Important: It is recommended that you enable these tokens in a production deployment of the REST API server. When they are enabled, REST clients must send the X-CSRF-TOKEN request header whenever they reuse an existing REST session through its session cookie.
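The exchange described above, as an added example that is not part of the HCL OneDB documentation or product code: a constructed stand-in server applies the documented rule (token issued with the first authenticated response, required on later POST/PUT/DELETE for the same session cookie, FORBIDDEN otherwise), and a small client shows how to capture and echo the token. The cookie name SESSION, the /example paths, and the transport signature are assumptions; the transport callable can be replaced by a real HTTPS request function.

```python
import secrets
MUTATING = {"POST", "PUT", "DELETE"}  # methods that must carry the token

class FakeRestServer:
    """Constructed stand-in (not the HCL REST server): the first authenticated response
    sets a session cookie plus X-CSRF-TOKEN; later POST/PUT/DELETE must echo the token."""

    def __init__(self):
        self.sessions = {}  # session id -> token expected on mutating requests

    def handle(self, method, path, headers, body=None):
        cookie = headers.get("Cookie")
        if cookie is None:  # no session yet: treat as the first authenticated request
            sid, token = secrets.token_hex(8), secrets.token_hex(16)
            self.sessions[sid] = token
            return 200, {"Set-Cookie": f"SESSION={sid}; HttpOnly", "X-CSRF-TOKEN": token}, b"ok"
        sid = cookie.split("=", 1)[1]
        if method in MUTATING and headers.get("X-CSRF-TOKEN") != self.sessions.get(sid):
            return 403, {}, b"FORBIDDEN"  # token missing or invalid
        return 200, {}, b"ok"

class RestClient:
    """Reuses the session cookie and sends the stored token on mutating requests."""

    def __init__(self, transport):
        self.transport = transport  # callable(method, path, headers, body) -> (status, headers, body)
        self.cookie = None
        self.csrf_token = None

    def request(self, method, path, body=None, send_token=True):
        headers = {}
        if self.cookie:
            headers["Cookie"] = self.cookie
        if send_token and method in MUTATING and self.csrf_token:
            headers["X-CSRF-TOKEN"] = self.csrf_token
        status, resp_headers, resp_body = self.transport(method, path, headers, body)
        lowered = {k.lower(): v for k, v in resp_headers.items()}  # header names are case-insensitive
        if "set-cookie" in lowered:
            self.cookie = lowered["set-cookie"].split(";", 1)[0]  # keep only name=value
        if "x-csrf-token" in lowered:
            self.csrf_token = lowered["x-csrf-token"]  # token from the first response
        return status, resp_body

def demo():
    client = RestClient(FakeRestServer().handle)
    first, _ = client.request("GET", "/example/items")                           # token arrives here
    accepted, _ = client.request("POST", "/example/items", b"{}")                # token echoed
    rejected, _ = client.request("DELETE", "/example/items/1", send_token=False)  # token omitted
    return first, accepted, rejected  # (200, 200, 403)
```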