Security Instructions

This document describes the security features available in CIB ins7ght.


Application Security

User Authentication

Optional UI authentication: Set ins7ght.authentication.enabled to true in application.yaml so that requests are handled by the embedded CIB seven web stack. When it is disabled (the default), ins7ght itself does not challenge users.

Enterprise license: Analytics, process, and incident REST endpoints require a valid license file and otherwise respond with HTTP 403. Endpoints such as GET /info and GET /poll-info are not gated by that license check.

External protection: Regardless of the flags above, deployments that must not expose the UI or API broadly should still be protected by network boundaries, firewalls, VPNs, or authenticated reverse proxies.


CIB seven Connection Authentication

CIB ins7ght authenticates with CIB seven to poll process data. Three authentication methods are available:

Option 1: Basic Authentication

polling:
  engineRestUrl: http://localhost:8080/engine-rest
  auth:
    type: basic
    basic:
      username: ${ENGINE_USERNAME}
      password: ${ENGINE_PASSWORD}

Option 2: WebClient Authentication

polling:
  auth:
    type: webclient
    webclient:
      url: http://localhost:8080/CIB seven-webclient/rest/login
      username: ${WEBCLIENT_USERNAME}
      password: ${WEBCLIENT_PASSWORD}

Option 3: Single Sign-On (SSO)

polling:
  auth:
    type: sso
    sso:
      url: http://localhost:8088/auth/realms/cib/protocol/openid-connect/token
      client-id: ${SSO_CLIENT_ID}
      client-secret: ${SSO_CLIENT_SECRET}
      useWebclient: true
      webclientUrl: http://localhost:8080/CIB seven-webclient/rest/login

Database Security

Credentials

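Supply the database credentials, and the CIB seven connection credentials referenced above, through environment variables rather than as literal values in application.yaml: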

export DB_USERNAME=your_username
export DB_PASSWORD=your_password
export ENGINE_USERNAME=camunda_user
export ENGINE_PASSWORD=camunda_password
export SSO_CLIENT_SECRET=sso_secret

PostgreSQL Configuration

spring:
  datasource:
    url: jdbc:postgresql://db-host:5432/cibseven-optimize
    username: ${DB_USERNAME}
    password: ${DB_PASSWORD}
    driver-class-name: org.postgresql.Driver

Optional SSL:

spring:
  datasource:
    url: jdbc:postgresql://db-host:5432/cibseven-optimize?ssl=true&sslmode=require

H2 Configuration

spring:
  datasource:
    url: jdbc:h2:file:/ins7ght-h2-dbs/cib_ins7ght_db
    username: sa
    password: ${H2_PASSWORD}
    driver-class-name: org.h2.Driver
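
An added example, not part of the CIB ins7ght documentation or code base: a small Python lint that checks an application.yaml for the points made in this section (secrets given as ${ENV_VAR} placeholders, a PostgreSQL URL carrying sslmode=require or stricter) and, as an extension, flags polling URLs that use plain HTTP to a non-loopback host. The function names and the sample configuration are assumptions constructed for illustration; the parser handles only the nested key: value layout shown on this page.

```python
import re

SECRET_KEYS = {"password", "client-secret"}   # secret-bearing keys used on this page
PLACEHOLDER = re.compile(r"^\$\{\w+\}$")      # value is exactly ${ENV_VAR}
SSLMODES_OK = {"require", "verify-ca", "verify-full"}
REMOTE_HTTP = re.compile(r"^http://(?!(localhost|127\.0\.0\.1)([:/]|$))")

def iter_settings(yaml_text):
    """Yield (dotted.path, value) from nested 'key: value' lines (not a full YAML parser)."""
    stack = []  # (indent, key) of the enclosing mappings
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()            # drop trailing comments
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:          # leave deeper/sibling levels
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            yield ".".join(k for _, k in stack), value.strip().strip("\"'")

def audit(yaml_text):
    """Return sorted findings for the settings this page covers."""
    findings = []
    for path, value in iter_settings(yaml_text):
        if path.rsplit(".", 1)[-1] in SECRET_KEYS and not PLACEHOLDER.match(value):
            findings.append(f"{path}: literal secret, use a ${{ENV_VAR}} placeholder")
        if value.startswith("jdbc:postgresql:"):
            mode = re.search(r"[?&]sslmode=([\w-]+)", value)
            if not mode or mode.group(1) not in SSLMODES_OK:
                findings.append(f"{path}: PostgreSQL URL lacks sslmode=require or stricter")
        if path.startswith("polling.") and REMOTE_HTTP.match(value):
            findings.append(f"{path}: plain HTTP to a non-loopback host")
    return sorted(findings)

CONSTRUCTED_SAMPLE = """\
polling:
  engineRestUrl: http://engine.example.internal:8080/engine-rest
  auth:
    basic:
      password: s3cret-in-file
spring:
  datasource:
    url: jdbc:postgresql://db-host:5432/cibseven-optimize
    password: ${DB_PASSWORD}
"""

if __name__ == "__main__":
    print("\n".join(audit(CONSTRUCTED_SAMPLE)))
```

Run against the constructed sample, it reports the literal password, the remote plain-HTTP engine URL and the PostgreSQL URL without sslmode; the configurations shown on this page produce no findings.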

Logging

Configure logging in application.yaml:

logging:
  level:
    root: INFO
    de.cib.cibflow.ins7ght: DEBUG
    org.springframework.web: INFO
  file:
    name: /var/log/CIB ins7ght/application.log
    max-size: 100MB
    max-history: 30

Monitor the log for:

  • Polling errors (CIB seven connection failures)
  • Database connection issues
  • Authentication failures (for CIB seven connection)
  • Data import errors

Health Check

Check application status:

curl http://localhost:8899/info
