We are currently running CSI 9.01.12 on-premises. We are about to launch a REST server to the Internet (with authorized access, of course) to have CSI queried by external sources.
First, the REST API I am referring to is not the one that is part of Infor OS. I am referring to the REST API that looks like this: http(s)://UTILITY_SERVER/IDORequestService/MGRestService.svc/BLAH_BLAH_BLAH_BLAH_LBAH
We currently have two Utility Servers: LAN and DMZ. The LAN Utility Server has all features installed. The DMZ server only has the IDO Runtime Service configured to forward requests to the LAN Utility Server. Both servers are configured only to accept HTTPS connections to avoid data leakage during transmission. Testing has gone extremely well and we are getting close to a launch. Before we do launch, I want to be sure I've secured the system as much as humanly possible.
To connect to the REST server, the user needs:
- An active CSI Service (my definition) account
- An Automation license
- Definitions in their Middleware form for permissions used to access the IDOs
Is there a way to block users that do not fit that description from connecting? End-user accounts do not get Middleware permissions, so I am not too concerned about them. I am more concerned about the "sa" account attempting to sign in as that account can do anything regardless of modules.
Are there any other account security options I need to be aware of aside from the Middleware/Automation requirements?
I am trying to stick with this REST service as it requires no Infor DLLs at all to interface with CSI. I will add any additional information as needed.
Thank you in advance!
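One way to turn the three requirements above into an enforceable gate at the DMZ layer, added here as an example and not code from the original post or from Infor: a small Python allowlist check plus an audit pass over proxy-style access logs that flags any REST request authenticated as "sa" or as an account that is not an approved service account. The account names, the log line format, and the helper names are constructed assumptions for this example; the REST path prefix is the one quoted in the post.

```python
"""Allowlist gate and log audit for a CSI REST endpoint exposed through a DMZ."""
import re
from typing import Iterable, List, NamedTuple, Tuple

# Hypothetical allowlist of CSI service accounts that hold an Automation license
# and have Middleware permissions defined (assumption for this example).
ALLOWED_SERVICE_ACCOUNTS = frozenset({"svc_automation", "svc_edi"})

# Accounts that must never authenticate through the public REST path.
BLOCKED_ACCOUNTS = frozenset({"sa"})

# Path prefix of the REST service, as given in the post.
REST_PREFIX = "/IDORequestService/MGRestService.svc/"

# Constructed access-log format: client, authenticated user, method, path, status.
LOG_LINE = re.compile(
    r"^(?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines, as a reverse proxy in the DMZ might record them.
SAMPLE_LOG = """\
203.0.113.10 svc_automation GET /IDORequestService/MGRestService.svc/ido/load/SLItems 200
203.0.113.10 sa GET /IDORequestService/MGRestService.svc/ido/load/SLItems 200
198.51.100.7 jsmith POST /IDORequestService/MGRestService.svc/ido/update/SLCustomers 200
203.0.113.44 svc_edi GET /IDORequestService/MGRestService.svc/ido/load/SLCoItems 200
203.0.113.10 svc_automation GET /healthcheck 200
"""


class Finding(NamedTuple):
    client: str
    user: str
    path: str
    severity: str
    reason: str


def gate_decision(user: str, path: str) -> Tuple[bool, str]:
    """Decide whether one authenticated request to the REST path should be allowed."""
    if not path.startswith(REST_PREFIX):
        return True, "not a REST path; out of scope"
    if user.lower() in BLOCKED_ACCOUNTS:
        return False, "blocked account"
    if user not in ALLOWED_SERVICE_ACCOUNTS:
        return False, "account not on service-account allowlist"
    return True, "allowed"


def audit_log(lines: Iterable[str]) -> List[Finding]:
    """Run the gate over each log line and return the requests that should have been refused."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = LOG_LINE.match(line)
        if match is None:
            findings.append(Finding("?", "?", "?", "warn", f"unparsed line: {line}"))
            continue
        user, path = match["user"], match["path"]
        allowed, reason = gate_decision(user, path)
        if allowed:
            continue
        # An "sa" sign-in through the public endpoint is the case the post is most worried about.
        severity = "high" if user.lower() in BLOCKED_ACCOUNTS else "medium"
        findings.append(Finding(match["client"], user, path, severity, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG.splitlines()):
        print(f"[{finding.severity}] {finding.client} {finding.user} {finding.path}: {finding.reason}")
```

The same `gate_decision` logic can sit in front of the DMZ forwarder so that a request is refused before it ever reaches the LAN Utility Server, while `audit_log` gives a retrospective view of which accounts actually reached the endpoint; the account list is a stand-in for whatever source of truth holds the licensed service accounts.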