Skip to content

Secure Deployment Recommended Configurations

The default KX Delta Platform deployment is designed to be unrestricted. To enable secure deployments, the following configurations are recommended in the Install Config.

Delta Control secure parser

DELTACONTROL_SECURE_PARSER=YES

Delta Control includes a secure parser that, when enabled, ensures all queries are tightly permissioned at the function level. This ensures the calling user is allowed access to that function and data.

The functionality is disabled by default but can be enabled through an environment variable in delta.profile by setting DELTACONTROL_SECURE_PARSER=YES.

The secure parser handles the parsing and enforcement of incoming requests. It inspects the request format and checks whether the calling user is entitled to run it.

With the secure parser enabled, users are restricted to calling named APIs only. The logic then checks what APIs the user is entitled to call and executes or rejects depending on the permissions. If not enabled, a legacy query parser is used. However this isn’t the recommended mode as the performance and security are not optimal.

Administrators are entitled to call all APIs but also are not restricted to API-only. They can execute strings and lambdas.

Delta Control TLS encryption

tls-encryption-enabled=1
tls-encryption-mixed-mode=0
ssl-server-cert-file=<certs path>/server-cert.pem
ssl-server-key-file=<certs path>/server-private-key.pem
ssl-ca-cert-file=<certs path>/ca-cert.pem
ssl-client-cert-file=<certs path>/client-cert.pem

Enabling TLS in Delta Control ensures all communication to and from the Leader process is TLS enabled. This causes all kdb processes started by Control to open handles to the Control leader using TLS. You can allow non-TLS communication to Control by setting mixed mode to 1.

Note

This does force interprocess communication outside of Control to be TLS encrypted. TLS communication involves an overhead in messaging, which is undesirable when fast updates are the goal. You can configure interprocess TLS through instance config post deploy.

These settings also ensure communication from Daemon and Appserver is secured. During installation the certificates provided above are compiled into $DELTA_HOME/delta-bin/config/tls-certs/keystore.jks for use by Java processes to open TLS connections to Control.

Tomcat https

app-server-install-type=2
tomcat-keystore-file=<certs path>/keystore
tomcat-keystore-password=changeit
tomcat-keystore-alias=tomcat
tomcat-ssl-ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

This enables HTTPS ports for the Tomcat web UI. The java application requires the certificates in a Java keystore file prior to installation. This keystore file is appended to $DELTA_HOME/delta-bin/config/tls-certs/keystore.jks with the alias tomcat.

You can restrict which ciphers are allowed using tomcat-ssl-ciphers.

Access restrictions

DELTACONTROL_REQUIRE_URL_VALIDATION=YES

By default, new users have access to any of the UI components, including Control, Analyst, and Dashboards. DELTACONTROL_REQUIRE_URL_VALIDATION set to YES prevents new users from accessing any URL unless explicitly permissioned by User Groups post deploy. Administrator users still retain full access to all URLs.

DELTACONTROL_HTTP_MODE=DISABLED

By default, users can perform POST and GET requests with Platform kdb processes through HTTP. These requests are listed, which means only authorized requests are executed. To prevent users from making HTTPS requests, you should disable this feature entirely.

Analyst Restrictions

Analyst is an IDE environment for connecting to kdb processes. Users can create their own sandbox environment, which can have unprotected access to system commands. To disable this you need to create an Entity Group CxSandbox. Only users with permissions in this Entity Group are allowed to launch Analyst Sandbox environments.

AXFS_ALLOW_LIST=<install path>
AXFS_DENY_LIST=<install path>/delta-bin/config

Analyst has a built-in file browser that can access the file system. To restrict access to Analyst users, you need to set AXFS_ALLOW_LIST and AXFS_DENY_LIST. These are comma-separated lists of full paths. By setting AXFS_ALLOW_LIST to your install directory you ensure users cannot browse files outside of your install. By setting AXFS_DENY_LIST to the config directory you ensure users cannot view your licenses or tls serts.