EAI Guy.net

Enterprise Applicaiton Integration and SOA 2.0

Monthly Archives: October 2014

Securing ServicePulse

We are using NServiceBus and the awesome new suite of monitoring tools, and go-live is just around the corner. We are hosting our audit and error queues on a dedicated audit server, as recommended, along with ServiceControl and ServicePulse. How do we configure authorization for the ServicePulse website to allow a select group of IT Ops users to access the site without opening up access to the whole company?

Self-Hosted Default

By default, ServicePulse runs as a self hosted web server with no option to add authentication or authorization:

ServicePulseHosted

Hosting ServicePulse in IIS

However, ServicePulse also has a feature for extracting website files to a folder, like this:

C:\Program Files (x86)\Particular Software\ServicePulse>ServicePulse.Host.exe --extract --serviceControlUrl="http://localhost:33333/api" --outPath="C:\temp\SpWeb"

This enables you to create your own IIS website with a few clicks:

IIS-CreateWebsite

And now you have an IIS-hosted ServicePulse website to which you can add Windows auth or another authentication and authorization mechanism:

ServicePulseHostedByIIS

So What About ServiceInsight?

Unfortunately, Particular Software does not yet provide a means for enabling user-level authorization on the ServiceControl REST API, so the options for accessing ServiceInsight are:

  1. Leave the SC REST API as only accessible on the server (default behavior), which requires users to remote into the server to use ServiceInsight
  2. Set a custom host name for the SC REST API and expose it to everyone on the network

Neither of these options feel very satisfying to me. Please add any thoughts  and suggestions here: https://github.com/Particular/ServiceControl/issues/400

Summary

If you are setting up a new NServiceBus installation or are upgrading to the Particular Platform from an older version of NServiceBus, I hope this post helps you secure your ServicePulse dashboard.