October 24, 2014
Posted by on
We are using NServiceBus and the awesome new suite of monitoring tools, and go-live is just around the corner. We are hosting our audit and error queues on a dedicated audit server, as recommended, along with ServiceControl and ServicePulse. How do we configure authorization for the ServicePulse website to allow a select group of IT Ops users to access the site without opening up access to the whole company?
By default, ServicePulse runs as a self hosted web server with no option to add authentication or authorization:
Hosting ServicePulse in IIS
However, ServicePulse also has a feature for extracting website files to a folder, like this:
C:\Program Files (x86)\Particular Software\ServicePulse>ServicePulse.Host.exe --extract --serviceControlUrl="http://localhost:33333/api" --outPath="C:\temp\SpWeb"
This enables you to create your own IIS website with a few clicks:
And now you have an IIS-hosted ServicePulse website to which you can add Windows auth or another authentication and authorization mechanism:
So What About ServiceInsight?
Unfortunately, Particular Software does not yet provide a means for enabling user-level authorization on the ServiceControl REST API, so the options for accessing ServiceInsight are:
- Leave the SC REST API as only accessible on the server (default behavior), which requires users to remote into the server to use ServiceInsight
- Set a custom host name for the SC REST API and expose it to everyone on the network
Neither of these options feel very satisfying to me. Please add any thoughts and suggestions here: https://github.com/Particular/ServiceControl/issues/400
If you are setting up a new NServiceBus installation or are upgrading to the Particular Platform from an older version of NServiceBus, I hope this post helps you secure your ServicePulse dashboard.