CSP Gateway Configuration Guide - InterSystems Documentation
CSP Gateway Configuration Guide - InterSystems Documentation
CSP Gateway Configuration Guide - InterSystems Documentation
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Conventions Used in this Document<br />
1.8.1 <strong>Gateway</strong> components and physical installation paths<br />
Later sections in this guide describe how the <strong>Gateway</strong> components should be configured with all supported web servers.<br />
The installation paths for components should be regarded as examples rather than taken literally. Also, the <strong>InterSystems</strong><br />
installers will create and maintain separate <strong>Gateway</strong> installations for the internal (private) web server and any third-party<br />
web server that might be present on the same host. In this context ‘third-party web server’ refers to a web server that is not<br />
part of the software installed by <strong>InterSystems</strong>.<br />
The precise installation location of <strong>Gateway</strong> components is not particularly critical provided:<br />
• The physical installation paths match those given in the hosting web server configuration where appropriate.<br />
• The security settings, in relation to required access for individual components, are adjusted appropriately. This is particularly<br />
important for <strong>Gateway</strong> components that are accessed directly by the web server since web servers are usually<br />
locked down to the extent that the files they are able to access (and executables that can be run) are carefully controlled.<br />
It should be borne in mind that security considerations will also be important for any <strong>Gateway</strong> configuration (and log)<br />
files that are accessed by <strong>Gateway</strong> binaries that are themselves bound to the web server core executable.<br />
• The security policy of the hosting web server is respected. Some web servers – notably those shipped with Secure<br />
Linux (SELinux) and OpenVMS (HPSWS) – are configured such that it is not possible for them to access files that lie<br />
outside their own file system. This restriction will clearly have an impact on where certain web-server-facing <strong>Gateway</strong><br />
components can be installed.<br />
There are four types of <strong>Gateway</strong> component to consider.<br />
1. Binaries to be loaded by the web server (API based extensions).<br />
This includes Windows DLLs, UNIX Shared Objects and OpenVMS Shareable Images:<br />
<strong>CSP</strong>ms[Sys].dll<br />
<strong>CSP</strong>n3[Sys].(dll|so|exe)<br />
<strong>CSP</strong>a*[Sys].(dll|so)<br />
mod_csp*.(so|exe)<br />
The physical location where these are installed should match the corresponding configuration directives in the hosting<br />
web server configuration. This includes directives indicating which third-party modules should be loaded. The web<br />
server requires permission to read and load these modules. Modules named <strong>CSP</strong>* require permission to read and write<br />
to the <strong>Gateway</strong> configuration and log files (<strong>CSP</strong>.ini, <strong>CSP</strong>.log). These are usually created in the same location as the<br />
<strong>Gateway</strong> binaries.<br />
When considering access control for these modules, bear in mind that it is the web server worker processes that need<br />
to be able to access the modules together with any dependent configuration and log files. For example, in the case of<br />
Apache, the server is usually started with superuser permissions but the worker processes that actually serve web<br />
requests run with a much lower level of authority (as indicated by the User and Group directives in the Apache configuration<br />
file). It is the User and Group specified for the worker processes that should be granted permission to load the<br />
<strong>Gateway</strong> modules and (where appropriate) the ability to read and write to the configuration and log files (<strong>CSP</strong>.ini and<br />
<strong>CSP</strong>.log).<br />
2. Executables to be called by the web server (CGI modules).<br />
[nph-]<strong>CSP</strong>cgi[Sys][.exe]<br />
The physical location where these are installed should match the corresponding configuration directives in the hosting<br />
web server configuration. This will include directives indicating which web requests should be processed by these CGI<br />
modules.<br />
The worker processes of the hosting web server require execute permission for these modules. There are no further<br />
dependencies.<br />
<strong>CSP</strong> <strong>Gateway</strong> <strong>Configuration</strong> <strong>Guide</strong> 7