Nexeed Learning Portal

preview 5.24

Secure configuration

In order to operate Web Portal securely, all involved software and infrastructure components (e.g. databases, operating system, container runtime, ...) have to be configured securely and always be provided with the latest security patches.

Access to the cloud infrastructure and user administration are managed by Operations and Support.

Bosch Connected Industries recommends applying Security Benchmarks of the Center for Internet Security (https://www.cisecurity.org/) or comparable standards for secure configuration.

Embedding Web Portal in frames

Web Portal sends the Content-Security-Policy (CSP) header frame-ancestors 'self' to prevent clickjacking attack scenarios. This prevents Web Portal from being embedded in an iframe of another HTML application. Refer to the Mozilla Developer Network (MDN) for further information.

To allow embedding by specific domains, the frame-ancestors directive of the header can be extended with those origins.
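Before extending the directive in production, it helps to verify what a candidate frame-ancestors value actually admits. The following is an added example (not Web Portal code) that applies simplified CSP3 source matching to an origin; the portal and MES origins and the extended header are constructed placeholders.

```python
from urllib.parse import urlsplit

def parse_frame_ancestors(csp_header):
    """Return the source list of the frame-ancestors directive, or None if the header has none."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def _host_matches(pattern_host, host):
    # "*.example.com" matches any subdomain but not the bare apex, as in CSP3
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:]) and host != pattern_host[1:]
    return pattern_host == host

def _source_matches(source, ancestor, page_origin):
    """Match one source expression against one ancestor origin (simplified CSP3 rules)."""
    if source == "'self'":
        return ancestor == page_origin
    if source.endswith(":") and "/" not in source:   # scheme-source such as "https:"
        return urlsplit(ancestor).scheme == source[:-1]
    scheme, _, hostport = source.rpartition("://")    # host-source, scheme optional
    a = urlsplit(ancestor)
    if scheme and scheme != a.scheme and not (scheme == "http" and a.scheme == "https"):
        return False
    p_host, _, p_port = hostport.partition(":")
    if p_port and p_port != str(a.port or ""):        # an explicit port must match exactly
        return False
    return _host_matches(p_host, a.hostname or "")

def framing_allowed(csp_header, ancestor_origin, page_origin):
    """True if a page from page_origin served with csp_header may be framed by ancestor_origin."""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:          # no directive: CSP imposes no framing restriction
        return True
    if "'none'" in sources:
        return False
    ancestor = ancestor_origin.lower().rstrip("/")
    page = page_origin.lower().rstrip("/")
    return any(_source_matches(s, ancestor, page) for s in sources)

# Constructed origins for illustration: the 'self' default extended by one trusted MES origin.
PORTAL = "https://portal.example.com"
EXTENDED = "frame-ancestors 'self' https://*.mes.example.com"
```

Note that the wildcard admits subdomains only, so an apex host or a plain-HTTP ancestor is still rejected by the extended header.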

TLS

The directory /etc/ssl/server should contain the server certificate for serving TLS. It is defined as a volume so that installation-specific certificates can be installed.

Note that the private key of the certificate should have permissions 600 and that the password needs to be removed from the key file; otherwise it will be requested at startup time. Alternatively you can specify the directive proxy_ssl_password_file with the secret key password. A default TLS password store is already installed in /etc/ssl/server_keys.pass and /etc/ssl/proxy_keys.pass respectively. Set the environment variable SERVER_KEY_PASS at run-time to install a key password suitable for a volume-mounted certificate key.
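A pre-flight check for the two conditions above (key permissions and a password-protected key without SERVER_KEY_PASS) catches the startup prompt before a container is deployed. This is an added example, not Web Portal tooling; the PEM bodies are constructed placeholders and the scratch directory stands in for /etc/ssl/server.

```python
import os
import stat
import tempfile

# Constructed PEM bodies (placeholders, not real keys): only the armour and headers matter here.
PLAIN_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
PKCS8_ENCRYPTED_KEY = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFplaceholder\n-----END ENCRYPTED PRIVATE KEY-----\n"
LEGACY_ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        b"placeholder\n-----END RSA PRIVATE KEY-----\n")

def is_encrypted_pem(data):
    """Detect both PKCS#8 and legacy OpenSSL password-protected key encodings."""
    head = data[:512]
    return b"BEGIN ENCRYPTED PRIVATE KEY" in head or b"Proc-Type: 4,ENCRYPTED" in head

def key_file_findings(path, env):
    """Return the problems that would make this key insecure or block an unattended start."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        findings.append("mode %o, expected 600" % mode)
    with open(path, "rb") as f:
        data = f.read()
    if is_encrypted_pem(data) and not env.get("SERVER_KEY_PASS"):
        findings.append("key is password-protected but SERVER_KEY_PASS is unset; "
                        "the password would be prompted at startup")
    return findings

def demo():
    """Check the constructed keys in a scratch directory standing in for /etc/ssl/server."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        samples = [("plain.key", PLAIN_KEY, 0o600),
                   ("pkcs8.key", PKCS8_ENCRYPTED_KEY, 0o644),
                   ("legacy.key", LEGACY_ENCRYPTED_KEY, 0o600)]
        for name, body, mode in samples:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(body)
            os.chmod(p, mode)
            results[name] = key_file_findings(p, {})
        # same legacy key, but with the password supplied through the environment
        results["legacy.key+pass"] = key_file_findings(os.path.join(d, "legacy.key"),
                                                       {"SERVER_KEY_PASS": "constructed"})
    return results
```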

The hardening includes:

  • limiting the allowed TLS versions to 1.1, 1.2 and 1.3 but nothing older

  • limiting the allowed cipher suites to a set of secure algorithms

  • certificate validation turned on

  • some security headers are enforced

  • OCSP stapling is enabled. Note that when using self-signed certificates this will be skipped, as these certificates do not contain OCSP or CRL information. When a certificate bought from the Bosch trust center or a certificate brought by the customer is used, the OCSP response will be delivered and used.

  • By default the server answers all other URLs and requests with status code 404

  • HTTP is redirected to HTTPS for incoming requests

  • detailed logging using structured logging for errors, access and a special TLS log

  • Two password files are provided for the server key and the proxy keys in /etc/ssl/, where key passwords can be added by applications via the Dockerfile environment

Volumes

Volume              Content
/etc/ssl/server/    Server and application keys and certificates
/etc/ssl/trusted/   Trusted certificates

© Robert Bosch Manufacturing Solutions GmbH 2023-2025, all rights reserved