Secure configuration

In order to operate Web Portal securely, all involved software and infrastructure components (e.g. databases, operating system, container runtime, …​) have to be configured securely and must always be provided with the latest security patches.

Access to the cloud infrastructure and user administration are managed by Operations and Support.

Bosch Connected Industries recommends applying Security Benchmarks of the Center for Internet Security (https://www.cisecurity.org/) or comparable standards for secure configuration.

Embedding Web Portal in frames

Web Portal sends the Content-Security-Policy (CSP) header with the directive frame-ancestors 'self' to prevent clickjacking. This prevents Web Portal from being embedded in an iframe of another HTML application served from a different origin. Refer to the Mozilla Developer Network (MDN) documentation on frame-ancestors for further information.

To allow specific origins to embed Web Portal, extend the frame-ancestors directive with those origins (for example frame-ancestors 'self' https://intranet.example.com, where the host is a placeholder). Keep the list as short as possible: every listed origin can overlay or frame Web Portal, so each one widens the clickjacking surface.
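To see how a browser evaluates the directive before changing it, here is an added example (written for this page, not part of the Web Portal code) that parses a Content-Security-Policy header and decides whether a given embedding origin may frame the Web Portal page. The origins and the *.corp.example.com wildcard are assumed values for illustration. The matching rules follow CSP Level 3: 'self' is the page's own origin, a *. prefix matches subdomains only, an expression without a scheme accepts the page's scheme or its https upgrade, an expression without a port accepts only the scheme's default port, only the first frame-ancestors directive counts, and a policy without frame-ancestors does not fall back to default-src, so it permits framing by anyone.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}.
    Per the CSP spec only the first occurrence of a directive counts."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def parse_origin(origin):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # "*.example.com" matches subdomains only, never the bare "example.com"
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(expr, embedder, page):
    expr = expr.lower()
    scheme, host, port = embedder
    if expr == "'none'":
        return False
    if expr == "'self'":
        return embedder == page
    if expr.endswith(":") and "/" not in expr:
        return scheme == expr[:-1]          # scheme-source, e.g. "https:"
    # host-source: [scheme://]host[:port][/path]; the path is irrelevant for ancestors
    exp_scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    rest = rest.split("/", 1)[0]
    exp_host, exp_port = rest.rsplit(":", 1) if ":" in rest else (rest, None)
    if exp_scheme is not None:
        if scheme != exp_scheme:
            return False
    elif scheme != page[0] and not (page[0] == "http" and scheme == "https"):
        return False                        # no scheme given: page scheme or its https upgrade
    if not _host_matches(exp_host, host):
        return False
    if exp_port is None:
        return port == DEFAULT_PORTS.get(scheme)
    return exp_port == "*" or exp_port == str(port)


def frame_allowed(csp_header, embedder_origin, page_origin):
    """True if a page served with csp_header may be framed by embedder_origin."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True   # frame-ancestors does not fall back to default-src: no restriction
    embedder, page = parse_origin(embedder_origin), parse_origin(page_origin)
    return any(_source_matches(s, embedder, page) for s in sources)


if __name__ == "__main__":
    # Assumed origins for illustration; the portal host is a placeholder.
    portal = "https://portal.example.com"
    policy = "frame-ancestors 'self' https://*.corp.example.com"
    for origin in ("https://intranet.corp.example.com", "https://corp.example.com",
                   "http://intranet.corp.example.com", "https://attacker.example.net"):
        print(origin, "->", "allowed" if frame_allowed(policy, origin, portal) else "blocked")
```

Run a planned header value through frame_allowed with the origins you intend to permit and a few you do not; a result of True for a policy that merely lacks frame-ancestors is the case to watch for, because such a policy restricts nothing. IPv6 literals in host-sources are not handled by this small parser.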

TLS

The directory /etc/ssl/server must contain the server certificate and its private key used for serving TLS. It is defined as a volume so that installation-specific certificates can be mounted.

Note that the private key file should have permissions 600 and that the passphrase needs to be removed from the key file; otherwise it is requested at startup time and the container blocks. Alternatively, specify the directive proxy_ssl_password_file pointing to a file containing the key passphrase. A default TLS password store is already installed in /etc/ssl/server_keys.pass (server key) and /etc/ssl/proxy_keys.pass (proxy keys). Set the environment variable SERVER_KEY_PASS at run time to install a key passphrase suitable for a volume-mounted certificate key. Treat the password files and SERVER_KEY_PASS as secrets: inject them from the orchestrator's secret store rather than baking them into the image or a plain config map.
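The following pre-flight check, added here as an example and not part of the Web Portal image, verifies a mounted /etc/ssl/server volume against the points above before the container is started: the key file has mode 600, the key is not passphrase-protected (detected via the PEM markers of PKCS#8 and legacy OpenSSL encrypted keys) unless SERVER_KEY_PASS is set, and the certificate is present. The file names server.key and server.crt are assumed, the page does not specify them. The sample volume it builds contains placeholder PEM text, not real key material.

```python
import os
import stat
import tempfile

# PEM markers of a passphrase-protected key: PKCS#8 form and the legacy OpenSSL form
ENCRYPTED_KEY_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")


def is_encrypted_pem_key(path):
    """True if the PEM file carries an encryption marker in its first 4 KiB."""
    with open(path, encoding="ascii", errors="replace") as fh:
        head = fh.read(4096)
    return any(marker in head for marker in ENCRYPTED_KEY_MARKERS)


def check_server_volume(volume_dir, env, key_name="server.key", cert_name="server.crt"):
    """Pre-flight check of the mounted TLS volume; returns facts plus a list of findings.
    key_name/cert_name are assumed file names, the page does not fix them."""
    key_path = os.path.join(volume_dir, key_name)
    cert_path = os.path.join(volume_dir, cert_name)
    result = {"cert_present": os.path.isfile(cert_path), "key_present": os.path.isfile(key_path),
              "key_mode_ok": False, "key_encrypted": False, "findings": []}
    if not result["cert_present"]:
        result["findings"].append(f"certificate {cert_path} is missing")
    if not result["key_present"]:
        result["findings"].append(f"private key {key_path} is missing")
        return result
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    result["key_mode_ok"] = mode == 0o600
    if not result["key_mode_ok"]:
        result["findings"].append(f"{key_path} has mode {mode:04o}, expected 0600")
    result["key_encrypted"] = is_encrypted_pem_key(key_path)
    if result["key_encrypted"] and not env.get("SERVER_KEY_PASS"):
        result["findings"].append("key is passphrase-protected but SERVER_KEY_PASS is unset: "
                                  "startup would block on a passphrase prompt")
    return result


def build_sample_volume(encrypted, key_mode):
    """Create a throw-away directory with constructed placeholder PEM files (no real key material)."""
    volume_dir = tempfile.mkdtemp(prefix="ssl-server-")
    header = "ENCRYPTED PRIVATE KEY" if encrypted else "PRIVATE KEY"
    key_path = os.path.join(volume_dir, "server.key")
    with open(key_path, "w") as fh:
        fh.write(f"-----BEGIN {header}-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END {header}-----\n")
    os.chmod(key_path, key_mode)
    with open(os.path.join(volume_dir, "server.crt"), "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n")
    return volume_dir


if __name__ == "__main__":
    # A deliberately misconfigured sample: world-readable, passphrase-protected key, no SERVER_KEY_PASS.
    sample = build_sample_volume(encrypted=True, key_mode=0o644)
    for finding in check_server_volume(sample, env={})["findings"]:
        print("FINDING:", finding)
```

Run it against the real volume with check_server_volume("/etc/ssl/server", os.environ) from an init container or a Helm pre-install hook; an empty findings list means the key will be picked up without a prompt and is not readable by other users of the container.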

The hardening includes:

  • limiting the allowed TLS versions to 1.1, 1.2 and 1.3, nothing older. Note that TLS 1.0 and 1.1 are deprecated by RFC 8996; leave 1.1 enabled only if legacy clients still require it

  • limiting the allowed cipher suites to a set of secure algorithms

  • certificate validation turned on

  • a set of security headers is enforced

  • OCSP stapling is enabled. When using self-signed certificates this is skipped, as such certificates contain no OCSP or CRL information. A certificate bought from the Bosch trust center or a certificate the customer brings along carries this information, and stapling is then used

  • by default the server answers all other URLs and requests with status code 404

  • incoming HTTP requests are redirected to HTTPS

  • detailed structured logging for errors, access and a dedicated TLS log

  • two password files for the server key and the proxy keys are provided in /etc/ssl/; applications can add key passphrases to them via the Dockerfile environment

Volumes

  Volume              Content
  /etc/ssl/server/    Server and application keys and certificates
  /etc/ssl/trusted/   Trusted certificates


© Robert Bosch Manufacturing Solutions GmbH 2023-2026, all rights reserved
