Bluemix is a Cloud Foundry compatible platform-as-a-service. For small applications the server should be able to run in a free or low-cost tier, which however does not include supported MongoDB service. There is a paid Mongo service available within Bluemix or you can use an external service. The mlab sandbox is an example of a free, non-production service.
If using an external Mongo service that does not provide fully encrypted connections for all data transmission you should be sure to use the ScriptRemote end-to-end encryption feature whenever the data is sensitive.
Bluemix apps automatically provide TLS using an IBM certificate so there is no requirement to have your own domain name and certificate for the ScriptRemote server.
The app will be pushed to Bluemix from a local repository using the Cloud Foundry command line utility cf. Install cf on your system from:
Cloud Foundry CLIThen login to Bluemix:
>$ cf login
>$ cd ~ (or your preferred install location) >$ npm install scriptremote --production >$ mv node_modules/scriptremote .
First set up an email forwarding account. This will be used to
send security-related messages and user notifications.
Rather than using an existing account, you may want to create one
just for this purpose.
Then copy the sample credentials file and substitue your values
for the MAILER dummy values:
>$ cd scriptremote >$ cp credentials.env .env >$ chmod 600 .env >$ vim .env
Some services are stricter than others about relaying mail. To help ensure that mail can be sent choose the same provider as expected for registered user emails, and set MAILER_FROM to the same address as MAILER_EMAIL_ID. If users will have a variety of email providers then consider using a service like mailgun. Any mailing errors will be logged to the console. If there is a problem it will probably first show up when registering the admin user below.
Second, generate a random string for the session middleware. For example:
>$ openssl rand -base64 32Substitute the result for the
SESSION_SECRET value in .env
Third, specify the url and credentials for your Mongo service by
substituting a value for MONGO_URL in .env.
The manifest.yaml file contains parameters for the push, such as the app name and memory allocation.
>$ cf pushBluemix will print the url assigned to the app at the end of the push process.
If the app is pushed again with the same manifest it will replace
the earlier instance, but the mongo database contents will carry
over to the new instance. The Mongo CLI provides a way to connect
to a database and make changes manually, if necessary.
Check that the server can be reached in your browser at the url obtained above. The protocol should be https.
Select Login/Register on the home screen and then Register Here on the login screen. The registration screen should display a message that the admin account is being registered.
Continue the registration by entering at least an email and password, and by selecting one of the options for registration of other users. The default is to allow other users to register themselves. You can also select a timeout for idle sessions.
A confirmation email should be sent to the registered address. Complete the registration by clicking the link in the email or by submitting the token value from the email into the form displayed when attempting to login.
Return to the home page and login using the admin account.
Get script credentials by selecting Settings in menu bar and then selecting Generate in the API Credentials section. The User Id and Token values will be needed to authenticate messages to the server from scripts running in the private network.
Copy the API credentials obtained above to a machine in the private
network. Get the bash utility script scriptremote/public/dist/srio.sh
from the local scriptremote installation.
Set SRSERVER to the url of your Bluemix server,
by editing the script or as an environment variable. If the script will run behind a
web proxy it may
also be necessary to set the HTTPS_PROXY environment variable.
>$ export SRSERVER=https://<your-url>Create a simple test:
>$ cat > test.sh
#!/bin/bash
. ./srio.sh
SR_start ${SRUSER} ${SRTOKEN} 'myproject' 'myjob'
SR_set 'msg1' 'Hello World' 'false'
SR_send 'mylocation'
SR_end
Export the API credentials to the test script and run it:
>$ export SRUSER=<your-userid> >$ export SRTOKEN=<your-token> >$ bash test.shCheck that the test message can be viewed in the browser by selecting Projects in the menu bar.
If the script fails with a certificate verification error it may mean that there is no CA cert store available in the test machine OS. In that case you would need to install a root certificate.
Since the admin has elevated priviledges to do things like viewing user details and registering new users, it is best for security purposes to minimize use of that account. Instead register as a normal user for actual projects. This will require a different email address from the one used for admin registration.
Bluemix logs server responses by default.
The logs can be viewed in the Bluemix dashboard or
using the cf logs command.
It is recommended to monitor them
for signs of instrusion, such as an unknown source ip
successfully accessing an endpoint other than the
root or documentation.
You may want to enable limits on the amount of message data that can be sent to the server, for example to help protect against scripting errors that could produce very large or very many messages. The available limits are defined in
config/env/all.jsAny of them may be set as environment variables prior to starting the server. An easy way to do this with Bluemix is to add them to the .env file.