PCI Compliance requirement to separate data from web scripting engine

4D Server v17R6
Windows Server 2012 R2 Std
Active4D v7.08

I was told today that a 4D solution we have deployed is not PCI compliant because the web scripting engine and the data reside on the same OS.

I’m reading the PCI documentation to verify this requirement is true.

If you have already encountered this and have a good answer, please respond.

Thanks!

I found this statement in the PCI requirements:

“2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.”

4D’s web server exists on the same machine as the database server.

Our configuration has nginx in front of 4D’s web server doing SSL termination, and preventing many invalid requests from coming into 4D Server.

I may be able to demonstrate that the combination of nginx and 4D’s web server functionality prevents access to resources outside the default web folder, which in this case only has static content.

Please chime in if you are familiar with this requirement.

It’s pretty easy to move the 4D web server to a dedicated 4D Client instance (real or virtual).

I was using the web server on 4D client however with version 18 we can no longer use the client local folder.

This means client has to run under a user’s profile.

https://forums.4d.com/Post/EN/30742975/1/30761022#30761022

I’m not sure how this works if you want to run the client as a Windows service.

At the moment I’m holding off on version 17R4 as this is the last one that supports the local folder.

Paul

This means client has to run under a user’s profile.
Yes. You should run both Server and Client under a user’s profile.
See documentation: https://doc.4d.com/4Dv18/4D/18/Registering-a-Database-as-a-Service.300-4672427.en.html

This is not new in v18; we have recommended that since Microsoft Windows Server 2008. This is related to the operating system, not to 4D.

I am aware of running the server as a service; that is straightforward. It’s the 4D Client web server as a service where it’s unclear.
Paul

David,

How are you serving the main website? The way I have things set up probably complies.

  1. Nginx virtual machine to proxy requests.
  2. Plesk virtual machine using Apache, which serves the static website, in our case Joomla.
  3. Windows VM for 4D, which serves the database web pages for specific 4D stuff, and 4D client/server.
  4. Nginx also serves the static content for 4D, e.g. CSS, etc.

I have all of this running on Windows using Hyper-V. So you need three virtual machines, which probably meets the PCI requirement.

Paul
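For the nginx-in-front arrangement David describes above and the separate-VM layout in Paul’s list, here is an added example configuration (not from this thread, and not 4D’s or nginx’s own documentation) of nginx terminating TLS, serving the static content itself, and forwarding only one application path to a 4D web server running on a separate host. The hostname, certificate paths, upstream address, static directory and the /app/ prefix are assumptions.

```nginx
# Added example: nginx as TLS-terminating reverse proxy in front of 4D's web
# server. Everything not explicitly routed below is rejected by nginx and never
# reaches 4D. All hostnames, paths, addresses and ports are assumed values.

upstream fourd_web {
    # 4D Server, or a dedicated 4D Client running the web server, on its own VM
    server 10.0.1.20:8080;          # assumed address and 4D web server port
}

server {
    listen 80;
    server_name app.example.com;    # assumed hostname
    return 301 https://$host$request_uri;   # force TLS for every request
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/certs/app.example.com.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    client_max_body_size 1m;        # cap request bodies before they reach 4D

    # Static content (CSS, images, JS) is served by nginx, never by 4D
    location /static/ {
        root /var/www/app;          # assumed directory holding /static/
        try_files $uri =404;        # no directory listing, no fallback
    }

    # Only the application prefix is forwarded to 4D; the prefix is assumed
    location /app/ {
        proxy_pass http://fourd_web;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 30s;
    }

    # Any other path is answered here, so 4D's default web folder is not
    # reachable through the proxy at all
    location / {
        return 404;
    }
}
```

nginx’s URI normalisation rejects `..` segments that escape the root with a 400 before these locations are evaluated, so the static block cannot be used to walk outside /var/www/app.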

Jeffrey,

This suggestion is most likely the solution.

Thanks

Paul,

This instance uses nginx for reverse proxy and SSL termination, and also for serving static content.

I believe we’ll have to run 4D Remote as web server to comply with the separation requirement in PCI.

Thanks

Thomas,

This post helps me with some other v17R6 issues.

Thanks