Security Developer Guide
SS-Console is an OSGI based application, developed using Apache-Felix framework and deployed into Apache-Karaf runtime. SSL/TLS and PGP encryption is used to secure HTTP tunnels and data exchange.
Components and Version details:
| No | Component | Version | Details |
|---|---|---|---|
| 1 | Felix | 4.2.1 | OSGI Framework |
| 2 | Karaf | 3.0.5 | OSGI Runtime |
| 3 | Jetty | 8.1.x | Web-Server |
| 4 | Derby | 10.12.1.1 | Database |
| 5 | OpenJPA | 2.3.0 | JPA 2.0 |
| 6 | BouncyCastle | 1.52 | Cryptography Library |
(More details in General Security Architecture).
| No | OSGI Module | Description |
|---|---|---|
| 1 | identity-manager | Manages authentication and authorization, sessions and RBAC. Main Module that controls overall system identity and access permissions. |
| 2 | channel-manager | Controls HTTP/HTTS tunnels. Intercepts all incoming and outgoing requests, applies encryption, authorizes Web Tokens. |
| 3 | security-Manager | Contains services and tools for message encryption/decryption, PGPKey,x509 Certs management. Stores PGP private keys. |
| 4 | object-relation-manager | Manages relations between objects. (Object oriented Security) |
| 5 | key-server | PGP KeyServer. Stores and manages PGP Public keys. Server is not public and available only for authorized access. |
- Overview
Channel-manager and Identity-manager are the main bundles that manage authentication and authorization. SS uses JAAS as LoginModule for the system (including Karaf-Console). Channel-Manager (AccessControlInterceptor) intercepts (catch) all incoming HTTP/HTTS requests, applies authn&authz and propagates it downstream (next services).
Overall SS Authn&Authz diagramm:
- JAAS LoginModule
Identity-manager bundle overrides Apache Karaf's default JAAS module, by implementing custom.
That is, Karaf-Console and SS-Console use same identity management (users, roles).
To override default Karaf JAAS module, OSGI-bundle configuration file should add custom JAAS settings.
SystemLoginModule class overrides Karaf's login module.
- Authentication
Service consumer or user can be authenticated in three ways:
- Username & Password
- JWToken
- PGPKey
All HTTP requests are intercepted by "Channel-Manager", authenticated by JAAS LoginModule and propagated further.
Authentication entities:
| No | Field | Description | Details |
|---|---|---|---|
| 1 | userName | Username | ... |
| 2 | password | Password. Salted hash of the password. | ... |
| 3 | salt | Salt used for password hash | ... |
| 4 | securityKeyId | ID of the securityKey of the user. | ... |
| 5 | trustLevel | The trust level of the user | ... |
| 6 | authId | Authentication ID used to authenticate user with PGPKeys | ... |
| 7 | ... | ... | ... |
| No | Field | Description | Details |
|---|---|---|---|
| 1 | tokenId | ID of the Token | |
| 2 | secret | Secret key for HMAC | |
| 3 | type | Token type | Values: System, Regular |
| 4 | ... | ... | ... |
- Authorization