Security Developer Guide
SS-Console is an OSGi-based application, developed on the Apache Felix framework and deployed into the Apache Karaf runtime. SSL/TLS and PGP encryption are used to secure HTTP tunnels and data exchange.
Components and Version details:
No | Component | Version | Details |
---|---|---|---|
1 | Felix | 4.2.1 | OSGI Framework |
2 | Karaf | 3.0.5 | OSGI Runtime |
3 | Jetty | 8.1.x | Web-Server |
4 | Derby | 10.12.1.1 | Database |
5 | OpenJPA | 2.3.0 | JPA 2.0 |
6 | BouncyCastle | 1.52 | Cryptography Library |
(More details in General Security Architecture).
No | OSGI Module | Description |
---|---|---|
1 | identity-manager | Manages authentication and authorization, sessions and RBAC. Main Module that controls overall system identity and access permissions. |
2 | channel-manager | Controls HTTP/HTTPS tunnels. Intercepts all incoming and outgoing requests, applies encryption, authorizes web tokens. |
3 | security-manager | Contains services and tools for message encryption/decryption and for PGP key and X.509 certificate management. Stores PGP private keys. |
4 | object-relation-manager | Manages relations between objects. (Object oriented Security) |
5 | key-server | PGP KeyServer. Stores and manages PGP Public keys. Server is not public and available only for authorized access. |
- Overview
Channel-manager and identity-manager are the main bundles that manage authentication and authorization. SS uses JAAS as the LoginModule for the whole system (including the Karaf console). Channel-manager's AccessControlInterceptor intercepts all incoming HTTP/HTTPS requests, applies authentication and authorization, and propagates the request downstream to the next services.
Overall SS authentication and authorization diagram:
- JAAS LoginModule
The identity-manager bundle overrides Apache Karaf's default JAAS module by implementing a custom one.
As a result, the Karaf console and SS-Console use the same identity management (users, roles).
To override the default Karaf JAAS module, the OSGi bundle configuration file must add the custom JAAS settings.
The SystemLoginModule class overrides Karaf's login module.
- Authentication
A service consumer or user can be authenticated in one of three ways:
- Username & Password
- JWToken
- PGPKey
All HTTP requests are intercepted by channel-manager, authenticated through the JAAS LoginModule and then propagated further.
Authentication entities:
No | Field | Description | Details |
---|---|---|---|
1 | userName | Username | ... |
2 | password | Password. Salted hash of the password. | ... |
3 | salt | Salt used for password hash | ... |
4 | securityKeyId | ID of the securityKey of the user. | ... |
5 | trustLevel | The trust level of the user | ... |
6 | authId | Authentication ID used to authenticate user with PGPKeys | ... |
7 | ... | ... | ... |
No | Field | Description | Details |
---|---|---|---|
1 | tokenId | ID of the Token | |
2 | secret | Secret key for HMAC | |
3 | type | Token type | Values: System, Regular |
4 | ... | ... | ... |
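The following is an added example, not SS-Console's own (Java/OSGi) code: it shows the verification logic behind the username/password and JWToken methods listed above, using the userName/password/salt fields of the user entity and the tokenId/secret/type fields of the token entity. PBKDF2-HMAC-SHA256 for the salted password hash and an HS256-style JWT layout are assumptions; the page does not specify either.

```python
import base64
import hashlib
import hmac
import json
import os

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is assumed here; the page does not name the hash used for the "password" field.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(user_name: str, password: str) -> dict:
    # Constructed user record with the userName, salt and password fields from the table above.
    salt = os.urandom(16)
    return {"userName": user_name, "salt": salt, "password": hash_password(password, salt)}

def verify_password(user: dict, candidate: str) -> bool:
    # Re-derive the hash with the stored salt and compare in constant time.
    return hmac.compare_digest(user["password"], hash_password(candidate, user["salt"]))

def issue_token(token_rec: dict, subject: str, ttl_seconds: int, now: int) -> str:
    # HS256-style JWT; the token record supplies tokenId (as the "kid" header), secret and type.
    header = b64url(json.dumps({"alg": "HS256", "kid": token_rec["tokenId"]}).encode())
    claims = {"sub": subject, "type": token_rec["type"], "exp": now + ttl_seconds}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(token_rec["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token_rec: dict, token: str, now: int):
    # Returns the claims when the HMAC matches the record's secret and "exp" is in the future, else None.
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("kid") != token_rec["tokenId"]:
            return None  # token was not issued under this token record
        expected = hmac.new(token_rec["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature does not verify: tampered or wrong secret
        claims = json.loads(b64url_decode(payload))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None  # expired or missing expiry
        return claims
    except (ValueError, AttributeError):  # malformed base64url, JSON or segment count
        return None
```

The HMAC is always computed with the record's own secret, so the "alg" value in the header is never trusted to select the verification method.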
- Authorization