========
Security
========

The primary security objective of the Open EII is to prevent time series and video data generated by the ingestion or analytics components from being accessed by unauthorized entities acting within the system or accessing it via the external network interfaces.

Security is enabled in a two-stage process involving provisioning and execution on an edge compute node. The root user is considered a trusted entity; therefore, compromising the root password or giving Linux* sudoer permission to an untrusted user on the edge compute node will compromise security.

Provisioning
============

Provisioning must be done before deploying Open EII on any node. Provisioning starts Open EII ConfigMgr as a container and loads it with the configuration required to run Open EII for a single-node or multi-node cluster setup. The provisioning step of Open EII includes:

#. Loading the initial Open EII ConfigMgr values from a JSON file.
#. Generating Open EII ConfigMgr user certificates for all applications.
#. Generating required X.509 certificates and putting them in Open EII ConfigMgr.

Generating Keys and Certificates
--------------------------------

Open EII is provided with a cert-tool that can create the Open EII ConfigMgr private key and certificate pair for all Open EII containers. The cert-tool is a sample that uses OpenSSL commands to create the X.509 certificates and private keys with the names expected by the sample docker-compose.yml provided with the release. The user can opt to generate these certificates using any tool and update the docker-compose.yml with the corresponding names for the final deployment.

The following certificates are generated by the cert-tool:

* X.509 CA certificate, which is self-signed. This step can be omitted if the admin provides their own pre-generated CA certificate to the tool.
* Open EII ConfigMgr root user private key and certificate.
* Open EII ConfigMgr user private key and certificate for all the applications (provided in the configuration).
* Open EII ConfigMgr peer certificate to be generated for each node in the cluster.

The cert-tool generates these keys and certificates and keeps them in a "Certificates/" directory with unique filenames for each certificate. This directory is referenced by the docker-compose.yml file for mounting these as secrets to the container.

Start Up and Run Time
======================

During Edge Compute Node reboot, the secrets stored in the Open EII ConfigMgr need to be accessible to all of the Open EII infrastructure containers. Open EII ConfigMgr plays a crucial role in providing the secrets to other containers.

Accessing Secrets
------------------

Docker-compose secrets and Open EII ConfigMgr are used to provide runtime secrets to Open EII.

* The application reads the Open EII ConfigMgr certificates from the secrets of docker-compose.
* Call the ConfigMgr library (Open EII ConfigMgr client) for reading the application configurations (using the Open EII user Open EII ConfigMgr pub/pri key pair).
* Read the message bus topics and message bus configurations for Pub / Sub and Request Response along with the ZMQ private keys.
* For a publisher, the application needs the public keys of all subscribers. From the list of subscribers mentioned in the application's Open EII ConfigMgr configuration, the application queries the ConfigMgr to get the public keys of all subscribers. The application then passes this configuration to the Open EII message bus.
* For a subscriber, the ConfigMgr is used for getting the public key of the publisher and connecting to it.

Certificate Revocation
======================

Individual users can be deleted from the Open EII ConfigMgr to revoke their certificates. In case of ZeroMQ* certificate revocation, the client's public key can be removed from the allowed_clients option of the publisher.
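
The publisher flow under "Accessing Secrets" and the ZeroMQ revocation step under "Certificate Revocation" can be modelled together. This is an added example, not Open EII code: the in-memory store, the ``/Publickeys/`` key prefix, the application names and the key strings are assumptions made for illustration; only the ``allowed_clients`` option name comes from this page.

```python
# Added illustration: a model of the publisher-side allow-list, not the Open EII API.
KEY_PREFIX = "/Publickeys/"  # hypothetical key layout in the ConfigMgr store

# Constructed stand-in for the ConfigMgr key-value store (values are not real keys).
SAMPLE_STORE = {
    KEY_PREFIX + "VideoAnalytics": "constructed-pubkey-video-analytics",
    KEY_PREFIX + "Visualizer": "constructed-pubkey-visualizer",
}


def build_publisher_config(subscribers, store):
    """Resolve each configured subscriber name to its public key.

    Fails closed: a subscriber with no key in the store (never provisioned,
    or already revoked) is reported and left out, never replaced by a wildcard.
    """
    allowed, missing = [], []
    for app in subscribers:
        key = store.get(KEY_PREFIX + app)
        if key:
            allowed.append(key)
        else:
            missing.append(app)
    return {"allowed_clients": allowed}, missing


def is_allowed(config, client_public_key):
    """True only if the connecting client's key is on the publisher's allow-list."""
    return client_public_key in config["allowed_clients"]


def revoke(store, app):
    """Delete the application's public key; returns the removed key or None."""
    return store.pop(KEY_PREFIX + app, None)


def demo():
    """Build the allow-list, revoke one subscriber, then rebuild it."""
    store = dict(SAMPLE_STORE)
    subscribers = ["VideoAnalytics", "Visualizer"]
    before, _ = build_publisher_config(subscribers, store)
    revoked_key = revoke(store, "Visualizer")
    after, missing = build_publisher_config(subscribers, store)
    return before, after, missing, revoked_key


if __name__ == "__main__":
    print(demo())
```

In this model the revoked key stays in the ``before`` configuration, so the removal is only reflected once the publisher's configuration is rebuilt from the store.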