TRUE Connector
  • TRUE Connector
    • Prerequisite
    • Introduction
    • System requirements
    • Volumes
    • Default configuration
    • Starting and stopping containers
    • Component overview
  • REST API
  • Connector reachability
    • Connector ID
  • How to Exchange Data
  • Modifying configuration
    • Hostname validation
    • SSL/HTTPS
    • Change message format - Multipart/Mixed, Multipart/Form, Http-headers
    • WebSocket configuration (WSS)
    • IDSCPv2 configuration
    • Self Description validation
  • Advanced configuration
    • Supported Identity Providers
    • Extended jwt validation
    • Convert keystorage files
    • Validate protocol
    • Clearing House
    • Broker
    • Usage Control
    • MyData Usage Control
    • Audit logs
    • Firewall
    • NTP Server setup
    • Manage OS users
  • Contract Negotiation - simple flow
    • Get offered resource
    • Description Request Message
    • Contract Request Message
    • Contract Agreement request
    • Get offered resource after access is granted
  • Self Description API
    • Changing API password
    • Postman collection
  • License
  • Advanced doc
    • MYDATA_USAGE_CONTROL
    • PostgreSQL Configuration
    • Test cases
    • REST API
    • Testbed
    • Step to replicate True Connector installation in minikube.
    • Docker image signing and verification
  • Life cycle
  • Security
  • Roadmap
  • Traceability matrix
  • License
  • Contributing TRUE Connector
Powered by GitBook
On this page
  • Security policies
  • Public Key Infrastructure - PKI
  • Truststore
  • Adding trusted CA certificates to Truststore
  • Identity certificate - DAPS certificate
  • Integrity check

Security

Security policies

The TRUE Connector uses state-of-the-art TLS 1.3 encryption for https/wss communication which is also implemented and used for idscp2 communication. In addition to TLS 1.3, security is also bolstered by using DAPS for identity provisioning and management based on the newest X.509v3 standard of certificates.

Public Key Infrastructure - PKI

For a proper set-up of the TRUE Connector, it is required to provide a certificate from a trusted Certificate Authority, such as Let's Encrypt, which is mandatory for production environments. This certificate will be used to enable a TLS channel between components.

If requested, you can create one for consumer side and one for provider side of the TRUE Connector. In that case, SAN should be split to match (consumer and provider ones should be separated)

Recommended values for certificate are following:

Certificate Extension
Recommended value

Keystore Type

PKCS #12 or JKS

Version

3

Public key

RSA 4096 bits

Signature Algorithm

SHA-256 with RSA

Validity

6 months

Key usage

Key Agreement, Digital Signature, Key Encipherment

Extended key usage

TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

Authority Key Identifier

160-bit hash

Subject Key Identifier

160-bit hash

Subject Alternative Name

DNS Name: be-dataapp-consumer; DNS Name: be-dataapp-provider; DNS Name: ecc-consumer; DNS Name: ecc-provider; DNS Name: localhost; DNS Name: uc-dataapp-consumer; DNS Name: uc-dataapp-provider

Common Name (CN)

execution-core-container

Organization Unit (OU)

R&D

Organization Name (O)

Engineering Ingegneria Informatica SpA

Locality Name (L)

Lecce

State Name (ST)

Italy

Country (C)

Italy

SAN can be changed depending on deployed network infrastructure.

When creating self signed certificate, be sure to set values provided in table above. For that purpose you can use openssl command or KeyStore Explorer, small utility application that will help you to set all the values and generate correct key. Password should be "strong enough".

Truststore

To support hostname validation, truststore will have to be contain valid certificate, with information related with SAN. This step is mandatory, and if not set correctly, you will get 'PKIX' exception when making https call.

In the truststore, next certificates are mandatory:

  • DAPS TLS certificate

  • DAPS key provider certificate (OCSP)

  • Broker certificate

  • Consumer Connector certificate

  • Provider Connector certificate

  • Clearing house certificate (if CH is used)

Adding trusted CA certificates to Truststore

Before attempting to communicate with another connector or service (e.g. DASP, Broker...) in a dataspace the TRUEConnector has to know whom to trust. This is done through adding of the other entities certificates,provided to them by trusted CAs, to the TRUEConnectors Truststore. We will be using keytool and the following command to add for example the DAPS certificate:

keytool -import -keystore truststoreEcc.jks -file daps_certificate.pem -alias daps

  • keystore - TRUEConnector Truststore

  • file - trusted CAs certificate you want to add

  • alias - unique name of the certificate in the Truststore

Identity certificate - DAPS certificate

Another certificate is required to be used in TRUE Connector - identity certificate, used to identify connector and to fetch jwToken from Identity Provider - DAPS. Following certificate can be generated using Testbed instructions described here. Be aware that following certificates will work only with provided Dynamic Attribute Provisioning Service (DAPS) - Omejdn. For other DAPS implementations, this will require additional validation. Once certificate is generated, following instruction from previous link, you can configure TRUE Connector to use DAPS, by following instructions from here.

Integrity check

TRUE Connector has several ways to check the integrity:

  • Docker cosing check

  • Healthcheck

  • Verification of the components itself, that will check if current version of subcomponent is verified or not;

Each component (Execution Core Container, Basic DataApp and Platoon Usage Control) should on startup log somethign like following:

Certified version: true

in case if TRUE Connector is using certified subcomponent or not.

Last updated 1 year ago