Security
TLS/SSL support
Channel manager supports TLS/SSL between itself and the plugin, regardless of transport. Implementing SSL is beyond the scope of this document, as a plugin can be implemented in a variety of programming languages and use arbitrary libraries. We provide general guidelines only.
Channel manager can work with self-signed SSL certificates; however, in that case (and also if the certificate cannot be used by Java 8 out of the box) you will have to provide us with the certificate file in .crt format. The certificate file must begin with
-----BEGIN CERTIFICATE-----
followed by the Base64-encoded certificate, followed by
-----END CERTIFICATE-----
gRPC
Channel manager is able to use TLS if the plugin supports it. For an implementation guide, follow the advice at https://github.com/grpc/grpc-java/blob/master/SECURITY.md (or the equivalent page for the programming language you are using). If you are implementing in Java, you can check out the sample plugin (also see Using the sample plugin), which contains the code required for TLS to work.
REST
We are using version 2 of the OkHttp library for making client-to-server connections. According to the specification, the following transport options are supported:
- SSL v3.0
- TLS v1.0
- TLS v1.1
- TLS v1.2
gRPC: shared secret support
gRPC supports shared secret authentication, effectively disabling any unauthorized access from any external source. It works by configuring an arbitrary secret phrase on the server (plugin) end and providing the same phrase on the client (Channel manager) end. If the phrases do not match, none of the services will respond.
The shared secret feature can work with or without TLS.
Check out the sample plugin for how the shared secret should be implemented.
REST: basic authentication support
The REST plugin offers the ability to configure a shared secret in the form of basic access authentication. The authentication can work with or without TLS.
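
A plugin-side check for the REST basic authentication described above, as an added example that is not part of the original documentation or the sample plugin. It assumes the standard Authorization: Basic header (RFC 7617); the user name, secret and function names are hypothetical.

```python
import base64
import hmac

# Hypothetical, constructed credentials; a real plugin reads them from configuration.
EXPECTED_USER = "channel-manager"
EXPECTED_SECRET = "constructed-sample-secret"


def parse_basic_header(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Only the first colon separates user from password (RFC 7617),
    # so the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def is_authorized(header, user=EXPECTED_USER, secret=EXPECTED_SECRET):
    """True only if the header carries the configured user and secret."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    got_user, got_secret = parsed
    # compare_digest avoids leaking how many leading characters matched;
    # both comparisons always run so timing does not show which one failed.
    user_ok = hmac.compare_digest(got_user.encode(), user.encode())
    secret_ok = hmac.compare_digest(got_secret.encode(), secret.encode())
    return user_ok and secret_ok


def make_header(user, secret):
    """Build the header value a client would send (used here for the demo)."""
    token = base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    print(is_authorized(make_header(EXPECTED_USER, EXPECTED_SECRET)))
    print(is_authorized(make_header(EXPECTED_USER, "wrong")))
    print(is_authorized("Basic not-base64!"))
```

Basic credentials are only Base64-encoded, so when this authentication is used without TLS the secret is readable by anyone who can observe the connection.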