Secure Communication
General Description
The Secure Communication component installs, issues, and revokes digital certificates, which are strictly necessary to securely exchange information between ZDMP assets and external resources. From the Security Command Centre UI, the administrator can revoke, renew, and install certificates.
This component includes a Certification Authority (CA) and a Registration Authority (RA). These are the core of this component and are responsible for issuing/revoking certificates and matching identities with certificates, respectively.
Resource | Location |
---|---|
Source Code | Link |
Latest Release (v1.0.0) | Download |
Open API Spec | Link |
Video | Link |
Further Guidance | None |
Related Datasets | None |
Additional links | None |
Generation of this content | 6 May 2021 |
Screenshots
The following images are illustrative screenshots of the component.
Figure 32: Security command centre certificates list
Component Author
Company Name | ZDMP Acronym | Website | Logo |
---|---|---|---|
Instituto Tecnológico de Informática | ITI | www.iti.es | |
Commercial Information
Resource | Location |
---|---|
IPR Link | Secure Communication |
Price | [For determination at end of project] |
License | [For determination at end of project] |
Privacy Policy | [For determination at end of project] |
Volume License | [For determination at end of project] |
Architecture Diagram
The following diagram shows the position of this component in the ZDMP architecture.
Figure 33: Position of Component in ZDMP Architecture
Benefits
- Solve the security aspects that require encryption, data integrity, privacy, and mutual trust
- Address Transport and Application layer security, enabling simplified management of certificates
Features
This component offers the following features:
- Retrieve certificates: Recover details (status) of a given certificate
- Certificate issuer: Enables T5.2 Authentication & Authorization to request new certificates for new users managed by the Security Command Centre
- Certificate download: Download generated certificates in different formats. This enables the user to download the certificate on demand, directly, given correct credentials
- Server certificate issuer: Requests an installed CA to create and store server certificates, with different possible hash methods (initially SHA-256; other hash methods are possible)
- Client certificate issuer: Requests an installed CA to create and store client certificates, with different possible hash methods (initially SHA-256; other hash methods are possible)
- Install Certificate Authorities: Install and manage Certificate Authorities
- Inspect details on issued certificates: Request a list of installed certificates and CAs with detailed information
- Manage certificate life cycle: Manage revoked certificates, renew them, or add them to a Certificate Revocation List (CRL)
System Requirements
Minimal requirements needed:
- Computer with Docker Engine installed (tested with v19.03.8, on Windows)
- Security Command Centre
Associated ZDMP Services
Required
How to use
Installation
The installation of this component is performed through Docker commands to run docker images. The Secure Communication component can be installed via docker-compose:
- Download the latest source code from ZDMP’s GitLab repository Download
- Unzip the folder in the desired workspace
- Check the desired configuration parameters, which are set as environment variables in the docker-compose file. Two variables can be set: KC-AUTHORIZATION, which enables login of the component through KEYCLOAK if the component has been assigned a token, and API_OUTPUT_AS_JSON, which selects between legacy output and pure JSON responses
Figure 34: Configuring the secure communications component
- Through the command line, go to the orchestration folder and run the docker-compose command as follows:
- In order to use this component via the Security Command Centre UI, please consider the installation process of Secure Authentication and Authorisation and Secure Installation. Refer to those components for further information:
- In order to deploy this component as part of the Application Run-time, please refer to that component for further instructions:
Certificate Management
The final usage of this component is envisaged to be through the UI of the Security Command Centre. Nevertheless, a POSTMAN collection is provided, which groups every API call so that each can be tested individually, assuming the user has deployed the Docker Compose file on localhost (if not, the calls can be edited to point at the correct URL).
The Security Command Centre also implements the forms required to interact with the Secure Communication component. IT administrators are able to install or import a Certificate Authority (CA) through the Security Command Centre UI by providing the CA content and filling in additional parameters such as the encryption algorithm, country, location, and organization name.
Figure 35: Security command centre CA creation
Figure 36: Importing an existing CA
Figure 37: Security command centre certificate authority list
Once the CA is installed, the IT administrator can issue device certificates with the installed CA and download them.
The IT administrator can manage the certificate life cycle by revoking already issued certificates, renewing them, or issuing new ones.
Figure 38: Security command centre certificate list
Finally, to use certificates in any application, follow the specific guide for the protocol of choice. Below, an example of using certificates in MQTT or OPC-UA with NODE-RED can be found.
Figure 39: Example of using certificates
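As an added example, not code from the ZDMP project, the CA life cycle described in the Certificate Management section (install a CA, issue SHA-256 device certificates, revoke them, publish a CRL) and the chain-plus-revocation check a peer performs when those certificates are used in a protocol, reproduced with the openssl CLI; the working directory, subject fields and common names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not ZDMP code: the component's CA workflow done with the openssl CLI
# (install CA -> issue SHA-256 device certs -> revoke -> publish CRL -> verify).
# Every name, path and subject field below is constructed for this demo.
set -eu
W=$(mktemp -d); touch "$W/index.txt"; echo 1000 >"$W/serial"; cp "$W/serial" "$W/crlnumber"
cat >"$W/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $W
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 90
default_crl_days = 30
policy = dn_policy
x509_extensions = leaf
[ dn_policy ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
EOF
# 1. "Install" a CA: self-signed root carrying the subject fields the UI asks for.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -keyout "$W/ca.key" \
  -out "$W/ca.crt" -subj "/C=ES/L=Valencia/O=Demo Org/CN=Demo Root CA" 2>/dev/null
# 2. Issue a device or server certificate for a common name, signed by that CA.
issue_cert() {                       # usage: issue_cert <name> <common name>
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$W/ca.cnf" -in "$W/$1.csr" -out "$W/$1.crt" 2>/dev/null
}
gen_crl() {                          # 3. publish the CRL, bundled with the CA cert for verifiers
  openssl ca -config "$W/ca.cnf" -gencrl -out "$W/ca.crl" 2>/dev/null
  cat "$W/ca.crt" "$W/ca.crl" >"$W/trust.pem"
}
# 4. Revoke a certificate and re-publish the CRL (the component's "add to a CRL").
revoke_cert() { openssl ca -config "$W/ca.cnf" -revoke "$W/$1.crt" 2>/dev/null; gen_crl; }
check_cert() {                       # 5. what an MQTT/OPC-UA peer checks: chain + CRL status
  out=$(openssl verify -crl_check -CAfile "$W/trust.pem" "$W/$1.crt" 2>&1) && { echo valid; return; }
  case $out in *"certificate revoked"*) echo revoked;; *) echo invalid;; esac
}
# Signature algorithm actually used on an issued certificate (expect sha256WithRSAEncryption).
sig_alg() { openssl x509 -in "$W/$1.crt" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $3}'; }
issue_cert server broker.demo.test; issue_cert device device-0001; gen_crl; revoke_cert device
echo "server: $(check_cert server)  device: $(check_cert device)  alg: $(sig_alg device)"
```

A peer that skips the CRL (plain `openssl verify` without `-crl_check`) would still accept the revoked device certificate, which is why the trust bundle handed to clients must carry the current CRL.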