The TRUE Connector uses state-of-the-art TLS 1.3 encryption for https/wss communication, which is also used for IDSCP2 communication. In addition to TLS 1.3, security is bolstered by using DAPS for identity provisioning and management, based on the current X.509v3 certificate standard.
For a proper set-up of the TRUE Connector, a certificate from a trusted Certificate Authority, such as Let's Encrypt, has to be provided; this is mandatory for production environments. This certificate will be used to establish the TLS channel between components.
If required, you can create one certificate for the consumer side and one for the provider side of the TRUE Connector. In that case, the SAN entries should be split accordingly (consumer names in one certificate, provider names in the other).
Recommended values for the certificate are the following:
Certificate Extension | Recommended value |
---|---|
Keystore Type | PKCS #12 or JKS |
Version | 3 |
Public key | RSA 4096 bits |
Signature Algorithm | SHA-256 with RSA |
Validity | 6 months |
Key usage | Key Agreement, Digital Signature, Key Encipherment |
Extended key usage | TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) TLS Web Client Authentication (1.3.6.1.5.5.7.3.2) |
Authority Key Identifier | 160-bit hash |
Subject Key Identifier | 160-bit hash |
Subject Alternative Name | DNS Name: be-dataapp-consumer; DNS Name: be-dataapp-provider; DNS Name: ecc-consumer; DNS Name: ecc-provider; DNS Name: localhost; DNS Name: uc-dataapp-consumer; DNS Name: uc-dataapp-provider |
Common Name (CN) | execution-core-container |
Organization Unit (OU) | R&D |
Organization Name (O) | Engineering Ingegneria Informatica SpA |
Locality Name (L) | Lecce |
State Name (ST) | Italy |
Country (C) | Italy |
The SAN can be changed depending on the deployed network infrastructure.
When creating a self-signed certificate, be sure to set the values provided in the table above. For that purpose you can use the openssl command or KeyStore Explorer, a small utility application that helps you set all the values and generate a correct key. The password should be "strong enough".
To support hostname validation, the truststore has to contain a valid certificate whose SAN information matches the hostnames in use. This step is mandatory; if it is not set correctly, you will get a 'PKIX' exception when making an https call.
The following certificates are mandatory in the truststore:
- DAPS TLS certificate
- DAPS key provider certificate (OCSP)
- Broker certificate
- Consumer Connector certificate
- Provider Connector certificate
- Clearing house certificate (if CH is used)
Before attempting to communicate with another connector or service (e.g. DAPS, Broker, ...) in a dataspace, the TRUE Connector has to know whom to trust. This is done by adding the other entities' certificates, issued to them by trusted CAs, to the TRUE Connector's truststore. We will use keytool and the following command to add, for example, the DAPS certificate:

```shell
keytool -import -keystore truststoreEcc.jks -file daps_certificate.pem -alias daps
```

- keystore - the TRUE Connector truststore
- file - the trusted CA-issued certificate you want to add
- alias - a unique name for the certificate in the truststore
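The following is an added example, not code from the TRUE Connector project: it generates a self-signed certificate carrying the recommended values from the table above with openssl (RSA 4096, SHA-256, key usage, extended key usage, SKI/AKI and the listed SANs), packages it as PKCS #12, and provides a non-interactive variant of the keytool import shown above. Assumptions: openssl is on PATH, keytool is only needed for the truststore step, "6 months" is rendered as 180 days, the output directory and the password are placeholders, and C is set to "IT" because OpenSSL enforces the two-letter ISO 3166 form of countryName and would reject "Italy". The `cert_matches_host` helper uses openssl's own hostname check to confirm, before deployment, that the SAN covers the hostname a peer will connect to, which is the condition behind the 'PKIX' exception mentioned above.

```shell
#!/bin/sh
# Added example (not TRUE Connector project code); see the lead-in for assumptions.

# Write an openssl config encoding the recommended subject, extensions and SANs.
write_openssl_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 4096
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext

[ dn ]
CN = execution-core-container
OU = R&D
O  = Engineering Ingegneria Informatica SpA
L  = Lecce
ST = Italy
C  = IT

[ v3_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
keyUsage               = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = @alt_names

[ alt_names ]
DNS.1 = be-dataapp-consumer
DNS.2 = be-dataapp-provider
DNS.3 = ecc-consumer
DNS.4 = ecc-provider
DNS.5 = localhost
DNS.6 = uc-dataapp-consumer
DNS.7 = uc-dataapp-provider
EOF
}

# Generate the RSA-4096 key plus self-signed certificate (180 days, SHA-256)
# and package both as PKCS #12. Files are written into directory "$1".
make_self_signed_cert() {
    outdir="$1"
    password="${2:-change-me-strong-password}"   # placeholder; use a real secret
    write_openssl_config "$outdir/ecc.cnf"
    openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 180 \
        -config "$outdir/ecc.cnf" \
        -keyout "$outdir/ecc-key.pem" -out "$outdir/ecc-cert.pem"
    openssl pkcs12 -export -in "$outdir/ecc-cert.pem" -inkey "$outdir/ecc-key.pem" \
        -name execution-core-container -out "$outdir/ecc.p12" -passout "pass:$password"
}

# Returns 0 when hostname "$2" is covered by the SAN of certificate "$1",
# 1 otherwise; this is the check a TLS client performs during the handshake.
cert_matches_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'
}

# Returns 0 when the decoded certificate text contains pattern "$2"
# (used to confirm key size, key usage and extended key usage).
cert_text_has() {
    openssl x509 -noout -text -in "$1" | grep -q "$2"
}

# Non-interactive form of the keytool import from the page:
# import_into_truststore <truststore.jks> <storepass> <cert.pem> <alias>
import_into_truststore() {
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" \
        -file "$3" -alias "$4"
}

# Stand-alone usage: `sh this.sh demo` generates into a temp dir and prints the extensions.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_self_signed_cert "$dir"
    openssl x509 -noout -text -in "$dir/ecc-cert.pem" | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
    cert_matches_host "$dir/ecc-cert.pem" ecc-provider && echo "ecc-provider: SAN match"
fi
```

If you split the certificate between consumer and provider sides as described above, keep only the matching `DNS.n` entries in each config; `cert_matches_host` then tells you immediately whether the peer name you will configure is still covered.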
Another certificate is required by the TRUE Connector: the identity certificate, used to identify the connector and to fetch a JWT from the Identity Provider (DAPS). This certificate can be generated using the Testbed instructions described here. Be aware that these certificates will only work with the provided Dynamic Attribute Provisioning Service (DAPS), Omejdn. For other DAPS implementations, additional validation is required. Once the certificate has been generated by following the instructions from the previous link, you can configure the TRUE Connector to use DAPS by following the instructions from here.
The TRUE Connector has several ways to check integrity:
- Docker cosign check
- Healthcheck
- Verification of the components themselves, which checks whether the current version of a subcomponent is certified or not;
Each component (Execution Core Container, Basic DataApp and Platoon Usage Control) should log something like the following on startup:
Certified version: true
indicating whether the TRUE Connector is using a certified subcomponent or not.