11. Security¶
11.1. HTTPs-based communication¶
11.1.1. Secure the cloud-edge communication¶
To secure the communication between the FogFlow cloud node and the FogFlow edge nodes, FogFlow can be configured to use HTTPs for the NGSI9 and NGSI10 communication, which is mainly for data exchange between cloud node and edge nodes, or between two edge nodes. Also, the control channel between Topology Master and Worker can be secured by enabling TLS in RabbitMQ. The introduction steps to secure the data exchange between one FogFlow cloud node and one FogFlow edge node.
11.1.2. Configure DNS server¶
As illustrated by the following picture, in order to set up FogFlow to support the HTTPs-based communication, the FogFlow cloud node and the FogFlow edge node are required to have their own domain names, because their signed certificates must be associated with their domain namers. Therefore, DNS service is needed to be used to resolve the domain names for both the cloud node and the edge node. For example, freeDNS can be used for this purpose.
Important
please make sure that the domain names of the cloud node and the edge node can be properly resolved and correct IP address can be seen.
11.1.3. Set up the FogFlow cloud node¶
11.1.4. Fetch all required scripts¶
Download the docker-compose file and the configuration files as below.
# download the script that can fetch all required files
wget https://raw.githubusercontent.com/smartfog/fogflow/master/docker/core/https/fetch.sh
# make this script executable
chmod +x fetch.sh
# run this script to fetch all required files
./fetch.sh
11.1.5. Change the configuration file¶
{
"coreservice_ip": "cloudnode.fogflow.io", #change this to the domain name of your own cloud node
"external_hostip": "cloudnode.fogflow.io", #change this to the domain name of your own cloud node
...
}
11.1.6. Generate the key and certificate files¶
# make this script executable
chmod +x key4cloudnode.sh
# run this script to fetch all required files
./key4cloudnode.sh cloudnode.fogflow.io
11.1.7. Start the FogFlow components on the cloud node¶
docker-compose up -d
11.1.8. Validate setup¶
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
90868b310608 nginx:latest "nginx -g 'daemon of…" 5 seconds ago Up 3 seconds 0.0.0.0:80->80/tcp fogflow_nginx_1
d4fd1aee2655 fogflow/worker "/worker" 6 seconds ago Up 2 seconds fogflow_cloud_worker_1
428e69bf5998 fogflow/master "/master" 6 seconds ago Up 4 seconds 0.0.0.0:1060->1060/tcp fogflow_master_1
9da1124a43b4 fogflow/designer "node main.js" 7 seconds ago Up 5 seconds 0.0.0.0:1030->1030/tcp, 0.0.0.0:8080->8080/tcp fogflow_designer_1
bb8e25e5a75d fogflow/broker "/broker" 9 seconds ago Up 7 seconds 0.0.0.0:8070->8070/tcp fogflow_cloud_broker_1
7f3ce330c204 rabbitmq:3 "docker-entrypoint.s…" 10 seconds ago Up 6 seconds 4369/tcp, 5671/tcp, 25672/tcp, 0.0.0.0:5672->5672/tcp fogflow_rabbitmq_1
9e95c55a1eb7 fogflow/discovery "/discovery" 10 seconds ago Up 8 seconds 0.0.0.0:8090->8090/tcp fogflow_discovery_1
399958d8d88a grafana/grafana:6.5.0 "/run.sh" 29 seconds ago Up 27 seconds 0.0.0.0:3003->3000/tcp fogflow_grafana_1
9f99315a1a1d fogflow/elasticsearch:7.5.1 "/usr/local/bin/dock…" 32 seconds ago Up 29 seconds 0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp fogflow_elasticsearch_1
57eac616a67e fogflow/metricbeat:7.6.0 "/usr/local/bin/dock…" 32 seconds ago Up 29 seconds fogflow_metricbeat_1
11.1.9. Set up the FogFlow edge node¶
11.1.10. Fetch all required scripts¶
Download the docker-compose file and the configuration files as below.
# download the script that can fetch all required files
wget https://raw.githubusercontent.com/smartfog/fogflow/master/docker/edge/https/fetch.sh
# make this script executable
chmod +x fetch.sh
# run this script to fetch all required files
./fetch.sh
11.1.11. Change the configuration file¶
{
"coreservice_ip": "cloudnode.fogflow.io", #change this to the domain name of your own cloud node
"external_hostip": "edgenode1.fogflow.io", #change this to the domain name of your own edge node
...
}
11.1.12. Generate the key and certificate files¶
# make this script executable
chmod +x key4edgenode.sh
# run this script to fetch all required files
./key4edgenode.sh edgenode1.fogflow.io
11.1.13. Start the FogFlow components on the edge node¶
docker-compose up -d
11.1.14. Validate setup¶
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
16af186fb54e fogflow/worker "/worker" About a minute ago Up About a minute https_edge_worker_1
195bb8e44f5b fogflow/broker "/broker" About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp https_edge_broker_1
11.1.15. Check system status via FogFlow Dashboard¶
FogFlow dashboard can be opened in web browser to see the current system status via the URL: https://cloudnode.fogflow.io/index.html
Important
please make sure that the domain names of the cloud node can be properly resolved.
If self-signed SSL certificate is being used, a browser warning indication can be seen that the crtificate should not be trusted. It can be proceeded past this warning to view the FogFlow dashboard web page via https.
11.2. Secure FogFlow using Identity Management¶
Identity management(IdM) is a process for identifying, authenticating individuals or groups to have access to applications or system by associating some auth token with established identities. IdM is the task of controlling data about users or applications. In this tutorialFogFlow Designer security implementation and secure Cloud-Edge communication is explained and tested.
11.2.1. Terminology¶
Keyrock: Keyrock is the FIWARE component responsible for Identity Management. Keyrock also provide feature to add OAuth2-based authentication and authorization security in order to secure services and applications.
PEP Proxy Wilma: PEP Proxy Wilma is a FIWARE Generic Enabler that enhances the performance of Identity Management. It combines with Keyrock to secure access to endpoints exposed by FIWARE Generic Enablers. Wilma listens for any request, authenticates it from Keyrock and stores it in its cache for a limited period of time. If a new request arrives, Wilma will first check in its cache and if any grant is stored, it will directly authenticate otherwise it will send the request to Keyrock for authentication.
11.2.2. Security Architecture¶
11.2.3. Cloud and Edge Interaction with IDM¶
FogFlow cloud node flow:
- As in architecture diagram, PEP Proxy will register itself on behalf FogFlow Designer first on Keyrock. Detail explanation is given in below topics of this tutorial.
- User can access Designer via PEP proxy proxy by using the access-token of PEP proxy in reaquest header.
FogFlow edge node flow:
- On behalf of edge node, one instance of PEP Proxy will be pre-registered on keyrock, edge will be using oauth credentials to fetch PEP Proxy details. Detail explanation is given in below topics of this tutorial. Click here to refer.
- After the authentication edge node will be able to communicate with FogFlow cloud node.
- Any device can register itself or communicate with FogFlow edge node using access-token generated on behalf of each IoT Device registered at Keyrock.
11.2.4. Installation of Security Components on Cloud¶
# the docker-compose file to start Identity Manager on the cloud node
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/core/http/security_setup/docker-compose.idm.yml
# the configuration file used by IdM
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/core/http/security_setup/idm_config.js
# the docker-compose file to start PEP Proxy (Wilma) on the cloud node
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/core/http/security_setup/docker-compose.pep.yml
# the configuration file used by PEP Proxy
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/core/http/security_setup/pep_config.js
11.2.5. Change the IP configuration accordingly¶
Configuration file need to be modified at the following places with IP addresses according to user own environment.
- Change the IdM config file (idm_config.js) at following places as per the environment.
config.port = 3000;
config.host = '<IdM_IP>'; // eg; config.host = '180.179.214.215';
Note: IdM_IP denotes the IP of cloud node in this case, if IdM instance is to be set on platform other than cloud; user must provide IP of that platform.
- If user wants to setup database according to their need, they can do so by changing following places in idm_config.js as per environment. For default usage, do not change below mentioned configuration in idm_config.js.
// Database info
config.database = {
host: 'localhost',
password: 'idm',
username: 'root',
database: 'idm',
dialect: 'mysql',
port: undefined
};
11.2.6. Start Security Components on Cloud Node¶
Start Identity Manager
docker-compose -f docker-compose.idm.yml up -d
#Check all the containers are Up and Running using "docker ps -a"
docker ps -a
Note: IdM dashboard can be accessed on the http://<Idm_Ip>:3000 (for eg. http://180.179.214.215:3000) on browser.
Register Application with IdM
For accessig above dashboard, user needs to login with his credentials i.e. username and password. By default user can use admin credentialswhich are “admin@test.com” and “1234”. After login, the below screen would appear.
- Now to register application, click on register tab under application heading.
- Now enter details as below
Name : (Provided by user)
Description : (Provided by User)
Url : (Cloud Node's Designer IP for eg: http://180.179.214.215 where "180.179.214.215" is the IP for woking cloud node)
Callback Url : ( in case of designer as an application it would be http://180.179.214.215/index.html )
click on Next button.
- If user wants to add image icon for his application he can do that by uploading it. Click Next button after that.
- Again click Save button to finish the registration.
11.2.7. Start PEP Proxy (Wilma) on Cloud node¶
Below are the steps that need to be done to setup communication between IdM and PEP Proxy.
- Authenticate PEP Proxy itself with Keyrock Identity Management.
- Login to Keyrock (http://180.179.214.135:3000/idm/) account with user credentials i.e. Email and Password.
- For Example: admin@test.com and 1234.
After Login, Click “Applications” then select the registered Application. Click “PEP Proxy” link to get Application ID , PEP Proxy Username and PEP Proxy Password.
Note: Application ID , PEP Proxy Username and PEP Proxy Password will generate by clicking ‘Register PEP Proxy’ button.
To setup PEP proxy for securing Designer, change the followings inside the pep_config file. Get PEP Proxy Credentials from Keyrock Dashboard while registering an application.
config.pep_port = process.env.PEP_PROXY_PORT || 80;
config.idm = {
host: process.env.PEP_PROXY_IDM_HOST || '180.179.214.135',
port: process.env.PEP_PROXY_IDM_PORT || 3000,
ssl: toBoolean(process.env.PEP_PROXY_IDM_SSL_ENABLED, false),
};
config.app = {
host: process.env.PEP_PROXY_APP_HOST || '180.179.214.135',
port: process.env.PEP_PROXY_APP_PORT || ’80’,
ssl: toBoolean(process.env.PEP_PROXY_APP_SSL_ENABLED, false), // Use true if the app server listens in https
};
config.pep = {
app_id: process.env.PEP_PROXY_APP_ID || '9b51b184-808c-498c-8aac-74ffedc1ee72',
username: process.env.PEP_PROXY_USERNAME || 'pep_proxy_4abf36da-0936-46f9-a7f5-ac7edb7c86b6',
password: process.env.PEP_PASSWORD || 'pep_proxy_fb4955df-79fb-4dd7-8968-e8e60e4d6159',
token: {
secret: process.env.PEP_TOKEN_SECRET || '', // Secret must be configured in order validate a jwt
},
trusted_apps: [],
};
Note: PEP_PORT should be changed by user as per need. PEP_PROXY_IDM_HOST and PEP_PROXY_IDM_PORT should match with above setup for IdM, that means PEP_PROXY_IDM_HOST should be the IP where IdM is working and PEP_PROXY_IDM_PORT be the one, on which IdM is listening. PEP_PROXY_APP_HOST is the IP of cloud node where designer is running and PEP_PROXY_APP_PORT be the one where designer is listening. PEP_PROXY_APP_ID, PEP_PROXY_USERNAME and PEP_PASSWORD is retrived from the registered application as shown in above image.
- Now start the PEP Proxy container, as shown below
docker-compose -f docker-compose.pep.yml up -d
// To check the status of conatiner, use
docker ps -a
11.2.8. Generate Application Access Token¶
Request Keyrock IDM to generate application access-token and refresh token.
- Set the HTTP request Header, payload and Authorization field as per below screen shots.
- Click “Send” Button to get application access-token.
Note: Above request is sent using POSTMAN Application. User can obtain Client ID and Client Secret from Keyrock dashboard. To retrieve Client ID and Client Secret, click on registered application and under ‘Oauth2 Credentials’, user can find Client ID and Client Secret.
Above request can be made using curl, as shown below
- Note: The Authorization code can be generated using below command.
- echo -n Client_ID:Client_SECRET | base64 | tr -d ” \t\n\r”
curl --request POST '<IdM_IP>:3000/oauth2/token/' \
--header 'Authorization: Basic YzNlZGU1NTUtOTIyOC00YjhlLTllNTktZTAxZWQ0Y2VhNDFjOmU4OWRlNzBlLTU3M2QtNDBhYS1hNjljLWVhZDYwNGFkYTAyYw==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=admin@test.com' \
--data-urlencode 'password=1234'
- The request can be made in either of the above two mentioned ways. The result will provide access token.
The flow of cloud security implementation can be understand by below figure.
Below are some points related to above architecture diagram:
- Registered a PEP Proxy for designer as an application in Keyrock.
- Keyrock will send access-token to pep.
- Using that token user will send create entity request to designer.
- Designer will send token to keyrock to authenticate.
- Entity creation request will transfer to FogFlow.
entity Registration using token_access
curl -iX POST 'http://<Cloud_Public_IP>:<PEP_Host-port>/ngsi10/updateContext' -H 'X-Auth-Token: <token>' -H 'Content-Type: application/json'
-d '
{
"contextElements": [
{
"entityId": {
"id": "Temperature100",
"type": "Temperature",
"isPattern": false
},
"attributes": [
{
"name": "temp",
"type": "float",
"value": 34
}
],
"domainMetadata": [
{
"name": "location",
"type": "point",
"value": {
"latitude": 49.406393,
"longitude": 8.684208
}
}
],
"updateAction": "UPDATE"
}
]
}'
11.2.9. Setup components on Edge¶
FogFlow edge node mainly contains edge broker and edge worker. To secure FogFlow edge communication between Iot device and edge node, PEP Proxy has been used. In order to create an Auth Token, firstly register an IoT device on Keyrock. So, a script will call with the start of edge node and it will instantiate a PEP Proxy with the keyrock and also setup configuration file for PEP Proxy to work, using the Keyrock APIs. The script will perform following steps:
Prerequisite
Two commands need to install before setup edge:
- Curl
- jq
11.2.10. scripts Installation¶
Below scripts need to download for setting up edge node.
#download the deployment scripts
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/edge/http/start.sh
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/edge/http/stop.sh
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/edge/http/script.sh
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/edge/http/oauth_config.js
wget https://raw.githubusercontent.com/smartfog/fogflow/development/docker/edge/http/pep-config.js
#make them executable
chmod +x script.sh start.sh stop.sh
11.2.11. Change the IP configuration accordingly¶
Chanage the following things in configuration file:
- Change the oauth_config.js and add IdM IP, Edge IP which is needed to fetch configuration settings for PEP Proxy.
Start Edge node components
#start components in the same script
./start.sh
To secure FogFlow edge-IoT device communication Auth Token has been used on behalf of each IoT device. In order to create an Auth Token,
- An IoT device is needed to be registered on Keyrock.
- A script will be called with the start of edge node and it will configure PEP Proxy with keyrock on behalf of that edge node using the Keyrock APIs.
Note: the start.sh script will return Application ID, Application Secret, PEP Proxy ID, PEP Proxy Secret, Authorization code, IDM Token and the access token on console. Please save these for further use.
IoT Device Interaction with FogFlow
Flow of Requests as shown in diagram:
Step 1 : User will make a request to IDM using his credentials to generate user access token specific for that user. For this, user can use the script along with his username and password.
./user_token_generation.sh admin@test.com 1234
Note: For example, in above snippet admin username is “admin@test.com” and password is “1234”
Step 2 : Script will return an user access token as shown below.
Step 3 : User shares his access token ( i.e. User Access Token ) with IoT Device.
Step 4 : Then IoT devices get registered using the user access token passed as an argument to a script.
./device_token_generation.sh f9ffa629-9aff-4c98-ac57-1caa2917fed2
Note: For example, in above snippet “f9ffa629-9aff-4c98-ac57-1caa2917fed2” is the user access token.
Step 5 : Script will return device access token and device credentials(ID and password) as shown below.
Step 6 : Now, using the above device access token, the IoT Device can interact with Edge node via making Fogflow specific requests to PEP Proxy port.
11.2.12. Register IoT Device on Keyrock Using curl request¶
An example request to register IoT Device is given below
curl --include \
--request POST \
--header "Content-Type: application/json" \
--header "X-Auth-token: <token-generated-from-script>" \
'http://keyrock/v1/applications/6e396def-3fa9-4ff9-84eb-266c13e93964/iot_agents'
Note: Please save the device Id and device password for further utilisation
An example request to generate Auth token for each registered IoT sensor is given below
curl -iX POST \
'http://<IDM_IP>:3000/oauth2/token' \
-H 'Accept: application/json' \
-H 'Authorization: Basic <code-generated-from-script>' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data "username=iot_sensor_02bc0f75-07b5-411a-8792-4381df9a1c7f&password=iot_sensor_277bc253-5a2f-491f-abaa-c7b4e1599d6e&grant_type=password"
Note: Please save the Access Token for further utilisation
11.2.13. Register Device on Edge Node using curl request¶
An example payload of registration device is given below.
Curl -iX POST 'http://<Application_IP>:<Application_Port>/NGSI9/registerContext' -H 'Content-Type: application/json' -H 'fiware-service: openiot' -H 'X-Auth-token: <token-generated-for-IoT-device>' -H 'fiware-servicepath: /' -d '
{
"contextRegistrations": [
{
"entities": [
{
"type": "Lamp",
"isPattern": "false",
"id": "Lamp.0020"
}
],
"attributes": [
{
"name": "on",
"type": "command"
},
{
"name": "off",
"type": "command"
}
],
"providingApplication": "http://0.0.0.0:8888"
}
],
"duration": "P1Y"
}'
Stop Edge Node Components
- Use the below script to stop edge components that is broker and worker.
#stop all components in the same script
./stop.sh