I am trying to use the BLPAPI to establish a connection to SAPI. I am unclear on how to pass the authentication to SAPI. For instance, how do I specify the SAPI server(some url?) or how do I pass the authentication( public/private keys) over for the connection to be established?
Related
I'm trying to create a GRPC service to authenticate users. The back end server will be written in Go and the front end will be in Javascript. The connection between client and server must be secure, so I will use SSL/TLS on the server side.
My question has to do with the GRPC client API. When creating a GRPC client to make the request, I need to specify a credentials object:
var ssl_creds = grpc.credentials.createSsl(root_certs);
var stub = new helloworld.Greeter('myservice.example.com', ssl_creds);
There are a number of different credentials objects I can supply, but they all seem to require having the public key for the server present on the client side. How do I get the public key from the server to the client to create the credentials object? Do I have to do any sort of verification myself to ensure that the cert is trusted?
For libraries used to make REST HTTP requests, this step seemingly happens in the background, as I do not have to specify the key. Often you can supply the key as an optional parameter, which is only necessary when the SSL cert is not verified by some certificate authority. How are these libraries (e.g. jQuery or Python's requests library) fetching the necessary public key and performing verification? Is there similar functionality in the GRPC library which I can use for this purpose?
I'm pretty confused concerning the terminology used by IBM. I'm currently working with Watson IoT and embedded devices using MQTT. As you know, embedded devices sometimes do not have the capability to secure a connection via certificates (former SSL). Watson IoT therefore offers a secure connection (?) called "TLS with authentication token". That's what's confusing me. I learned that for a SSL (now TLS) connection you need to pass certificates to the server. How can you establish a TLS connection just by using/sending a auth token? Or do they just mean the authentication process instead of a secured and encrypted connection?
Thanks in advance and have a nice weekend!
If you're using MQTT, the simplest way to connect your device to the Watson IoT Platform is as follows:
When you register your device, you define (or get given) an authentication token - in effect, a password for that device. You have two main options on how you use this token to connect the device to Watson IoT Platform at orgId.messaging.internetofthings.ibmcloud.com:
Port 1883 (this is non-TLS)
Port 8883/443 (this is TLS)
In both cases the password is used to authenticate your device - but only in the second is the on-the-wire traffic encrypted (which is why we strongly recommend using TLS/port 8883/443 where possible). The encrypted connection is over TLS: Watson IoT Platform presents a certificate to allow your TLS-enabled device to validate the certificate and hence trust it's talking to Watson IoT Platform.
There are further options to build on this. You can configure device certificates (e.g., see here) - but I haven't discussed these as - hopefully! - I'll have answered your question using the simple patterns above. Further details on connecting to the platform are available here.
Links correct at the time of writing
We are developing a banking mobile application using MobileFirst V7.1. As it is a banking mobile application security matters more the sensitive data from mobile client to MobileFirst server trasnferred securely. hence the data should be encrypted from the mobile client/App side and sent to the MobileFirst Server and at the server side we have to decrypt the data and call the backend webservice. As per the client requirement the following are the steps to be implemented for encryption logic:
Step 1: Generate a symmetric key
A 32 bit random key will be generated
Step 2: Encrypt the data with this key, using a symmetric algorithm like AES.
The sensitive data is encrypted with the above generated key using AES algorithm
Step 3: Encrypt the symmetric key with the public key, using a asymmetric algorithm like RSA.
The key (32 bit random key generated in step1 an used for encryption of sensitive data in step2) is encrypted using the asymmetric algorithm RSA public key
Step 4: Bundle the encrypted symmetric key with the encrypted data
Bundle both the encrypted sensitive data and encrypted random key in an object and sent it to the server. At the worklight server end, from step4 to step1 is performed in reverse to decrypt and get the original data
The problem is I'm able to achieve the encryption logic from step1 to stpe4 at the application end, but when I use the same RSA alogorithm java script libraries in the MobileFirst HTTP adapter side to decrypt the data, I'm getting many errors stating that "window" is undefined, "navigator" is undefined. The RSA javascript libraries consists of navigator, window, at the mobilefirst adapter javascript file these navigaotr or window is unavailable, hence I'm getting this errors and I'm unable to move forward. Can anyone please help me to resolve this or help me in implementing the Enctyprtion logic as mentioned in the above step1 to step4 in my MobileFirst application.
Thanks in adavance.
Check this older response form stackoverflow:
I don't see issues on encrypting you adapter request/response payload(the data you send and receive inside of an adapter call).
Worklight adapter calls are not encrypted (WL.Client.invokeProcedure)
Although, if you encrypt the entire request(or response) used by this will confuse the adapter Client/Server internal communication protocol.
If you want extra protection on on the transport layer(Like HTTP/HTTPS) and maybe an extra layer. I would check if in your case, a IBM DataPower would not what you are searching for: https://en.wikipedia.org/wiki/IBM_WebSphere_DataPower_SOA_Appliances
Application Layer: https://en.wikipedia.org/wiki/Application_layer
You can use also the adapter mash up technic at the adapter calls in a single adapter endpoint to prevent unwanted eyes to try ton reverse engineer this call by its name, and this 1st adapter can decrypt the payload at the server-side and send to the wanted adapter internally(inside the server-side).
https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/adapters/advanced-adapter-usage-mashup/
I hope this helps,
You have to write own code for encryption or decryption, I think you are using third party library to do encryption/decryption which is browser based. As worklight adpater does not recognize window/navigator.
Is there a Groovy way to open a SSL connection to a server with client side authentification without using the JVM keystore?
I want to enable users to upload a public key over a website and then access a REST API on their server in a secure way. So I can have a lot of different keys which have to be loaded during runtime. I don't know if this is even possible using keystores.
I am looking for a solution, where I can just provide the keystring on connection initialization.
This is our setup - our customers will have a database server with our database on and multiple clients running our frontend. We have some WCF services to allow the clients to request info from the database and each WCF session is authenticated with a username/password stored (encrypted) in the database. This all works fine and has been in use for a couple of years.
We're now adding the ability to sign in using a USB fingerprint reader attached to client PCs. For this we store each users' fingerprint template in the database and then upload them all to the device. The device can then tell us which user has presented their finger.
What is the best way to securely allow our fingerprint client to authenticate over the WCF service without using the user's password and without opening up the system to attack from unauthorised users?
My first thought is to define a secret key that both client and server know, encrypt it on the client with a timestamp and the logged in user id and send it to the server which can then confirm that the request came from our client.
Is this a good idea? Can an attacker just relay the same message to start an unauthorised session?
I'm not a security expert so I'd prefer an existing solution over rolling my own for obvious reasons.
We're using C# and only targetting Windows.
You could use an x509 certificate stored on the Client to provide the client credentials required for the WCF service. This would work in the same way that server security is provided via SSL certificates.
Some info on working with certificates:
MSDN - Message Security with a Certificate Client
MSDN - Working With Certificates
A word of caution would be that you would obviously have to manage the distribution and validity of certificates.
Th other alternative is to use the clients windows account for authentication purposes if the client machine is on the same domain:
Some info on working with Windows Account:
Message Security with a Windows Client