Questions about CPE authentication

[mhekt]

Hi Xmidt team,

I am new to Xmidt and am currently exploring ways to authenticate CPEs. I have a few questions and would appreciate a quick response.

It appears that the preferred method is to use JWTs issued by Themis to the CPE. However, I am unsure how the Themis /issue API is protected from unauthorized access in this scenario. The Xmidt documentation mentions using mTLS between CPE and Themis, but I haven't found a way to configure Themis to reject requests that lack mTLS authentication. The only configuration option I found was for setting the TLS server certificates:

issuer:
  tls:
    key: "/etc/themis/testkey.pem"
    certificateFile: "/etc/themis/testcert.pem"

How can mTLS be utilized with Themis? Alternatively, is there another method to secure the /issue API?

Another option I discovered is mTLS for the WSS connection. Parodus has the options mtls-client-cert-path and mtls-client-key-path. However, I am also unsure how to enforce an mTLS WSS connection in Talaria. Is there a way to restrict Talaria to only allow mTLS-secured WSS connections?

Thank you very much.

[mhekt]

I chose JWT as the authentication mechanism for CPE and secured the issue API with an mTLS proxy.

However, I am unable to configure Talaria to only accept CPEs with a valid JWT. This issue is similar to what has been described in xmidt-org discussions #74 and xmidt-org issue #25. Unfortunately, the link to the solution is no longer functional.

Here is my Talaria configuration:

build: unknown
control:
  address: :6203
device:
  manager:
    deviceMessageQueueSize: 1000
    idlePeriod: 2m
    maxDevices: 1000
    pingPeriod: 1m
    upgrader:
      handshakeTimeout: 10s
  outbound:
    allowedSchemes:
    - http
    - https
    authKey: dXNlcjpwYXNz
    clientTimeout: 2m
    defaultScheme: http
    enableConsulRoundRobin: true
    eventEndpoints:
      default: http://caduceus:6000/api/v4/notify
    method: POST
    outboundQueueSize: 2000
    requestTimeout: 2m
    retries: 3
    transport:
      idleConnTimeout: 120s
      maxIdleConns: 0
      maxIdleConnsPerHost: 100
    workerPoolSize: 50
domain: ""
eventMap:
  default: http://caduceus:6000/api/v3/notify
flavor: mint
health:
  address: :6201
inbound:
  authKey: dXNlcjpwYXNz
  requestTimeout: 120s
jwtValidator:
  Config:
    Resolve:
      Template: http://themis:6500/keys/{keyID}
deviceAccessCheck:
  type: "enforce"
  checks:
    -
      name: Trusted Device
      deviceCredentialPath: trust
      op: "gt"
      inputValue: 999
log:
  file: stdout
  json: true
  level: DEBUG
  maxage: 30
  maxbackups: 10
  maxsize: 50
metric:
  address: :6204
  metricsOptions:
    namespace: xmidt
    subsystem: talaria
pprof:
  address: :6202
primary:
  address: :6200
  #certificateFile: "/etc/talaria/server.cert.pem"
  #keyFile: "/etc/talaria/server.key.pem"
region: east
server: 192.168.0.165
service:
  consul:
    client:
      address: consul0:8500
      scheme: http
      waitTime: 30s
    datacenterRetries: 3
    disableGenerateID: true
    registrations:
    - address: 192.168.0.165
      checks:
      - checkID: 192.168.0.165:http
        deregisterCriticalServiceAfter: 70s
        http: http://192.168.0.165:6201/health
        interval: 30s
      id: 192.168.0.165
      name: talaria
      port: 6200
      tags:
      - stage=dev
      - flavor=mint
    watches:
    - crossDatacenter: false
      passingOnly: true
      service: talaria
      tags:
      - stage=dev
      - flavor=mint
    - crossDatacenter: false
      passingOnly: true
      service: caduceus
      tags:
      - stage=dev
      - flavor=mint
  defaultScheme: http
  vnodeCount: 211
stage: dev
tracing:
  endpoint: http://zipkin:9411/api/v2/spans
  provider: zipkin
failOpen: false

Prometheus command with JWT:

parodus --hw-mac=CCB8F11703D4 --webpa-ping-time=60 --webpa-interface-used=eth0 --webpa-url=http://192.168.0.165:6400 --partner-id=comcast --webpa-backoff-max=9 --force-ipv4 --ssl-cert-path=/etc/ssl/certs/ca-certificates.crt --client-cert-path=client_certs/cpe0.certkey.pem --token-server-url=https://192.168.0.165:19443/issue

Prometheus command without JWT:

parodus --hw-mac=CCB8F11703D4 --webpa-ping-time=60 --webpa-interface-used=eth0 --webpa-url=http://192.168.0.165:6400 --partner-id=comcast --webpa-backoff-max=9 --force-ipv4 --ssl-cert-path=/etc/ssl/certs/ca-certificates.crt

I can confirm that Prometheus is receiving and sending a valid JWT, but Talaria still accepts connections without the JWT. Can anyone provide guidance on how the configuration file should be set up to allow only connections with JWTs?

[mhekt]

I found the issue. The docker image talaria:latest is too old for the config option failOpen: false.