ankaios icon indicating copy to clipboard operation
ankaios copied to clipboard

Published 20 hours ago verified publisher icon eclipse-ankaios

Secure communication between server, agent and CLI using mTLS

Open windsource opened this issue 1 year ago • 8 comments

Description

Currently the communication between server and agent via gRPC is unencrypted. In order to provide authentication and encryption mTLS shall be used.

Goals

  • The mTLS encryption shall be optional (not required during development)
  • A script shall be provided to create CA and certificates
  • It shall be documented how to use the generated or existing certificate with Ankaios server and agent
  • Server, agent and CLI shall be extended to use mTLS per default (--insecure as extra option)

Tasks

  • [x] Check if existing gRPC crate supports mTLS: yes, an example can be found here: I'll also add the link to the description. Some features are not supported (see here ), but they are irrelevant for us
  • [ ] Extend server and agent with mTLS capabilities (also add command line flags) (don't forget to check the permissions on the files and reject starting if the permissions are too open)
  • [ ] Provide scripts to generate CA and certs
  • [ ] Enhance documentation
  • [ ] Enhance SW design and requirement tracing

windsource avatar Sep 05 '23 08:09 windsource