Step 3: Enabling security

Securing Your Streaming Use Case

When you are building your streaming use case, you might be dealing with sensitive data. Data which should not end up in the wrong hands. For this reason, security is an important aspect in Axual and enabled by default. This means that at a minimum:

  • Data transfer is encrypted between client and platform

  • Clients are authenticated and authorized on a particular stream

Mutual TLS: The Foundation

In the next step you will use Self Service to define applications which will produce and consume data from the desired stream.

Regardless of what technology those applications use, they use a SSL certificate to authenticate to the platform. The authentication and authorization mechanism is based on mutual TLS which means that both server (platform) and client, should trust each other.

Mutual TLS clarified

Secondly, your app needs to have access to this certificate when making the connection to the platform. Thirdly, the platform authorizes application access to a particular data stream based on the application principal.

1. Setting Up Trust

In order to set up trust between the platform and the producing or consuming clients a truststore is being used. The truststore contains the CA and/or intermediate CA certificates of the client. In the handshake between client and server, the server will present its own certificate, which needs to be trusted by the client before a secure connection can be established.

When using the local Axual installation, you can use the truststore which is bundled. It is found in the local-config/security/applications folder:

├── common-truststore
│   ├── cachain
│   │   └── common-truststore.pem
│   ├── jks
│   │   └── common-truststore.jks
│   └── p12
│       └── common-truststore.p12
└─- example-{consumer/producer}
    ├── cer
    │   └── example_{consumer/producer}.cer
    ├── jks
    │   └── example-{consumer/producer}.client.jks
    ├── keys
    │   ├── example_{consumer/producer}.key
    │   └── example_{consumer/producer}.pub
    └── p12
        └── example-{consumer/producer}.client.p12

2. Application Certificate

Next, you need a certificate for your consumer/producer which is issues by either the CA directly or the intermediate CA. When using the local setup of the platform, you can use the keystore which is bundled with the local setup tarball, it is found in the local-config/security/applications folder (see above).

if you are not using a local Axual installation, use the truststore that is advised by the Stream Team and request a certificate with the appropriate authority, usually a PKI within your company. Your Stream Team can help you with this.

Next Step: Creating Applications

You are now ready to move on to the next step 4. Creating Applications to create your application(s) in Self Service.