2

Very simple question: Does the Orion Context Broker support SSL for subscribers?

Ex.: Can the callback URL for subscriptions be https://mysimpleexample.com/notify

I've tried this (using a trusted certificate!), and this does not seem to work for me.

That being said, I've not run the Orion Context Broker using the -https option. However, looking at the manual, this option seems to be for using SSL on the context broker HTTP server, and has nothing to do with client subscriptions.

Edit: I did try this on an http endpoint and then on an https endpoint with the same hostname afterwards. Only the https endpoint had issues.

Mikael Guldborg

1 Answer

0

You are right: -https CLI is about activating HTTPS in the (server side) Orion NGSI API. It is not related to the notifications sent by Orion.

Orion doesn't directly support (client side) HTTPS notifications but the functionality could be achieved using an HTTP relayer, such as Rush. Using an HTTP relayer has additional advantages such as relieving Orion from dealing with notification fails, retries, etc.

Orion-Rush integration is not yet achieved, but it is in our short-term roadmap. Please have a look at (and eventually subscribe to, if you want to know when the functionality gets implemented) https://github.com/telefonicaid/fiware-orion/issues/251

UPDATE: Orion-Rush integration for HTTPS was implemented in Orion 0.13.0. See "Security considerations" section at Orion user manual.

UPDATE: Rush has been added as part of the global context management instance, so CB at orion.lab.fi-ware.org now supports HTTPS notifications. However, a bug currently makes CB ignore default port for "https" URL scheme, so use 443 explicitly (e.g. https://foo.bar:443/path).

UPDATE: the bug mentioned in the previous update note is fixed in Orion release 0.17.0.

UPDATE: since version 1.7.0, Orion implements native HTTPS notifications (i.e. without needing Rush).

fgalan
  • 1
    I see. This would simply require an additional component to be installed on the Linux VM and would be transparent to the subscriber. It would be nice if this could be included on the images or blueprints available on the cloud portal. – Mikael Guldborg Apr 28 '14 at 13:19
  • Good point. We should include Rush in the orion-psb-image VM template at FI-LAB cloud and also provide a receipt for it for blueprints – fgalan Apr 28 '14 at 14:42
  • @fgalan The global instance available at FIWARE Lab currently doesn't support https subscribers. Can you update the FIWARE Lab instance to add that support? – Álvaro Arranz Oct 19 '14 at 09:06
  • @ÁlvaroArranz, good point. Orion instance at orion.lab.fi-ware.org should run with `-rush` option enabled (pointing to the proper Rush instance) so users of that Orion instance may use HTTPS notifications. We will work on it. – fgalan Oct 19 '14 at 12:25
  • 1
    The FIWARE Lab instance of Orion is now accepting HTTPS callback URLs :). Thanks @fgalan. – Álvaro Arranz Nov 17 '14 at 10:01
  • Answer has been edited, to include relevant information regarding HTTPS notification native support in Orion 1.7.0 (to be released by the beginning of February 2017) – fgalan Jan 31 '17 at 14:18
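
A pre-flight check for subscription callback URLs that applies the version milestones from the answer's UPDATE notes. This is an added example, not part of the original answer or of Orion's code; the function and constant names are hypothetical, and it assumes every release from 0.13.0 up to 0.17.0 is affected by the default-port bug.

```python
from urllib.parse import urlsplit, urlunsplit

# Release milestones taken from the answer's UPDATE notes.
RUSH_HTTPS = (0, 13, 0)      # HTTPS notifications possible through Rush
PORT_BUG_FIXED = (0, 17, 0)  # default https port honoured from this release on
NATIVE_HTTPS = (1, 7, 0)     # HTTPS notifications without Rush


def parse_version(text):
    """Turn '0.16.0' into (0, 16, 0) so releases compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def plan_callback(orion_version, callback_url):
    """Return (url_to_register, needs_rush) for a subscription callback.

    Raises ValueError when that Orion release cannot deliver to the URL.
    """
    version = parse_version(orion_version)
    url = urlsplit(callback_url)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("callback must be an absolute http(s) URL")
    if url.scheme == "http":
        return callback_url, False  # plain HTTP works on every release
    if version < RUSH_HTTPS:
        raise ValueError("Orion %s cannot send HTTPS notifications" % orion_version)
    needs_rush = version < NATIVE_HTTPS
    # Assumption: every Rush-era release before 0.17.0 has the default-port bug.
    if version < PORT_BUG_FIXED and url.port is None:
        # Append the port to netloc; userinfo and IPv6 brackets stay intact.
        url = url._replace(netloc=url.netloc.rstrip(":") + ":443")
    return urlunsplit(url), needs_rush


if __name__ == "__main__":
    # Constructed sample inputs: one callback URL checked against four releases.
    for release in ("0.12.0", "0.16.0", "0.17.0", "1.7.0"):
        try:
            print(release, plan_callback(release, "https://foo.bar/path"))
        except ValueError as err:
            print(release, "rejected:", err)
```

When `needs_rush` is true, the broker has to be started with the `-rush` option pointing at a Rush instance, as described in the comments above.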