3

I have read all the documentation for Keyrock and Wilma and watched all the videos in the FIWARE Academy, but I still have not succeeded with this integration. I have been searching for this for a few days now, without success. I think the FIWARE documentation could have tutorials, hands-on...

I have a VM with Orion Context Broker and a container with Keyrock IdM and Wilma PEP Proxy. I am trying to generate an access token to grant access for an application, but I have not managed it yet. Besides, I would like to know how I can securely exchange messages between the Orion Context Broker and some IoT devices. Indeed, it is hard to imagine IoT devices having to access a screen and enter their credentials to authenticate and be authorized, as the Keyrock IdM examples show. What do you suggest?

Dalton Cézane
  • I recommend that you follow the steps explained in Lesson 3 of the Keyrock courses (https://edu.fiware.org/course/view.php?id=79) to learn how to create OAuth2 tokens. Detailed documentation can be found here (http://fiware-idm.readthedocs.io/en/latest/oauth2.html). Regarding the Orion questions, my colleagues from the IoT team will help you. – Álvaro Alonso Dec 12 '16 at 11:19
  • Reading the question post, I am not sure which specific question is for Orion... @Dalton, could you elaborate a little bit, please? Thx! – fgalan Dec 12 '16 at 12:35
  • Dear @Alvaro, I had already watched all the videos in the FIWARE Academy, including lesson 3 (I watched it twice). I had problems creating the access token in my local instance of IdM. I had already created the application in my IdM portal, which gave me the client ID and the secret ID. But I had doubts about how to request a valid access token. Now, after searching a bit more, I found out and got an access token with a POST to http://idm:8000/oauth2/token. I tested it by requesting the user info with http://idm:8000/user?access_token="mytoken" and it worked. – Dalton Cézane Dec 12 '16 at 21:17
  • Now I have another doubt, @Alvaro: what is the difference between the token obtained with POST http://idm:8000/oauth2/token (Keyrock Horizon) and the token obtained with GET http://idm:5000/v2.0/tokens (Keyrock Keystone)? Could you please explain it to me and give me examples? – Dalton Cézane Dec 12 '16 at 21:19
  • @fgalan, I want to secure the communication between Orion and other applications. For example: I want to allow an application to receive notifications from Orion only if it is authenticated and authorized. I have already searched a bit, but without success so far. In the [Security Considerations](http://fiware-orion.readthedocs.io/en/master/user/security/index.html) section, I read that it is possible with a PEP Proxy. But how can I do this for notifications? Besides, can you also help me with the secure exchange of messages (HTTPS)? Thanks in advance. – Dalton Cézane Dec 12 '16 at 21:36
  • 1
    @Dalton, tokens created using the Keystone API (/v2.0/tokens) are exactly that: Keystone tokens, normally used to perform actions with OpenStack services. On the other hand, tokens created using the OAuth2 API (/oauth2/token) are access tokens used to authenticate users in the scope of external applications, following the OAuth2 specification – Álvaro Alonso Dec 14 '16 at 10:46

3 Answers

2

Regarding Orion, it depends on the interface to be secured: either the service API (i.e. the listening REST server that Orion typically runs at port 1026), the notification API, or both:

  • Regarding the service API:
    • Authentication & authorization: it can be implemented through a PEP. The following documentation introduces two alternative PEP implementations. However, note that a PEP doesn't work standalone, as it also needs the IDM and Access Control to work. I understand that @Alvaro can explain this topic in detail (with regard to Wilma PEP). It is out of my knowledge.
    • Encryption: it can be implemented by a proxy acting as an HTTPS-to-HTTP bridge (e.g. nginx) or by Orion itself using the -https CLI parameter (which works in combination with -key and -cert). This section of the documentation elaborates on it.
  • Regarding the notification API:
    • Authentication & authorization: the current implementation of custom notifications (see the "Custom notifications" section in the NGSIv2 specification) allows you to include custom HTTP headers that could be used for authentication (e.g. the X-Auth-Token header needed by a PEP instance protecting your endpoint). Note that this is currently done in a static way, i.e. Orion is not able to interact directly with IDM/AccessControl to set the X-Auth-Token value dynamically after expiration, etc. However, it would be possible to develop a process able to do this and set the proper header (if you are interested in this I'd recommend checking the "How to add a custom header in outgoing notifications with Orion?" post).
    • Encryption: it can be implemented by relying on the Rush component. This section of the documentation elaborates on it.

UPDATE: since version 1.7.0, Orion implements native HTTPS notifications (i.e. without needing Rush).

fgalan
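An added example (not from the answer above or from the Orion project) of the header-based approach and of the renewal process the answer says one could build: it creates an NGSIv2 subscription whose httpCustom notification carries an X-Auth-Token for a PEP-protected receiver, then installs a renewed token with a PATCH instead of recreating the subscription. The Orion and receiver URLs, the entity type and the attribute list are assumptions for a local deployment.

```python
import json
import urllib.error
import urllib.request

ORION_URL = "http://orion:1026"                    # assumed Orion address
RECEIVER_URL = "http://pep-receiver:1027/notify"   # assumed Wilma PEP in front of the receiver
ATTRS = ["temperature"]

def notification_block(token):
    # httpCustom makes Orion add fixed headers to every notification it POSTs;
    # the PEP protecting the receiver checks X-Auth-Token against Keyrock.
    return {"httpCustom": {"url": RECEIVER_URL, "headers": {"X-Auth-Token": token}},
            "attrs": ATTRS}

def subscription_payload(token, entity_type, expires):
    # Body for POST /v2/subscriptions; the token is fixed at creation time (the
    # static behaviour described in the answer).
    return {"description": f"{entity_type} updates to a PEP-protected receiver",
            "subject": {"entities": [{"idPattern": ".*", "type": entity_type}],
                        "condition": {"attrs": ATTRS}},
            "notification": notification_block(token),
            "expires": expires}

def token_patch(new_token):
    # Body for PATCH /v2/subscriptions/{id}: only the notification block changes,
    # so a renewed token is installed without recreating the subscription.
    return {"notification": notification_block(new_token)}

def _send(method, path, body, opener):
    req = urllib.request.Request(ORION_URL + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method=method)
    try:
        with opener(req) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:   # 4xx/5xx: report the code, no Location
        return err.code, ""

def create_subscription(token, opener=urllib.request.urlopen):
    body = subscription_payload(token, "Room", "2040-01-01T00:00:00.00Z")
    status, location = _send("POST", "/v2/subscriptions", body, opener)
    if status != 201:
        raise RuntimeError(f"subscription not created: HTTP {status}")
    return location.rstrip("/").rsplit("/", 1)[-1]   # Location: /v2/subscriptions/<id>

def rotate_token(sub_id, new_token, opener=urllib.request.urlopen):
    # Run this from the renewal process before the token's expires_in elapses.
    status, _ = _send("PATCH", f"/v2/subscriptions/{sub_id}", token_patch(new_token), opener)
    return status == 204
```

The `opener` parameter only exists so the HTTP layer can be swapped out; with the default it talks to the Orion instance at ORION_URL.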
  • Thanks for the answer, @fgalan. About the first part (service API), I had already read the documentation ([Security Considerations](http://fiware-orion.readthedocs.io/en/master/user/security/index.html)), as explained in a previous comment. I have IdM (Keyrock) and PEP Proxy (Wilma) running in a docker container (I think Access Control - AuthZForce - is not necessary for now). My doubt is about the practical side, because we have no examples of this integration (a "hands-on guide" would be very useful). Also, the documentation is not clear about how to use -https (no examples). – Dalton Cézane Dec 13 '16 at 18:21
  • The link for "httpsPrepare.sh" in the [command line options page](http://fiware-orion.readthedocs.io/en/master/admin/cli/index.html#command-line-options) is not valid anymore. This makes it more difficult to configure the environment. About the second part, I will ask a separate question as you suggested. – Dalton Cézane Dec 13 '16 at 18:25
  • It seems the link to the script is broken in the documentation. We will fix the documentation but, in the meanwhile, the script can be found here: https://github.com/telefonicaid/fiware-orion/blob/master/test/functionalTest/httpsPrepare.sh – fgalan Dec 14 '16 at 09:16
  • Could you please give me some more directions to understand how I can configure Orion and Nginx to exchange information securely? I already have nginx installed and I am now configuring it. I have doubts about how the integration with Orion works. Thanks. – Dalton Cézane Jan 10 '17 at 21:17
  • I understand you are referring to using nginx to implement the HTTPS-to-HTTP bridging described above. I don't have any example at hand, but note this is a general topic, not Orion-specific. There is plenty of literature about it (for example, http://stackoverflow.com/questions/3470290/nginx-redirect-https-to-http). – fgalan Jan 11 '17 at 12:27
  • I've already seen this information and I already have Nginx configured. I need to understand well how the process should be done so that I can send HTTPS requests to Orion and get HTTPS responses. Could you give me some more help? – Dalton Cézane Jan 11 '17 at 21:56
  • 1
    Not sure if I understand the question... If nginx is correctly configured to implement HTTPS-to-HTTP bridging (as I understand from your last comment), then you will send a request in HTTPS to nginx which, in sequence, will send the same request to Orion using HTTP. Then Orion will respond using HTTP to nginx which, in sequence, will forward the response to the original client in HTTPS. – fgalan Jan 12 '17 at 12:54
  • Thanks for the explanation. I configured nginx yesterday and now I'm able to communicate via HTTPS successfully with Orion. I put the following settings in the '.conf' file: `proxy_pass http://orion:1026; proxy_read_timeout 90; proxy_redirect http://orion:1026 https://orion;` – Dalton Cézane Jan 14 '17 at 00:19
  • 1
    Great! Maybe you could edit your answer in this post to add the nginx configuration you mention above so other users can benefit from it (currently, as part of a comments thread, it could be harder to find) – fgalan Jan 14 '17 at 19:41
  • 1
    @Dalton, it looks perfect. Thanks! – fgalan Jan 16 '17 at 17:16
  • Answer has been edited, to include relevant information regarding HTTPS notification native support in Orion 1.7.0 (to be released by the beginning of February 2017) – fgalan Jan 31 '17 at 14:18
2

Seeing the answer by @albertinisg here, I found a bash script for the token request. I changed it to use my local instances and it worked.

After registering my application at the FIWARE Portal (more information here), I had to make a POST request to http://idm:8000/oauth2/token (idm is my local instance of Keyrock). With this valid token, I can access the content in Orion.

import json
import getpass
import requests

TOKEN_URL = "http://idm:5000/v2.0/tokens"  # Keystone endpoint of the local Keyrock instance

USER = input("Username: ")
PASSWORD = getpass.getpass("Password: ")
# Let the JSON encoder build the body: concatenating strings breaks on quotes in the credentials
PAYLOAD = {"auth": {"passwordCredentials": {"username": USER, "password": PASSWORD}}}
HEADERS = {'content-type': 'application/json'}
RESP = requests.post(TOKEN_URL, json=PAYLOAD, headers=HEADERS)
RESP.raise_for_status()  # stop here on a rejected login instead of printing an error body
print(json.dumps(RESP.json(), indent=2))  # the Keystone token is in access.token.id

PEP Proxy (Wilma) configuration (config.js):

config.app_host = 'my_orion_ip'; //change to your Orion address
config.app_port = '1026'; //change to your Orion port

config.username = 'pep_proxy_credential_obtained_at_portal';
config.password = 'password_obtained_at_portal';

With the valid token and the PEP Proxy (Wilma) server running with this configuration, it is possible to control access to Orion by making requests to the PEP Proxy address. The PEP Proxy will redirect this request to the IdM (Keyrock) so that the IdM can verify the user/device credentials. If the credentials are valid, the user/device will receive a valid token and the PEP Proxy can then allow access to Orion.

For HTTPS communication, I configured an Nginx server to act as a reverse proxy (.conf file):

server {
   listen       443 ssl;   # enables TLS on this listener; "ssl on;" is the older, deprecated form
   server_name  orion;

   ssl_certificate      /etc/nginx/ssl/orion.crt;
   ssl_certificate_key  /etc/nginx/ssl/orion.key;
   ...
   ...
   location / {
       #root   orion:1026;   #/var/www/yourdomain.com;
       #index  index.php index.html index.htm;
       proxy_set_header        Host $host;
       proxy_set_header        X-Real-IP $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        X-Forwarded-Proto $scheme;

       # Fix the "It appears that your reverse proxy set up is broken" error.
       proxy_pass          http://orion:1026;
       proxy_read_timeout  90;
       proxy_redirect      http://orion:1026 https://orion;
   }
}

I made a simple tutorial about the integration of FIWARE Orion, Wilma and Keyrock: https://www.slideshare.net/daltoncezane/integrating-fiware-orion-keyrock-and-wilma

I hope this answer can help someone else.

Dalton Cézane
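The script in the answer requests a Keystone token (/v2.0/tokens). As an added example (not from this answer or from the FIWARE projects), here is the OAuth2 password-grant request to the /oauth2/token endpoint the answer's text refers to, followed by a read of Orion entities through the Wilma PEP, which checks the X-Auth-Token with Keyrock before forwarding the request to Orion. The PEP address, the client credentials and the shape of the error handling are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

IDM_TOKEN_URL = "http://idm:8000/oauth2/token"  # Keyrock OAuth2 endpoint named in the answer
PEP_URL = "http://pep-proxy:1027"               # assumed address of the Wilma PEP proxy

def build_token_request(client_id, client_secret, username, password):
    # OAuth2 password grant as Keyrock expects it: the application's client_id and
    # client_secret go in HTTP Basic auth, the user's credentials in a form-encoded
    # body. Returned as (headers, body) so the request can be checked offline.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "password",
                                   "username": username,
                                   "password": password}).encode()
    return headers, body

def parse_token_response(raw):
    # Return (access_token, expires_in); fail loudly rather than sending an empty
    # X-Auth-Token to the PEP later on.
    data = json.loads(raw)
    if not data.get("access_token"):
        raise ValueError(f"no access_token in response: {data}")
    return data["access_token"], int(data.get("expires_in", 0))

def get_access_token(client_id, client_secret, username, password,
                     opener=urllib.request.urlopen):
    headers, body = build_token_request(client_id, client_secret, username, password)
    req = urllib.request.Request(IDM_TOKEN_URL, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return parse_token_response(resp.read())

def build_orion_request(path, token):
    # Query Orion through Wilma: the token travels in X-Auth-Token, which the PEP
    # validates against Keyrock before forwarding the request to Orion (port 1026).
    return PEP_URL + path, {"X-Auth-Token": token, "Accept": "application/json"}

def list_entities(token, opener=urllib.request.urlopen):
    url, headers = build_orion_request("/v2/entities", token)
    with opener(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)
```

Call `get_access_token` with the client ID and secret shown on the application's page in the Keyrock portal, then pass the returned token to `list_entities`; the `expires_in` value tells you when a new token has to be requested.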
0

The following presentation shows you step by step how to create a FIWARE-based IoT platform and secure it using a PEP Proxy, Keystone and Keypass.

https://docs.google.com/presentation/d/18LaWZSK4h2wncPF6hNAwK5MToLvJesR3XLrzsqrsmrw/edit?usp=sharing

I hope this helps

thanks