Security considerations
Authentication and Authorization
Orion does not provide "native" authentication or any authorization mechanism to enforce access control. However, authentication and authorization can be achieved using the access control framework provided by the FIWARE GEs.
More specifically, Orion is integrated into this framework through the FIWARE PEP Proxy GE. At present there are two GE implementations (GEis) that can work with Orion Context Broker:
The links above point to the documentation on how to use each of the two GEis.
HTTPS API
Orion Context Broker supports HTTPS, using the -https option (which in addition needs the -key and -cert options, to specify the files containing the private key and the certificate for the server, respectively). Check the command line options section in the administration manual for details.
Note that the current Orion version cannot run on both HTTP and HTTPS at the same time, i.e. using -https disables HTTP.
HTTPS notifications
Apart from using HTTPS in the API server exposed by Orion, you can also use HTTPS in notifications. To do so, use the "https" URL scheme in the notification URL of your subscriptions, e.g.
NGSIv2:
...
"url": "https://mymachime.example.com:1028/notify"
...
NGSIv1:
...
"reference": "https://mymachime.example.com:1028/notify"
...
If you use the Rush relayer (see how to run Orion using Rush), the request from Orion to Rush is sent over plain HTTP, and Rush then encrypts it using HTTPS towards the final receiver; that first hop is unprotected, so keep it on a trusted network (for example, the same host). If you don't use the Rush relayer, Orion sends the HTTPS notification natively. In that case, note that by default Orion rejects connections to non-trusted endpoints (i.e. those whose certificate cannot be validated against the known CA certificates). If you want to avoid this behaviour you need to use the -insecureNotif CLI parameter, but note that doing so is an insecure configuration: the receiver's certificate is no longer checked, so the notifications could be intercepted or redirected by a man-in-the-middle attacker.
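The following is an added example, not code from Orion or its documentation, that ties together the two points above: it builds NGSIv2 and NGSIv1 subscription bodies whose notification endpoint uses the "https" scheme (refusing plain "http" unless the caller explicitly allows it), and it expresses the certificate policy of native HTTPS notifications as Python ssl contexts, so you can preflight the receiver with the same rules Orion applies by default and see exactly what -insecureNotif gives up. The hostname, port, entity type and attribute names are made up for the illustration; the subscription field layout follows the NGSIv2 (/v2/subscriptions) and NGSIv1 (/v1/subscribeContext) formats.

```python
"""Added example (not part of Orion or its documentation): HTTPS notification
subscriptions for NGSIv2/NGSIv1, and the TLS verification policy of native
HTTPS notifications (default vs -insecureNotif) as Python ssl contexts.
Hostname, port and attribute names below are constructed for the illustration."""
import json
import socket
import ssl
from urllib.parse import urlsplit

NOTIFY_URL = "https://mymachine.example.com:1028/notify"  # assumed receiver


def is_https(url):
    """True when the URL uses the https scheme."""
    return urlsplit(url).scheme == "https"


def require_https(url, allow_http=False):
    """Return url if its scheme is https. Plain http is only accepted when the
    caller opts in, mirroring the advice that notifications should use https."""
    if is_https(url) or (allow_http and urlsplit(url).scheme == "http"):
        return url
    raise ValueError("notification URL must use https: " + url)


def ngsiv2_subscription(url, entity_type="Room", attrs=("temperature",)):
    """NGSIv2 body for POST /v2/subscriptions; the notification URL sits under
    notification.http.url (the "url" key shown in the page's fragment)."""
    return {
        "description": "HTTPS notification example (constructed)",
        "subject": {
            "entities": [{"idPattern": ".*", "type": entity_type}],
            "condition": {"attrs": list(attrs)},
        },
        "notification": {"http": {"url": require_https(url)}, "attrs": list(attrs)},
        "throttling": 5,
    }


def ngsiv1_subscription(url, entity_type="Room", attrs=("temperature",)):
    """NGSIv1 body for POST /v1/subscribeContext; the notification URL is the
    top-level "reference" field shown in the page's fragment."""
    return {
        "entities": [{"type": entity_type, "isPattern": "true", "id": ".*"}],
        "attributes": list(attrs),
        "reference": require_https(url),
        "duration": "P1M",
        "notifyConditions": [{"type": "ONCHANGE", "condValues": list(attrs)}],
        "throttling": "PT5S",
    }


def notification_tls_context(insecure=False, cafile=None):
    """TLS policy of native HTTPS notifications as an ssl.SSLContext.
    Default: the certificate chain must validate against known CAs and the
    hostname must match. insecure=True is the -insecureNotif equivalent:
    no chain and no hostname check, so anyone holding any certificate can
    impersonate the receiver."""
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def preflight(url, insecure=False, cafile=None, timeout=5.0):
    """Open a TLS connection to the receiver with the same policy Orion would
    apply, so a certificate problem surfaces here instead of as notifications
    that never arrive. Returns (ok, detail); needs network access."""
    parts = urlsplit(require_https(url))
    ctx = notification_tls_context(insecure, cafile)
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
                return True, tls.version()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(json.dumps(ngsiv2_subscription(NOTIFY_URL), indent=2))
    print(json.dumps(ngsiv1_subscription(NOTIFY_URL), indent=2))
    print(preflight(NOTIFY_URL))
```

Run the preflight against your real receiver before creating the subscription: if it fails with the default context but succeeds with insecure=True, the receiver's certificate does not chain to a CA Orion trusts, and the fix is to install a proper certificate on the receiver (or point Orion at the right CA bundle), not to reach for -insecureNotif.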