Security considerations
Authentication and Authorization
Orion doesn't provide "native" authentication nor any authorization mechanisms to enforce access control. However, authentication/authorization can be achieved the access control framework provided by FIWARE GEs.
More specifically, Orion is integrated in this framework using the FIWARE PEP Proxy GE. At the present moment, there are two GE implementations (GEis) that can work with Orion Context Broker:
In the above links you will find the documentation about how to use both GEis.
HTTPS API
Orion Context Broker supports HTTPS, using the -https
options (which in addition needs the
-key
and -cert
options, to specify the files containing the private key
and certificates for the server, respectively). Check the command line
options section in the administration manual for
details.
Note that current Orion version cannot run in both HTTP and HTTPS at the
same time, i.e. using -https
disables HTTP.
HTTPS notifications
Apart from using HTTPS in the API server exported by Orion, you can also use HTTPS in notifications. In order to do so you have to use the "https" protocol schema in URL in your subscriptions, e.g.
...
"url": "https://mymachime.example.com:1028/notify"
...
Orion will send HTTPS notification natively. Note that by default Orion will
reject connections to non-trusted endpoints (i.e. the ones which certificate cannot be authenticated
with known CA certificates). If you want to avoid this behaviour you need to use the -insecureNotif
CLI parameter but note that doing so is an insecure configuration (e.g. you could suffer
man-in-the-middle attacks).