I am trying to get data into Azure Iot-Hub using a SARA-R410-02B module (NB-IoT) via MQTT or HTTPS. Microsofts MQTT guide for IoT-Hub states that:
For the Username field, use {iothubhostname}/{device_id}/?api-version=2018-06-30, where {iothubhostname} is the full CName of the IoT hub.
For example, if the name of your IoT hub is contoso.azure-devices.net and if the name of your device is MyDevice01, the full Username field should contain: contoso.azure-devices.net/MyDevice01/?api-version=2018-06-30
For the Password field, use a SAS token. The format of the SAS token is the same as for both the HTTPS and AMQP protocols:
SharedAccessSignature sig={signature-string}&se={expiry}&sr={URL-encoded-resourceURI}
This means that the username (and password) will exceed the 30-character limitation that i have on the SARA-R410. Is there any way around this? I have the same limitation when it comes to HTTPS.
I have found that the password limitation can be solved by using x.509 certificates, but the username remain the same.
If your device is capable of X.509 authentication then it will resolve your password issue but, as you note, it will not resolve your user identity problem. You might try it without the api parameter and see if it will assume a default. That would give you a few characters to play with if it worked.
Failing that, you would need to set up an application to receive the telemetry and forward it to the hub. Such as publish everything to a mosquito server and have an app subscribe to it and forward. Unfortunately adds more administration and points of failure.
I´ve tried without the api parameter for the HTTP, and it does not work. I have some problems with coverage, so i still haven't tried with MQTT, but I am guessing that the result will be the same?
I got an answer from u-blox. They say it can be worked around by implementing the MQTT protocol using sockets on the SARA-R410. This seems like the best solution.
Related
I am using RabbitMQ with SSL/TLS in order to allow confidentiality, integrity and authentication. The message sent is encrypted using sender and broker certificates between sender and broker and then encrypted using broker and receiver certificates between broker and receiver.
My configuration file looks like this:
{ssl, [{versions, ['tlsv1.2']}]},
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile, "...ca_certificate.pem"},
{certfile, "...certificate_signed.pem"},
{keyfile, "...private_key.pem"},
{password, "pass"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{versions, ['tlsv1.2']}]}
]}
However this is not enough because I need that a receiver/consumer to be able to assure the sender/publisher identification, like described in here. At the receiver I only can access certificate information from the broker certificate.
A solution to that would be to use user-id message property, like i found in the documentation.
This property, sent in every message, will make sure that a message will only be published successfully if the user-id property is equal to the username used for that user to login in the RabbitMQ broker. Since I am already using certificates for SSL I will probably use them also to serve as user authentication with the broker as described here
My problem:
I am using RabbitMQ for communication between agents in a simulation platform and agents are created dynamically, so I would need for dynamic user creation at RabbitMQ which seems not to be possible.
Does someone know if I can do dynamic user creation somehow? Or suggest another approach to my authentication problem?
Thanks
The user-id property is not a security feature. It just sets information in the message header so that you can know who produced the message.
If you want authentication and autorization using certificates, you can follow the directives in the article you linked (https://weblogs.asp.net/jeffreyabecker/Using-SSL-client-certificates-for-authentication-with-RabbitMQ), especially in the section "Configuring Client authentication via certificates".
In short, you need to install the rabbitmq-auth-mecanism-ssl plugin (see here https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl/blob/master/README.md) and configure it following the documentation. You also need to create a passwordless internal user in RabbitMQ that has the same CN (common name) as your certificate to be able to give it authorizations.
If you want everything to be automated (as it should be), each time you want to create a new agent, you have to :
Generate a client key/certificate pair using openssl (see : https://superuser.com/questions/226192/avoid-password-prompt-for-keys-and-prompts-for-dn-information). Your key needs to be trusted by the same certificate authority that RabbitMQ trusts (in your SSL setup).
Create a user in RabbitMQ using rabbitmqctl (https://www.rabbitmq.com/management.html)
In my view, this is a very secure setup if you protect the generated keys so that only the agents have access to them.
On this page: https://developers.docusign.com/esign-rest-api/code-examples/webhook-status, the last section is called: There’s more. And there you can read that there are 3 ways to check that DocuSign is making the web hook request:
you can check the SSL/TSL certificate of the webhook caller (DocuSign).
set DocuSign to digitally sign the data
DocuSign publishes the IP address ranges
If we examine all these options we have:
This is false, you can't check the SSL certificate of who is making the request to you. SSL certs are designed to be used by clients connecting to servers to check that there is no man in the middle attack. And only the client can verify the cert of a server, not the other way around.
I can't find on the page any mention how to set the signature, and most importantly, how to check it.
The link provided to the Public IPs: https://trust.docusign.com/en-us/trust-certifications/ip-ranges/, does not work.
My questions are:
Where can I find some documentation about the signature process?
Where is the page with the public IPs?
The best way to do that is to create an HMAC key and use that to confirm that the calls are authentic.
Here is a full article on how to do that - https://developers.docusign.com/esign-rest-api/guides/connect-hmac
Thank you for reporting the out of date documentation. I've filed an internal bug report, DEVDOCS-1565, to have it updated.
As Inbar says in his answer, these days, the best solution is HMAC. You can also combine it with Basic Authentication if you're using DocuSign webhooks at the account level.
HMAC gives you the guarantees that the message did originate from DocuSign and that the message was not altered in transmission.
Don't set up a server on the Internet
The old way of receiving webhook messages was to set up a server that is accessible on the public internet. Due to the costs and Information Security issues creating and maintaining a service on the Internet, these days I suggest that you skip it.
Instead, use a cloud PAAS (AWS, Azure, Google Cloud, etc etc) to receive and queue the messages. Then, from behind your firewall, you can dequeue and process them. (With no changes to your firewall.)
See the Connect- series of code examples.
Mutual TLS for checking the client's certificate
Note that you can check the certificate of a client. This feature of the TLS (ne SSL) protocol is called Mutual TLS and is supported by DocuSign webhooks.
But HMAC is better since it also guarantees message integrity.
I have created an azure signalr service with serverless option.
The negotiate function is able to generate JWT token with 'x-ms-client-principal-name' and the connection gets established without issues.
I have referred https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-concept-serverless-development-config and the function is able to send events to a particular userid/groups.
I have been asked to secure the client - server communication.
I am new to security domain. I referred https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-tutorial-authenticate-azure-functions this link but I am not able to configure the given sample app and not able to understand the concept.
My scenario is: I have a Client .net web app in which user can login using organization account as well as using google.
This app calls azure signlar negotiate function with userID and the deviceId in which it is interested to receive events through signalR function.
Signalr function gets events from the azure eventhub trigger and sends it to the groups.
Please help me to increase the security of this application. Is the token received from negotiate function sufficient as far as security is concerned?
Can any unauthorized user connect to my azure subscribeToGroup/sendEvent functions with the acquired jwt token from negotiate?
I am trying to use this https://github.com/Azure/azure-functions-signalrservice-extension in which idToken and claimTypeList are additional parameters along with x-ms-client-principal-name(userid). But I am not able to understand this with respect to security.
The client in this sample is index.html with auth.js. But how it is said to be secure is not understandable.
Please help and direct me for the correct setup and code.
We are having issues with Connect notifications from our DocuSign demo account.We are not able to receive any updates from our Connect configuration. Though, when I republished the XML from Connect logs, I did receive a Connect update to a specified URL.
When I created new envelopes using API as well as from DocuSign account itself, I never got any notifications to the same URL.I do not even see a Connect log.
We do not have any issues with Connect notifications for our DocuSign live account.
We have never experienced this issue before with Connect updates from our DocuSign demo account.
Please advise.
Just a hunch - do you use http or https? connect can only work over port 443 with a valid SSL certificate. If you're on localhost - you may need to get a temp certificate or something like that but also using azure websites is good way to avoid this issue since they're pretty much just as good as working on your localhost
My server must receive data from a number of devices who have downloaded my application through an app store or otherwise trusted channel. I need a method to verify that data my server receives is actually from these devices. The server does not have access to a list of these devices ahead of time.
What are some popular ways to accomplish this?
Depends on the platform. The accepted answer to the linked question offers the idea (of using SSL for authentication).
I'd like to add to that answer, that if the client has some API with non-exportable private keys (either hardware-based or encrypted like CryptoAPI certificate storage in Windows), then you can store client certificates there.