[hono-dev] Questions regarding Certificate Based Authentication in Hono

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[hono-dev] Questions regarding Certificate Based Authentication in Hono

From: "Poehn Sebastian (INST/ECS4)" <Sebastian.Poehn@xxxxxxxxxxxx>
Date: Mon, 14 May 2018 13:38:28 +0000
Accept-language: en-US, de-DE
Delivered-to: hono-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/hono-dev>
List-help: <mailto:hono-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/hono-dev>, <mailto:hono-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/hono-dev>, <mailto:hono-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AdPriML0VlTwldXNRe6piHomQFTAhQ==
Thread-topic: Questions regarding Certificate Based Authentication in Hono

Hello Hono project

I just had a look on the upcoming support for certificate based authentication in 0.6. This looks perfectly built for our purposes. Very good work, really looking forward for 0.6 release so we can use this cool new feature.

Sadly there is no comprehensive Getting Started or User Guide for this particular feature yet.

So I will summarize how I interpreted the pieces I have discovered:

* Setup cert based authentication for a tenant
Import the CA certificate's public key and subject DN for the tenant
https://www.eclipse.org/hono/api/tenant-api/#trusted-ca-format

* Setup cert based authentication for a device
Create a credential object with:
"type": "x509-cert"
"auth-id": Subject DN of the device specific certificate
https://www.eclipse.org/hono/api/credentials-api/#x-509-certificate

Next I was wondering how the authentication/authorization workflow is:

1) Device establishes connection to Protocol Adapter, including the device certificate
2) Protocol Adapter extracts the certificate Issuer DN
3) Protocol Adapter performs lookup on tenant API for the DN (subject-dn)
4) Tenant API returns the tenant, including the CA cert's public key
5) Protocol Adapter verifies the device certificate against the CA cert's public key
6) Protocol Adapter extracts the certificate Subject DN
7) Protocol Adapter performs lookup on credentials API for the DN (auth-id)
8) Credentials API returns the credentials
9) Now the device-id is known and verified

In addition I have some advanced questions:
* As of now trusted-ca contains one certificate. How can an expiry of the CA certificate be handled (as one would like to rotate the public key too)?
* Is it required to import the CA certificates to the Java trust store in addition to the tenant API?
* Is it possible to use a sub CA for the trusted-ca if a certificate hierarchy with multiple CAs is used (e.g.  Root CA <-> Sub CA A <-> Sub CA A1 <-> Device)
* What about certificates contained in the Java trust store? Is it possible to omit the public-key for those?

Best regards
Sebastian Pöhn

Follow-Ups:
- Re: [hono-dev] Questions regarding Certificate Based Authentication in Hono
  - From: Hudalla Kai (INST/ECS4)

Prev by Date: Re: [hono-dev] Commands using the HTTP adapter
Next by Date: Re: [hono-dev] Questions regarding Certificate Based Authentication in Hono
Previous by thread: [hono-dev] Build failed in Jenkins: Hono-Nightly #629
Next by thread: Re: [hono-dev] Questions regarding Certificate Based Authentication in Hono
Index(es):
- Date
- Thread

Breadcrumbs