This page last changed on Mar 05, 2012 by vincentkriek.

Hi,

We are currently working on an internship in which the goal will be to integrate authentication and authorization into the OpenRemote project. We want to secure the connection between the client application and the controller and we would like to do this without a username and password.

The global idea is to be able to authorize devices which are uniquely recognized in the controller. For this we are going to use SSL client certificates to identify clients.

We have already researched this topic a bit and documented this. Attached to this message is a PDF with our research document about the security.

With kind regards,
Melroy van den Berg
&
Vincent

Security research: https://docs.google.com/document/d/1N2f_zkaP-EKBfqHxviSA4L1fPBcuooiU23WXIWRvDcg/edit


We have made some progress these weeks, proof of concept is now up and running. Code can be found on GitHub. A brief overview of what has been done this week can be found here.

Posted by vincentkriek at Mar 16, 2012 07:45

This looks very interesting. Thanks and keep up the good work
Beside the certificate generation and exchange, did you already include the group assignment within the designer?
This is not new and a few people already asked for it.
--Marcus

Posted by mredeker at Mar 16, 2012 08:49

Hi Marcus!

We have not yet included the group assignment within the designer, this will be done further in the project. The first step is being able to authorize people to use the entire ORB after which groups will be implemented.

Posted by vincentkriek at Mar 16, 2012 08:54

Hi,

We have an update to announce. We created your first stable release (v1.1) of our OpenRemote Security project.

We created 2 diagrams to explain our basic software design.

The image below is a flowchart which represents the first initial request of the client:

The second image is a sequence diagram about how the client asks for permissions and the administrator approves it:

We use GitHub/Git to host our files; the tags can be found here:
https://github.com/DomoTop/DomoTop/tags

Version 1.1 is the latest tag.

We also created a War & APK for you.
OpenRemote Controller (WAR): http://openlaptop.nl/openremote/controller.war (Right click -> Save as...)
OpenRemote Android Application (APK): http://openlaptop.nl/openremote/OpenRemoteConsole.apk (Right click -> Save as...)

Note:
Only installing the WAR is not enough, so please follow our README (Installing) line by line at: https://github.com/DomoTop/DomoTop/tree/master/Product

If you have any remarks and/or additions we would like to know them. You can either place them in this topic or create a new issue on our GitHub page:
https://github.com/DomoTop/DomoTop/issues?state=open

We would like to hear from you soon.

Thanks in advance.

Kind regards,

Vincent Kriek
&
Melroy van den Berg

Posted by danger89 at Apr 20, 2012 12:43

Guys, we would like to integrate your code in our open source code base.
I think Juha already mentioned our "code contribution formular".
Once you have signed we can talk about integration.

We also want to use certificates to authenticate a controller against a designer account so that the controller can publish discovered devices to the designer and perform syncing automatically without user interaction once a controller is linked to an account.

All the handling of certificates is supposed to move into Beehive and there should be REST/JSON interface where you can create certificates and download/delete them.
The frontend to deal with the account/certificate service should be integrated into the designer.

I will publish some more info about this in a new forum thread soon.

Posted by mredeker at May 22, 2012 09:49

Hi Marcus!

We are very excited that you are so positive about our additions. We would love to work with you to get our changes integrated. We are currently working with our employer to get the code contribution formular signed and out of the way.

However we have a few remarks about moving the certificates from the controller to the designer. Having them on the controller was a decision we made that we think is correct. Let me explain.

In our system we have a "database" of clients on the Controller. These clients have requested access to the controller and might have gotten access as well. They have gotten certificates created specifically for this installation of the OpenRemote controller. It allows encrypted traffic between the Controller and the client, and just that controller and client.

Having this in the beehive feels counterintuitive to us. Why would you want to have a database of all the users in the beehive? Isn't it more logical to keep them in the controller? Our question is, what are your reasons for wanting that in the Beehive and designer?

Posted by vincentkriek at May 22, 2012 12:27

A controller is not the first element in the chain, it's a user account from the Designer.
The user there (maybe an installer) has multiple installations and each installation needs a controller.
Also each controller is controlled by clients which have to be authorized by the original user or
somebody who has the needed permission to do so.

We don't want to have different interfaces for maintaining things which means all can be done from
the Designer and a user does not have to access a Controller webpage to maintain certificates.
The current Controller "Sync page" will be removed also.

From an installer point of view, he just wants to set up everything for his paying customer and not
have the customer have to deal with permissions on the Controller. Maybe he wants to charge if the
customer wants to add a new device to control the house.

Please read my new post for more answers.

Posted by mredeker at May 22, 2012 13:04

Thanks for the explanation Marcus! Where can I find your new post? I don't see it anywhere.

Posted by vincentkriek at May 22, 2012 13:54

I am currently working on it.
As soon as it's online, I will post a link here.

Posted by mredeker at May 22, 2012 13:57

The new post can be found here: http://www.openremote.org/display/forums/Beehive+AccountService%2C+Security+and+Certificates
Just post any comments there so we can brainstorm some more and create a "good foundation" for ongoing development.

Posted by mredeker at May 22, 2012 15:32

Guys,

some questions:

  • Is the first client request without SSL connection, since certificate is not there yet?
  • Does the client create the private key and the controller only sign the CSR, or does the controller create the key and sign the certificate?
  • Is the server.jks defined in server.xml the same one you reference in CertificateServiceImpl?
  • Where do you use the HSQLDB?

--Marcus

Posted by mredeker at May 25, 2012 16:26

Hey Marcus,

  • This is correct.
  • Correct as well, client creates a keypair and a CSR, controller signs that CSR which creates a certificate and sends that back. This CSR and certificate only contain the public key.
  • Correct
  • We use HSQLDB to keep track of settings and current approved users. We use a Tomcat realm to check if a client certificate is valid when a client connects, this uses HSQLDB as well.

Vincent

Posted by vincentkriek at May 28, 2012 09:36
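
The enrolment exchange described in the answer above (the client generates the key pair and CSR, the controller signs the CSR and returns the certificate), sketched with the openssl CLI as an added example. It is not code from the DomoTop project; the file names, subject names and 30-day lifetime are constructed for illustration.

```shell
#!/bin/sh
# Added example (not DomoTop code): CSR enrolment with the openssl CLI.
# File names, subject names and the 30-day lifetime are constructed.
set -e

# enroll DIR: run both sides of the exchange, leaving all files in DIR.
enroll() {
    d=$1
    # Controller: self-signed CA standing in for the controller's signing key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Controller CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Client: key pair is generated on the device; only client.csr is sent.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-device-01" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    # Controller: check the CSR's self-signature (proof that the requester
    # holds the matching private key) before signing it.
    openssl req -in "$d/client.csr" -noout -verify 2>&1 | grep -q "verify OK"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/client.crt" 2>/dev/null
}

# True when the issued certificate carries exactly the device's public key.
pubkeys_match() {
    [ "$(openssl x509 -in "$1/client.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/client.key" -pubout)" ]
}

# True when the certificate chains to the controller CA.
issued_by_controller() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# True if private key material appears in anything that crossed the wire.
leaks_private_key() {
    grep -q "PRIVATE KEY" "$1/client.csr" "$1/client.crt"
}

demo=$(mktemp -d)
enroll "$demo"
pubkeys_match "$demo" && echo "certificate binds the device's public key"
issued_by_controller "$demo" && echo "certificate chains to the controller CA"
leaks_private_key "$demo" || echo "no private key in CSR or certificate"
rm -rf "$demo"
```

The approval step the thread describes (an administrator accepting the device before the certificate is honoured) is a separate check on the controller and is not modelled here.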

Ok, thanks for the clarification.

I am currently working on the Beehive "UserAccountService" which is going to be an independent REST/JSON API to handle all kinds of user/account/certificate issues. Beehive is already using MySQL for data storage, so it would be easy to extend the "account", "controller" and "user" tables to hold extra information which is used by your services. It should not be too hard to move your CertificateService to Beehive. Please use the other thread for further information and discussions on that topic.

Posted by mredeker at May 28, 2012 09:54

What's the actual status?

Is it possible to secure the controller with client authentication?
How can I use client authentication from my Android app?
thanks,
Klaus

Posted by klaus1 at Apr 16, 2015 11:05

With the stuff mentioned earlier in this thread it should be possible.
The whole security and certificate stuff is not integrated yet.

Posted by mredeker at Apr 16, 2015 11:12

Correct, we have a proof of concept. And we even implemented this proof of concept 3 years ago.

Please check out the code in GH: https://github.com/DomoTop/DomoTop/tree/master/Product

I tried to merge the changes into the OpenRemote code archive, but back in the days OpenRemote didn't allow to do so. Because "they had a different opinion of OpenRemote security".

Hopefully they changed their minds?

  • Melroy

Developer of OpenRemote Security using TLS (SSL) & certificate authority

Posted by danger89 at Apr 16, 2015 13:39

Downloading the war file tells me: The requested URL /openremote/controller.war was not found on this server.

Is it possible to run HSQLDB and the new controller on my Raspberry Pi too?
At the moment I have ssl connection on my tomcat and tomcat user in users.xml with standard openremote controller working.

Rest services tells correctly that authentication is needed:

description This request requires HTTP authentication ()

Is there any security problem?

thanks,
Klaus

Posted by klaus1 at Apr 16, 2015 19:32
Document generated by Confluence on Jun 05, 2016 09:31