{"info":{"_postman_id":"8ddc19dc-bc5f-47a4-82a9-94640db14a62","name":"FIWARE PEP Proxy","description":"

This tutorial uses the FIWARE Wilma PEP Proxy combined with Keyrock to secure access to endpoints exposed by\nFIWARE generic enablers. Users (or other actors) must log-in and use a token to gain access to services. The application\ncode created in the previous tutorial is expanded to authenticate\nusers throughout a distributed system. The design of FIWARE Wilma - a PEP Proxy is discussed, and the parts of the\nKeyrock GUI and REST API relevant to authenticating other services are described in detail.

The docker-compose files for this tutorial can be found on GitHub:

$\"GitHub\"$ FIWARE 404: Securing Microservices with a PEP Proxy

Securing Microservices with a PEP Proxy

\n
\"Oh, it's quite simple. If you are a friend, you speak the password, and the doors will open.\"
\n
— Gandalf (The Fellowship of the Ring by J.R.R Tolkien)
\n

The previous tutorial demonstrated that it is possible to Permit or Deny access\nto resources based on an authenticated user identifying themselves within an application. It was simply a matter of the code following\na different line of execution if the access_token was not found (Level 1 - Authentication Access), or confirming that a given access_token\nhad appropriate rights (Level 2 - Basic Authorization). The same method of securing access can be applied by placing a Policy Enforcement\nPoint (PEP) in front of other services within a FIWARE-based Smart Solution.

A PEP Proxy lies in front of a secured resource and is an endpoint found at \"well-known\" public location. It serves\nas a gatekeeper for resource access. Users or other actors must supply sufficient information to the PEP Proxy to allow their request\nto succeed and pass through the PEP proxy. The PEP proxy then passes the request on to the real location of the\nsecured resource itself - the actual location of the secured resource is unknown to the outside user - it could be held\nin a private network behind the PEP proxy or found on a different machine altogether.

FIWARE Wilma is a simple implentation of a PEP proxy designed to work with the FIWARE Keyrock Generic Enabler. Whenever a user tries to gain access to the resource behind the PEP proxy, the\nPEP will describe the user's attributes to the Policy Decision Point (PDP), request a security decision, and enforce the decision.\n(Permit or Deny). There is mimimal disruption of access for authorized users - the response received is the same as if they had\naccessed the secured service directly. Unauthorized users are simply returned a 401 - Unauthorized response.

Standard Concepts of Identity Management

The following common objects are found with the Keyrock Identity Management database:

User - Any signed up user able to identify themselves with an eMail and password. Users can be assigned\n rights individually or as a group
Application - Any securable FIWARE application consisting of a series of microservices
Organization - A group of users who can be assigned a series of rights. Altering the rights of the organization\n effects the access of all users of that organization
OrganizationRole - Users can either be members or admins of an organization - Admins are able to add and remove users\n from their organization, members merely gain the roles and permissions of an organization. This allows each organization\n to be responsible for their members and removes the need for a super-admin to administer all rights
Role - A role is a descriptive bucket for a set of permissions. A role can be assigned to either a single user\n or an organization. A signed-in user gains all the permissions from all of their own roles plus all of the roles associated\n to their organization
Permission - An ability to do something on a resource within the system

Additionally two further non-human application objects can be secured within a FIWARE application:

IoTAgent - a proxy between IoT Sensors and the Context Broker
PEPProxy - a middleware for use between generic enablers challenging the rights of a user.

The relationship between the objects can be seen below - the entities marked in red are used directly within this tutorial:

$\"\"$

Video : Introduction to Wilma PEP Proxy

$\"\"$

Click on the image above to see an introductory video

Prerequisites

Docker

To keep things simple both components will be run using Docker. Docker is a\ncontainer technology which allows to different components isolated into their respective environments.

To install Docker on Windows follow the instructions here
To install Docker on Mac follow the instructions here
To install Docker on Linux follow the instructions here

Docker Compose is a tool for defining and running multi-container Docker applications. A\nYAML file is used\nconfigure the required services for the application. This means all container services can be brought up in a single\ncommand. Docker Compose is installed by default as part of Docker for Windows and Docker for Mac, however Linux users\nwill need to follow the instructions found here

Cygwin

We will start up our services using a simple bash script. Windows users should download cygwin to provide a\ncommand line functionality similar to a Linux distribution on Windows.

Architecture

This application protects access to the existing Stock Management and Sensors-based application by adding PEP Proxy instances around the services created in previous tutorials and uses data pre-populated into the MySQL database used by Keyrock. It\nwill make use of four FIWARE components - the Orion Context Broker,the IoT Agent for UltraLight 2.0, the Keyrock Generic enabler\nand adds one or two instances Wilma PEP Proxy dependent upon which interfaces are to be secured.\nUsage of the Orion Context Broker is sufficient for an application to qualify as “Powered by FIWARE”.

Both the Orion Context Broker and the IoT Agent rely on open source MongoDB technology to keep persistence of the information they hold. We will also be using the dummy IoT devices created in the previous tutorial. Keyrock uses its own MySQL database.

Therefore the overall architecture will consist of the following elements:

The FIWARE Orion Context Broker which will receive requests using NGSI
The FIWARE IoT Agent for UltraLight 2.0 which will receive southbound requests using NGSI and convert them to UltraLight 2.0 commands for the devices
FIWARE Keyrock offer a complement Identity Management System including:
- An OAuth2 authentication system for Applications and Users
- A website graphical front-end for Identity Management Administration
- An equivalent REST API for Identity Management via HTTP requests
\n
FIWARE Wilma is a PEP Proxy securing access to the Orion and/or IoT Agent microservices
The underlying MongoDB database :
- Used by the Orion Context Broker to hold context data information such as data entities, subscriptions and registrations
- Used by the IoT Agent to hold device information such as device URLs and Keys
\n
A MySQL database :
- Used to persist user identities, applications, roles and permissions
\n
The Stock Management Frontend does the following:
- Displays store information
- Shows which products can be bought at each store
- Allows users to \"buy\" products and reduce the stock count.
- Allows authorized users into restricted areas
\n
A webserver acting as set of dummy IoT devices using the UltraLight 2.0 protocol running over HTTP - access to certain resources is restricted.

Since all interactions between the elements are initiated by HTTP requests, the entities can be containerized and run from exposed ports.

The specific architecture of each section of the tutorial is discussed below.

Start Up

To start the installation, do the following:

git clone git@github.com:Fiware/tutorials.PEP-Proxy.git\ncd tutorials.PEP-Proxy\n\n./services create\n

\n
Note The initial creation of Docker images can take up to three minutes
\n

Thereafter, all services can be initialized from the command line by running the services Bash script provided within the repository:

./services <command>\n

Where <command> will vary depending upon the exercise we wish to activate.

\n
:information_source: Note: If you want to clean up and start over again you can do so with the following command:
\n
./services stop\n
\n

Dramatis Personae

The following people at test.com legitimately have accounts within the Application

Alice, she will be the Administrator of the Keyrock Application
Bob, the Regional Manager of the supermarket chain - he has several store managers under him:
- Manager1
- Manager2
\n
Charlie, the Head of Security of the supermarket chain - he has several store detectives under him:
- Detective1
- Detective2
\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Name	eMail	Password
alice	alice-the-admin@test.com	`test`
bob	bob-the-manager@test.com	`test`
charlie	charlie-security@test.com	`test`
manager1	manager1@test.com	`test`
manager2	manager2@test.com	`test`
detective1	detective1@test.com	`test`
detective2	detective2@test.com	`test`

The following people at example.com have signed up for accounts, but have no reason to be granted access

Eve - Eve the Eavesdropper
Mallory - Mallory the malicious attacker
Rob - Rob the Robber

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Name	eMail	Password
eve	eve@example.com	`test`
mallory	mallory@example.com	`test`
rob	rob@example.com	`test`

Two organizations have also been set up by Alice:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Name	Description	UUID
Security	Security Group for Store Detectives	`security-team-0000-0000-000000000000`
Management	Management Group for Store Managers	`managers-team-0000-0000-000000000000`

One application, with appropriate roles and permissions has also been created:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value
Client ID	`tutorial-dckr-site-0000-xpresswebapp`
Client Secret	`tutorial-dckr-site-0000-clientsecret`
URL	`http://localhost:3000`
RedirectURL	`http://localhost:3000/login`

To save time, the data creating users and organizations from the previous tutorial has been downloaded and is automatically persisted to the MySQL\ndatabase on start-up so the assigned UUIDs do not change and the data does not need to be entered again.

The Keyrock MySQL database deals with all aspects of application security including storing users, password etc; defining access rights and dealing with OAuth2 authorization protocols.\nThe complete database relationship diagram can be found here

To refresh your memory about how to create users and organizations and applications, you can log in at http://localhost:3005/idm\nusing the account alice-the-admin@test.com with a password of test.

$\"\"$

and look around.

\n","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[{"content":"Securing Microservices with a PEP Proxy","slug":"securing-microservices-with-a-pep-proxy"},{"content":"Prerequisites","slug":"prerequisites"},{"content":"Architecture","slug":"architecture"},{"content":"Start Up","slug":"start-up"}],"owner":"513743","collectionId":"8ddc19dc-bc5f-47a4-82a9-94640db14a62","publishedId":"RWaHxUgP","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF7059"},"publishDate":"2020-01-02T11:02:20.000Z"},"item":[{"name":"Logging In to Keyrock","item":[{"name":"Create token with Password","id":"8caf9b30-5af4-45e8-855c-b717a01b03f4","request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"name\": \"alice-the-admin@test.com\",\n \"password\": \"test\"\n}"},"url":"http://localhost:3005/v1/auth/tokens","description":"

The following example logs in using the Admin Super-User - it is the equivalent of using the log-in screen of the GUI.

The response header returns an X-Subject-token which identifies who has logged on the application.\nThis token is required in all subsequent requests to gain access.

\n","urlObject":{"protocol":"http","path":["v1","auth","tokens"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"8caf9b30-5af4-45e8-855c-b717a01b03f4"},{"name":"Get token info","id":"990969ec-0c34-435a-912b-ad1b2adfe669","request":{"method":"GET","header":[{"key":"Accept","value":"application/json"},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},{"key":"X-Subject-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/auth/tokens","description":"

You can use the long-lasting X-Auth-token=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa to pretend to be Alice throughout this\ntutorial.

The presence of a (time-limited) token is sufficient to find out more information about the user.\nTo find information about Bob, use the long-lasting token X-Subject-token=bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb

This request indicates that the\nuser authorized with the token aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa (i.e Alice) is enquiring about the user holding the token aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa i.e Bob

The response will return the details of the associated user. As you can see Bob holds a long-lasting token until 2026.

\n","urlObject":{"protocol":"http","path":["v1","auth","tokens"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"990969ec-0c34-435a-912b-ad1b2adfe669"}],"id":"f99e0d24-7b24-45f7-853d-90125242973d","description":"

Enter a username and password to enter the application. The default super-user has the values alice-the-admin@test.com and test. The URL https://localhost:3443/v1/auth/tokens should also work in a secure system.

\n","event":[{"listen":"prerequest","script":{"id":"b886ca21-2e87-489c-be24-cfa0df809954","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"30bf17a0-2033-4794-8351-f34ce2b67811","type":"text/javascript","exec":[""]}}],"_postman_id":"f99e0d24-7b24-45f7-853d-90125242973d"},{"name":"Managing PEP Proxies and IoT Agents","item":[{"name":"PEP Proxy CRUD Actions","item":[{"name":"Create a PEP Proxy","id":"f4347bdf-041c-4e2a-894d-5e6baf917b1f","request":{"method":"POST","header":[{"key":"Accept","value":"application/json"},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies","description":"

To create a new PEP Proxy account within an application , send a POST request to the //v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies endpoint along with the X-Auth-token header from a previously logged in administrative user.

Provided there is no previously existing PEP Proxy account associated with the application, a new account will be created with a unique id and password and the values will be returned in the response.

\n","urlObject":{"protocol":"http","path":["v1","applications","tutorial-dckr-site-0000-xpresswebapp","pep_proxies"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"f4347bdf-041c-4e2a-894d-5e6baf917b1f"},{"name":"Read PEP Proxy Details","id":"62b07008-1550-45ec-9176-60f2d867136b","request":{"method":"GET","header":[{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies/","description":"

Making a GET request the /v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies/ endpoint will return the details of the associated PEP Proxy Account. The X-Auth-token must be supplied in the headers.

\n","urlObject":{"protocol":"http","path":["v1","applications","tutorial-dckr-site-0000-xpresswebapp","pep_proxies",""],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"62b07008-1550-45ec-9176-60f2d867136b"},{"name":"Reset Password of PEP Proxy","id":"545f1cfb-382f-4a9d-902b-5acb0a6045e2","request":{"method":"PATCH","header":[{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies","description":"

To renew the password of a PEP Proxy Account, make a PATCH request to the /v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies endpoint will return the details of the associated PEP Proxy Account. The X-Auth-token must be supplied in the headers.

The response returns a new password.

\n","urlObject":{"protocol":"http","path":["v1","applications","tutorial-dckr-site-0000-xpresswebapp","pep_proxies"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"545f1cfb-382f-4a9d-902b-5acb0a6045e2"},{"name":"Delete PEP Proxy","id":"8ac7334c-397b-4ec2-8b2c-b7fc8352340a","request":{"method":"DELETE","header":[{"key":"Accept","value":"application/json"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Type","value":"{{Content-Type}}"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies","description":"

An existing PEP Proxy Account can be deleted by making a DELETE request to the /v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies endpoint. The X-Auth-token must be supplied in the headers.

\n","urlObject":{"protocol":"http","path":["v1","applications","tutorial-dckr-site-0000-xpresswebapp","pep_proxies"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"8ac7334c-397b-4ec2-8b2c-b7fc8352340a"}],"id":"e47a1943-7390-468d-9b5f-915d8c6b4bcd","description":"

GUI

Once signed-in, users are able to create and update PEP Proxies associated to their applications for themselves.

REST API

Alternatively, the standard CRUD actions are assigned to the appropriate HTTP verbs (POST, GET, PATCH and DELETE) under the /v1/applications/tutorial-dckr-site-0000-xpresswebapp/pep_proxies endpoint.

\n","event":[{"listen":"prerequest","script":{"id":"387e4c2b-2ca2-4f82-9062-5cad900bcb98","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"2b873967-538b-4fe3-839c-e7eeffb7d9ba","type":"text/javascript","exec":[""]}}],"_postman_id":"e47a1943-7390-468d-9b5f-915d8c6b4bcd"},{"name":"IoT Agent CRUD Actions","item":[{"name":"Create an IoT Agent","id":"9213ec96-2299-41ec-8faa-6d7586884b65","request":{"method":"POST","header":[{"key":"Accept","value":"application/json"},{"key":"Content-Type","value":"application/json"},{"key":"Content-Type","value":"{{Content-Type}}"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents","description":"

To create a new IoT Agent account within an application, send a POST request to the /v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents endpoint along with the X-Auth-token header from a previously logged in administrative user.

A new account will be created with a unique id and password and the values will be returned in the response.

\n","urlObject":{"protocol":"http","path":["v1","applications","tutorial-dckr-site-0000-xpresswebapp","iot_agents"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"9213ec96-2299-41ec-8faa-6d7586884b65"},{"name":"Read IoT Agent details","id":"eec9212b-0a83-4021-9208-15a3317831af","request":{"method":"GET","header":[{"key":"Accept","value":"application/json"},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents/iot_sensor_00000000-0000-0000-0000-000000000000","description":"

Making a GET request the /v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents/iot_sensor_00000000-0000-0000-0000-000000000000 endpoint will return the details of the associated IoT Agent Account. The X-Auth-token must be supplied in the headers.

\n","urlObject":{"protocol":"http","path":["v1","applications","tutorial-dckr-site-0000-xpresswebapp","iot_agents","iot_sensor_00000000-0000-0000-0000-000000000000"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"eec9212b-0a83-4021-9208-15a3317831af"},{"name":"List of IoT Agents","id":"94a55658-c5b2-43de-9b31-22fb6100a98e","request":{"method":"GET","header":[{"key":"Accept","value":"application/json"},{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents","description":"

A list of all IoT Agents associated with an application can be obtained by making a GET request the /v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents endpoint. The X-Auth-token must be supplied in the headers.

\n","urlObject":{"protocol":"http","path":["v1","applications","tutorial-dckr-site-0000-xpresswebapp","iot_agents"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"94a55658-c5b2-43de-9b31-22fb6100a98e"},{"name":"Reset Password of IoT Agent","id":"810362a0-89de-46a1-92e3-dca60b94bfac","request":{"method":"PATCH","header":[{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents/iot_sensor_00000000-0000-0000-0000-000000000000","description":"

To renew the password of an individual IoT Agent Account, make a PATCH request to the /v1/applications/tutorial-dckr-site-0000-xpresswebapp//iot_agents/iot_sensor_00000000-0000-0000-0000-000000000000 endpoint. \nThe X-Auth-token must be supplied in the headers.

The response returns a new password.

\n","urlObject":{"protocol":"http","path":["v1","applications","tutorial-dckr-site-0000-xpresswebapp","iot_agents","iot_sensor_00000000-0000-0000-0000-000000000000"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"810362a0-89de-46a1-92e3-dca60b94bfac"},{"name":"Delete an IoT Agent","id":"31aa4636-fb29-496e-93b4-646570fef140","request":{"method":"DELETE","header":[{"key":"Content-Type","value":"application/json"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:3005/v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents/iot_sensor_00000000-0000-0000-0000-000000000000","description":"

An existing IoT Agent Account can be deleted by making a DELETE request to the /v1/applications/tutorial-dckr-site-0000-xpresswebapp/iot_agents/iot_sensor_00000000-0000-0000-0000-000000000000 endpoint. \nThe X-Auth-token must be supplied in the headers.

GUI

In a similar manner to PEP Proxy creation, signed-in, users are able to create and update IoT Sensor Accounts associated to their \napplications.

REST API

Alternatively, the standard CRUD actions are assigned to the

\n","event":[{"listen":"prerequest","script":{"id":"19ac2874-e6e9-43d4-8560-de18473d7a3a","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"b544eada-13d0-40bd-b53c-b715a1f94dd2","type":"text/javascript","exec":[""]}}],"_postman_id":"566306fb-15bf-469e-963c-79c3f948b4d3"}],"id":"bd81ee58-ed8f-49ac-8c01-091d82aff238","description":"

User accounts have been created in a previous tutorial. Non-human\nactors such as a PEP Proxy can be set up in the same manner. The account for each PEP Proxy, IoT Agent or IoT Sensor will \nmerely consist of a Username and password linked to an application within Keyrock. PEP Proxy and IoT Agents accounts can\nbe created by using either the Keyrock GUI or by using the REST API.

Video : Wilma PEP Proxy Configuration

Click on the image above to see a video about configuring the Wilma PEP Proxy using the Keyrock GUI

Managing PEP Proxies and IoT Agents - Start Up

To start the system run the following command:

./services orion\n

This will start up Keyrock with a series of users. There are already two existing applications \nand an existing PEP Proxy Account associated with the application.

\n","event":[{"listen":"prerequest","script":{"id":"58d4e080-c9bf-4e19-aab9-08d332b71cba","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"f1ed306e-fcb8-470c-9d81-0e0e2d385f7f","type":"text/javascript","exec":[""]}}],"_postman_id":"bd81ee58-ed8f-49ac-8c01-091d82aff238"},{"name":"Securing the Orion Context Broker","item":[{"name":"PEP Proxy - No Access to Orion without an Access Token","id":"0ca4b27b-3392-4207-a84e-ba6abf4edfe6","request":{"method":"GET","header":[{"key":"X-Auth-Token","value":" 79d07d0139c66b75fc25f56a88008553f12f6ac7"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:1027/v2/entities/","description":"

Secured Access can be ensured by requiring all requests to the secured service are made indirectly via a PEP Proxy (in this case the PEP Proxy is found in front of the Context Broker). Requests must include an X-Auth-Token, failure to present a valid token results in a denial of access.

if a request to the PEP Proxy is made without any access token as shown, the response is a 401 Unauthorized error code, with a text explanation.

\n","urlObject":{"protocol":"http","port":"1027","path":["v2","entities",""],"host":["localhost"],"query":[],"variable":[]}},"response":[],"_postman_id":"0ca4b27b-3392-4207-a84e-ba6abf4edfe6"},{"name":"Keyrock - User Obtains an Access Token","id":"0d2332e5-cd2e-4624-888d-16acfdd12a7f","request":{"method":"POST","header":[{"key":"Authorization","value":"Basic dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==","description":"

base64 concatenation of Client Id and Client Secret

\n"},{"key":"Content-Type","value":"application/x-www-form-urlencoded"},{"key":"Accept","value":"application/json"}],"body":{"mode":"raw","raw":"username=alice-the-admin@test.com&password=test&grant_type=password"},"url":"http://localhost:3005/oauth2/token","description":"

To log in to an application using the user-credentials flow send a POST request to the oauth2/token endpoint with the grant_type=password

The response returns an access_code to identify the user.

An access_code can also be done by entering the Tutorial Application on http:/localhost and logging in using any of the OAuth2 grants\non the page. A successful log-in will return an access token.

\n","urlObject":{"protocol":"http","path":["oauth2","token"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"0d2332e5-cd2e-4624-888d-16acfdd12a7f"},{"name":"PEP Proxy - Accessing Orion with an Access Token Copy","id":"5190d2ed-dd05-4937-9a9f-c1c327dd9649","request":{"method":"GET","header":[{"key":"X-Auth-Token","value":" 79d07d0139c66b75fc25f56a88008553f12f6ac7"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:1027/v2/entities/","description":"

If a request to the PEP Proxy is made including a valid access token in the X-Auth-Token header as shown, the request\nis permitted and the service behind the PEP Proxy (in this case the Orion Context Broker) will return the data as\nexpected.

\n","urlObject":{"protocol":"http","port":"1027","path":["v2","entities",""],"host":["localhost"],"query":[],"variable":[]}},"response":[],"_postman_id":"5190d2ed-dd05-4937-9a9f-c1c327dd9649"},{"name":"Kong - Accessing Orion with an Access Token","id":"76d5dc5c-7b81-4600-bc11-a7896322538f","request":{"method":"GET","header":[{"key":"authorization","value":"Bearer 79d07d0139c66b75fc25f56a88008553f12f6ac7"}],"url":"http://localhost:8000/orion/v2/entities/","description":"

\n","urlObject":{"protocol":"http","port":"8000","path":["orion","v2","entities",""],"host":["localhost"],"query":[],"variable":[]}},"response":[],"_postman_id":"76d5dc5c-7b81-4600-bc11-a7896322538f"},{"name":"PEP Proxy - Accessing Orion with a Bearer Auth Token","id":"5068c962-b97c-4452-a55a-b38c56a05242","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"bearer","bearer":{"token":" 79d07d0139c66b75fc25f56a88008553f12f6ac7"},"isInherited":false},"method":"GET","header":[],"url":"http://localhost:1027/v2/entities/","description":"

The standard Authorization: Bearer header can also be used to identity the user,\nthe request from an authorized user is permitted and the service behind the PEP Proxy (in this case the Orion Context Broker) will return the data as\nexpected.

\n","urlObject":{"protocol":"http","port":"1027","path":["v2","entities",""],"host":["localhost"],"query":[],"variable":[]}},"response":[],"_postman_id":"5068c962-b97c-4452-a55a-b38c56a05242"},{"name":"PEP Proxy - Accessing Orion with an Access Token Copy","id":"491659a5-8a60-4df3-8e73-d79b959594fd","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"X-Auth-Token","value":" 79d07d0139c66b75fc25f56a88008553f12f6ac7"}],"url":"http://localhost:1027/v2/entities/","description":"

Securing Orion - PEP Proxy Configuration

The orion-proxy container is an instance of FIWARE Wilma listening on port 1027, it is configured to forward traffic to\norion on port 1026, which is the default port that the Orion Context Broker is listening to for NGSI Requests.

  orion-proxy:\n    image: fiware/pep-proxy\n    container_name: fiware-orion-proxy\n    hostname: orion-proxy\n    networks:\n      default:\n        ipv4_address: 172.18.1.10\n    depends_on:\n      - keyrock\n    ports:\n      - \"1027:1027\"\n    expose:\n      - \"1027\"\n    environment:\n      - PEP_PROXY_APP_HOST=orion\n      - PEP_PROXY_APP_PORT=1026\n      - PEP_PROXY_PORT=1027\n      - PEP_PROXY_IDM_HOST=keyrock\n      - PEP_PROXY_HTTPS_ENABLED=false\n      - PEP_PROXY_AUTH_ENABLED=false\n      - PEP_PROXY_IDM_SSL_ENABLED=false\n      - PEP_PROXY_IDM_PORT=3005\n      - PEP_PROXY_APP_ID=tutorial-dckr-site-0000-xpresswebapp\n      - PEP_PROXY_USERNAME=pep_proxy_00000000-0000-0000-0000-000000000000\n      - PEP_PASSWORD=test\n      - PEP_PROXY_PDP=idm\n      - PEP_PROXY_MAGIC_KEY=1234\n

The PEP_PROXY_APP_ID and PEP_PROXY_USERNAME would usually be obtained by adding new entries to the application in Keyrock,\nhowever, in this tutorial, they have been pre-defined by populating the MySQL database with data on start-up.

The orion-proxy container is listening on a single port:

The PEP Proxy Port - 1027 is exposed purely for tutorial access - so that cUrl or Postman can requests directly to the Wilma instance\nwithout being part of the same network.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value	Description
PEP_PROXY_APP_HOST	`orion`	The hostname of the service behind the PEP Proxy
PEP_PROXY_APP_PORT	`1026`	The port of the service behind the PEP Proxy
PEP_PROXY_PORT	`1027`	The port that the PEP Proxy is listening on
PEP_PROXY_IDM_HOST	`keyrock`	The hostname for the Identity Manager
PEP_PROXY_HTTPS_ENABLED	`false`	Whether the PEP Proxy itself is running under HTTPS
PEP_PROXY_AUTH_ENABLED	`false`	Whether the PEP Proxy is checking for Authorization
PEP_PROXY_IDM_SSL_ENABLED	`false`	Whether the Identity Manager is running under HTTPS
PEP_PROXY_IDM_PORT	`3005`	The Port for the Identity Manager instance
PEP_PROXY_APP_ID	`tutorial-dckr-site-0000-xpresswebapp`
PEP_PROXY_USERNAME	`pep_proxy_00000000-0000-0000-0000-000000000000`	The Username for the PEP Proxy
PEP_PASSWORD	`test`	The Password for the PEP Proxy
PEP_PROXY_PDP	`idm`	The Type of service offering the Policy Decision Point
PEP_PROXY_MAGIC_KEY	`1234`

For this example, the PEP Proxy is checking for Level 1 - Authentication Access not Level 2 - Basic Authorization or \nLevel 3 - Advanced Authorization.

Securing Orion - Application Configuration

The tutorial application has already been registered in Keyrock, programmatically the tutorial application will\nbe making requests to the Wilma PEP Proxy in front of the Orion Conext Broker. Every request must now include\nan additional access_token header.

  tutorial-app:\n    image: fiware/tutorials.context-provider\n    hostname: tutorial-app\n    container_name: tutorial-app\n    depends_on:\n        - orion-proxy\n        - iot-agent\n        - keyrock\n    networks:\n      default:\n        ipv4_address: 172.18.1.7\n        aliases:\n          - iot-sensors\n    expose:\n        - \"3000\"\n        - \"3001\"\n    ports:\n        - \"3000:3000\"\n        - \"3001:3001\"\n    environment:\n        - \"WEB_APP_PORT=3000\"\n        - \"SECURE_ENDPOINTS=true\"\n        - \"CONTEXT_BROKER=http://orion-proxy:1027/v2\"\n        - \"KEYROCK_URL=http://localhost\"\n        - \"KEYROCK_IP_ADDRESS=http://172.18.1.5\"\n        - \"KEYROCK_PORT=3005\"\n        - \"KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp\"\n        - \"KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret\"\n        - \"CALLBACK_URL=http://localhost:3000/login\"\n

All of the tutorial container settings have been described in previous tutorials. One important change is necessary however,\nrather than accessing Orion directly on the default port 1026 as shown in all previous tutorials, all context broker\ntraffic is now sent to orion-proxy on port 1027. As a reminder, the relevant settings are detailed below:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value	Description
WEB_APP_PORT	`3000`	Port used by web-app which displays the login screen & etc.
KEYROCK_URL	`http://localhost`	This is URL of the Keyrock Web Front-End itself, used for redirection when forwarding users
KEYROCK_IP_ADDRESS	`http://172.18.1.5`	This is URL of the Keyrock OAuth Communications
KEYROCK_PORT	`3005`	This is the port that Keyrock is listening on.
KEYROCK_CLIENT_ID	`tutorial-dckr-site-0000-xpresswebapp`	The Client ID defined by Keyrock for this application
KEYROCK_CLIENT_SECRET	`tutorial-dckr-site-0000-clientsecret`	The Client Secret defined by Keyrock for this application
CALLBACK_URL	`http://localhost:3000/login`	The callback URL used by Keyrock when a challenge has succeeded.

Securing Orion - Start up

To start the system with a PEP Proxy protecting access to Orion, run the following command:

./services orion\n

Video : Securing A REST API

Click on the image above to see a video about securing a REST API using the Wilma PEP Proxy

Securing Orion - Sample Code

When a User logs in to the application using the User Credentials Grant, an access_token is obtained which identifies the User.\nThe access_token is stored in session:

function userCredentialGrant(req, res){\n    debug('userCredentialGrant');\n\n    const email = req.body.email;\n    const password = req.body.password;\n\n    oa.getOAuthPasswordCredentials(email, password)\n    .then(results => {\n        req.session.access_token =  results.access_token;\n        return;\n    })\n}\n

For each subsequent request, the access_token is supplied in the X-Auth-Token Header

function setAuthHeaders(req){\n  const headers = {};\n  if (req.session.access_token) {\n    headers['X-Auth-Token'] = req.session.access_token;\n  }\n  return headers;\n}\n

For example, when buying an item, two requests are made, the same X-Auth-Token Header must be added to each request - therefore\nthe User can be identified and access granted.

async function buyItem(req, res) {\n\n  const inventory = await retrieveEntity(req.params.inventoryId, {\n    options: 'keyValues',\n    type: 'InventoryItem',\n  }, setAuthHeaders(req));\n  const count = inventory.shelfCount - 1;\n\n  await updateExistingEntityAttributes(\n    req.params.inventoryId,\n    { shelfCount: { type: 'Integer', value: count } },\n    {\n      type: 'InventoryItem',\n    }, setAuthHeaders(req)\n  );\n  res.redirect(`/app/store/${inventory.refStore}/till`);\n}\n

\n","event":[{"listen":"prerequest","script":{"id":"96981a47-ff81-43fb-b694-b80cc9a06f06","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"900a4c35-38c9-4e7d-a52d-35913760b3ba","type":"text/javascript","exec":[""]}}],"_postman_id":"7587b0d8-438e-4189-ba71-9ea67e53902d"},{"name":"Securing an IoT Agent South Port","item":[{"name":"Keyrock - IoT Sensor Obtains an Access Token","id":"5271fd3d-db77-4f8d-863c-cbb76de0d15e","request":{"method":"POST","header":[{"key":"Authorization","value":"Basic dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==","description":"

base64 concatenation of Client Id and Client Secret

\n"},{"key":"Content-Type","value":"application/x-www-form-urlencoded"},{"key":"Accept","value":"application/json"}],"body":{"mode":"raw","raw":"username=iot_sensor_00000000-0000-0000-0000-000000000000&password=test&grant_type=password"},"url":"http://localhost:3005/oauth2/token","description":"

Logging in as an IoT Sensor follows the same user-credentials flow as for a User.\nTo log in and identify the sensor iot_sensor_00000000-0000-0000-0000-000000000000 with password test

The response returns an access code to identify the IoT Device

\n","urlObject":{"protocol":"http","path":["oauth2","token"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"5271fd3d-db77-4f8d-863c-cbb76de0d15e"},{"name":"PEP Proxy - Accessing IoT Agent with an Access Token","id":"8340f73f-7a57-44e5-9c88-7526efd73ba6","request":{"method":"POST","header":[{"key":"X-Auth-Token","value":" 79d07d0139c66b75fc25f56a88008553f12f6ac7"}],"body":{"mode":"formdata","formdata":[]},"url":"http://localhost:7897/iot/d?k=4jggokgpepnvsb2uv4s40d59ov&i=motion001","description":"

This example simulates a secured request coming from the device motion001

The POST request to a PEP Proxy in front to the Ultralight IoT Agent identifies\na previously provisioned resource iot/dendpoint and passes a measurement for\ndevice motion001. The addition of the X-Auth-Token Header identifies the source\nof the request as being registered in Keyrock, and therefore the measurement will \nbe passed on to the IoT Agent itself.

\n","urlObject":{"protocol":"http","port":"7897","path":["iot","d"],"host":["localhost"],"query":[{"key":"k","value":"4jggokgpepnvsb2uv4s40d59ov"},{"key":"i","value":"motion001"}],"variable":[]}},"response":[],"_postman_id":"8340f73f-7a57-44e5-9c88-7526efd73ba6"}],"id":"e01520ed-cf2c-412a-a2d1-0d1eaa58dbe5","description":"

Securing an IoT Agent South Port - PEP Proxy Configuration

The iot-agent-proxy container is an instance of FIWARE Wilma listening on port 7897, it is configured to forward traffic to\niot-agent on port 7896, which is the default port that the Ultralight agent is listening to for HTTP Requests.

  iot-agent-proxy:\n    image: fiware/pep-proxy\n    container_name: fiware-iot-agent-proxy\n    hostname: iot-agent-proxy\n    networks:\n      default:\n        ipv4_address: 172.18.1.11\n    depends_on:\n      - keyrock\n    ports:\n      - \"7897:7897\"\n    expose:\n      - \"7897\"\n    environment:\n      - PEP_PROXY_APP_HOST=iot-agent\n      - PEP_PROXY_APP_PORT=7896\n      - PEP_PROXY_PORT=7897\n      - PEP_PROXY_IDM_HOST=keyrock\n      - PEP_PROXY_HTTPS_ENABLED=false\n      - PEP_PROXY_AUTH_ENABLED=false\n      - PEP_PROXY_IDM_SSL_ENABLED=false\n      - PEP_PROXY_IDM_PORT=3005\n      - PEP_PROXY_APP_ID=tutorial-dckr-site-0000-xpresswebapp\n      - PEP_PROXY_USERNAME=pep_proxy_00000000-0000-0000-0000-000000000000\n      - PEP_PASSWORD=test\n      - PEP_PROXY_PDP=idm\n      - PEP_PROXY_MAGIC_KEY=1234\n

The iot-agent-proxy container is listening on a single port:

The PEP Proxy Port - 7897 is exposed purely for tutorial access - so that cUrl or Postman can requests directly to this Wilma instance\nwithout being part of the same network.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value	Description
PEP_PROXY_APP_HOST	`iot-agent`	The hostname of the service behind the PEP Proxy
PEP_PROXY_APP_PORT	`7896`	The port of the service behind the PEP Proxy
PEP_PROXY_PORT	`7897`	The port that the PEP Proxy is listening on
PEP_PROXY_IDM_HOST	`keyrock`	The hostname for the Identity Manager
PEP_PROXY_HTTPS_ENABLED	`false`	Whether the PEP Proxy is running under HTTPS
PEP_PROXY_AUTH_ENABLED	`false`	Whether the PEP Proxy is checking for Authorization
PEP_PROXY_IDM_SSL_ENABLED	`false`	Whether the Identity Manager is running under HTTPS
PEP_PROXY_IDM_PORT	`3005`	The Port for the Identity Manager instance
PEP_PROXY_APP_ID	`tutorial-dckr-site-0000-xpresswebapp`
PEP_PROXY_USERNAME	`pep_proxy_00000000-0000-0000-0000-000000000000`	The Username for the PEP Proxy
PEP_PASSWORD	`test`	The Password for the PEP Proxy
PEP_PROXY_PDP	`idm`	The Type of service offering the Policy Decision Point
PEP_PROXY_MAGIC_KEY	`1234`

For this example, the PEP Proxy is checking for Level 1 - Authentication Access not Level 2 - Basic Authorization or \nLevel 3 - Advanced Authorization.

Securing an IoT Agent South Port - Application Configuration

The tutorial application also plays the role of providing data from our dummy IoT Sensors. The IoT Sensors are\nmaking HTTP request containing commands and measurements in Ultralight syntax. An IoT Sensor username and password\nhave already been registered in Keyrock, programmatically each sensor must obtain an OAuth2 access token and\nwill then make requests to a second Wilma PEP Proxy in front of the IoT Agent.

  tutorial-app:\n    image: fiware/tutorials.context-provider\n    hostname: tutorial-app\n    container_name: tutorial-app\n    depends_on:\n        - orion-proxy\n        - iot-agent-proxy\n        - keyrock\n    networks:\n      default:\n        ipv4_address: 172.18.1.7\n        aliases:\n          - iot-sensors\n    expose:\n        - \"3000\"\n        - \"3001\"\n    ports:\n        - \"3000:3000\"\n        - \"3001:3001\"\n    environment:\n        - \"IOTA_HTTP_HOST=iot-agent-proxy\"\n        - \"IOTA_HTTP_PORT=7897\"\n        - \"DUMMY_DEVICES_PORT=3001\" # Port used by the dummy IOT devices to receive commands\n        - \"DUMMY_DEVICES_TRANSPORT=HTTP\" # Default transport used by dummy Io devices\n        - \"DUMMY_DEVICES_API_KEY=4jggokgpepnvsb2uv4s40d59ov\"\n        - \"DUMMY_DEVICES_USER=iot_sensor_00000000-0000-0000-0000-000000000000\"\n        - \"DUMMY_DEVICES_PASSWORD=test\"\n

The tutorial container hosts the dummy Ultralight sensors. Rather than accessing the IoT Agent directly on port 7896 as\nshown in all previous tutorials, all traffic is forwarded to iot-agent-proxy on port 7897. Most of the relevant tutorial\ncontainer settings have been described in previous tutorials, the DUMMY_DEVICES_USER and DUMMY_DEVICES_PASSWORD are new\nadditions.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value	Description
IOTA_HTTP_HOST	`iot-agent-proxy`	The host name of the Wilma PEP Proxy protecting the IoT Agent for UltraLight 2.0
IOTA_HTTP_PORT	`7896`	The port that the Wilma PEP Proxy protecting the IoT Agent is listenting on
DUMMY_DEVICES_PORT	`3001`	Port used by the dummy IOT devices to receive commands
DUMMY_DEVICES_TRANSPORT	`HTTP`	Default transport used by dummy Io devices
DUMMY_DEVICES_API_KEY	`4jggokgpepnvsb2uv4s40d59ov`	Random security key used for UltraLight interactions - ensures the integrity of interactions between the devices and the IoT Agent
DUMMY_DEVICES_USER	`iot_sensor_00000000-0000-0000-0000-000000000000`	Username assigned to the device(s) in Keyrock
DUMMY_DEVICES_PASSWORD	`test`	Password assigned to the device(s) in Keyrock

The DUMMY_DEVICES_USER and DUMMY_DEVICES_PASSWORD would usually be obtained by adding new entries to the application in Keyrock,\nhowever, in this tutorial, they have been pre-defined by populating the MySQL database with data on start-up.

Securing IoT Agent - Start up

To start the system with a PEP Proxies protecting access to both Orion and the IoT Agent run the following command:

./services southport\n

Securing an IoT Agent South Port - Sample Code

When an IoT Sensor starts up, it must log-in like any other user to obtain an access token:

const DUMMY_DEVICE_HTTP_HEADERS = { 'Content-Type': 'text/plain' };\n

function initSecureDevices(){\n    Security.oa.getOAuthPasswordCredentials(process.env.DUMMY_DEVICES_USER, process.env.DUMMY_DEVICES_PASSWORD)\n    .then(results => {\n        DUMMY_DEVICE_HTTP_HEADERS['X-Auth-Token'] = results.access_token;\n        return;\n    })\n    .catch(error => {\n        debug(error);\n        return;\n    });\n}\n

Each HTTP request thereafter includes the X-Auth-Token Header in the request identifying the IoT Sensor:

const options = { method: 'POST',\n  url: UL_URL,\n  qs: { k: UL_API_KEY, i: deviceId },\n  headers: DUMMY_DEVICE_HTTP_HEADERS,\n  body: state };\n\nrequest(options,  (error) => {\n  if (error){\n    debug( debugText +  \" \" + error.code)\n  } \n});\n

\n","event":[{"listen":"prerequest","script":{"id":"6d3383f2-97c3-43c6-a850-81bba51d5b17","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"a21a68b9-aa92-4710-845f-c16bfe75511a","type":"text/javascript","exec":[""]}}],"_postman_id":"e01520ed-cf2c-412a-a2d1-0d1eaa58dbe5"},{"name":"Securing an IoT Agent North Port","item":[{"name":"Keyrock - Obtaining a permanent token","id":"4f1c365a-e1ef-41e2-acf0-111c3dec15b4","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"description":"

base64 concatenation of Client Id and Client Secret

\n","key":"Authorization","value":"Basic dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA=="},{"key":"Content-Type","value":"application/x-www-form-urlencoded"},{"key":"Accept","value":"application/json"}],"body":{"mode":"raw","raw":"username=alice-the-admin@test.com&password=test&grant_type=password&scope=permanent"},"url":"http://localhost:3005/oauth2/token","description":"

The Keyrock application has been configured to offer permanent tokens

The standard Authorization: Basic header holds the base 64 concatentation of the client id and secret. The parameter\nscope=permanent is added to retrieve permanent tokens when available. The response contains an access_token which\ncan be used for device provisioning.

\n","urlObject":{"protocol":"http","path":["oauth2","token"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"4f1c365a-e1ef-41e2-acf0-111c3dec15b4"},{"name":"IoT Agent - Provisioning a trusted service group","id":"07fbab9f-cba8-4265-8e4a-8e3004126f89","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"PUT","header":[{"key":"fiware-service","value":"openiot"},{"key":"fiware-servicepath","value":"/","type":"text"},{"key":"Content-Type","value":"application/json","type":"text","name":"Accept"}],"body":{"mode":"raw","raw":"{\n \"cbroker\": \"http://orion-proxy:1027\",\n \"trust\": \"b7a4baa86642280b446d733dc2d62c8a21112481\"\n}"},"url":"http://localhost:4041/iot/services?resource=/iot/d&apikey=1068318794","description":"

The Access token (also known as a Trust Token) must be added to the service group.

\n","urlObject":{"protocol":"http","port":"4041","path":["iot","services"],"host":["localhost"],"query":[{"key":"resource","value":"/iot/d"},{"key":"apikey","value":"1068318794"}],"variable":[]}},"response":[],"_postman_id":"07fbab9f-cba8-4265-8e4a-8e3004126f89"},{"name":"IoT Agent - Provisioning a sensor","id":"2e3bc39b-26fa-4ab7-a726-d5e0eaf9b082","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"fiware-service","value":"openiot"},{"key":"fiware-service-path","value":"/","type":"text"},{"key":"Accept","value":"application/json","type":"text","name":"Accept"}],"body":{"mode":"raw","raw":"{\n \"devices\": [\n {\n \"device_id\": \"motion001\",\n \"entity_name\": \"urn:ngsi-ld:Motion:001\",\n \"entity_type\": \"Motion\",\n \"timezone\": \"Europe/Berlin\",\n \"attributes\": [\n { \"object_id\": \"c\", \"name\": \"count\", \"type\": \"Integer\" }\n ],\n \"static_attributes\": [\n { \"name\":\"refStore\", \"type\": \"Relationship\", \"value\": \"urn:ngsi-ld:Store:001\"}\n ]\n }\n ]\n}"},"url":"http://localhost:4041/iot/devices","description":"

Once a trusted service group has been created, a device can be provisioned in the usual manner

\n","urlObject":{"protocol":"http","port":"4041","path":["iot","devices"],"host":["localhost"],"query":[],"variable":[]}},"response":[],"_postman_id":"2e3bc39b-26fa-4ab7-a726-d5e0eaf9b082"}],"id":"5c3e32b4-3054-43e1-a1d5-fde7bf580d62","description":"

Securing an IoT Agent North Port - IoT Agent Configuration

The iot-agent container is listening on port 4041, it is configured to forward traffic to orion-proxy on port\n1027.

iot-agent:\n    image: fiware/iotagent-ul:${ULTRALIGHT_VERSION}\n    hostname: iot-agent\n    container_name: fiware-iot-agent\n    depends_on:\n        - mongo-db\n        - orion\n    networks:\n        - default\n    ports:\n        - \"4041:4041\"\n        - \"7896:7896\"\n    environment:\n        - IOTA_CB_HOST=orion-proxy\n        - IOTA_CB_PORT=1027\n        - IOTA_NORTH_PORT=4041\n        - IOTA_REGISTRY_TYPE=mongodb\n        - IOTA_LOG_LEVEL=DEBUG\n        - IOTA_TIMESTAMP=true\n        - IOTA_CB_NGSI_VERSION=v2\n        - IOTA_AUTOCAST=true\n        - IOTA_MONGO_HOST=mongo-db\n        - IOTA_MONGO_PORT=27017\n        - IOTA_MONGO_DB=iotagentul\n        - IOTA_HTTP_PORT=7896\n        - IOTA_PROVIDER_URL=http://iot-agent:4041\n        - IOTA_AUTH_ENABLED=true\n        - IOTA_AUTH_TYPE=oauth2\n        - IOTA_AUTH_HEADER=Authorization\n        - IOTA_AUTH_HOST=keyrock\n        - IOTA_AUTH_PORT=3005\n        - IOTA_AUTH_URL=http://keyrock:3005\n        - IOTA_AUTH_TOKEN_PATH=/oauth2/token\n        - IOTA_AUTH_PERMANENT_TOKEN=true\n        - IOTA_AUTH_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp\n        - IOTA_AUTH_CLIENT_SECRET=tutorial-dckr-host-0000-clientsecret\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value	Description
IOTA_AUTH_ENABLED	`true`	Whether to use authorization on the north port
IOTA_AUTH_TYPE	`oauth2`	The type of authorization to be used (Keyrock uses OAuth2)
IOTA_AUTH_HEADER	`Authorization`	The name of the header to be added to requests
IOTA_AUTH_HOST	`keyrock`	The Identity Manager holding the application
IOTA_AUTH_PORT	`3005`	The port the Identity Manager is listening on
IOTA_AUTH_URL	`http://keyrock:3005`	The URL for authentication requests
IOTA_AUTH_CLIENT_ID	`tutorial-dckr-site-0000-xpresswebapp`	the Id of the applicantion within Keyrock
IOTA_AUTH_CLIENT_SECRET	`tutorial-dckr-host-0000-clientsecret`	The client secret of the application within Keyrock
IOTA_AUTH_PERMANENT_TOKEN	`true`	Whether to use permanent tokens
IOTA_AUTH_TOKEN_PATH	`/oauth2/token`	the path to be used when requesting tokens

Securing an IoT Agent North Port - Start up

To start the system with a PEP Proxy protecting access to between Orion and the IoT Agent North Port run the\nfollowing command:

./services northport\n

","event":[{"listen":"prerequest","script":{"id":"6d3383f2-97c3-43c6-a850-81bba51d5b17","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"a21a68b9-aa92-4710-845f-c16bfe75511a","type":"text/javascript","exec":[""]}}],"_postman_id":"5c3e32b4-3054-43e1-a1d5-fde7bf580d62"}],"event":[{"listen":"prerequest","script":{"id":"fcfbbecf-1166-488b-b366-a7cc7bd67d9d","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"be74ae42-b383-4989-b105-6b28196c6cfe","type":"text/javascript","exec":[""]}}],"variable":[{"key":"keyrock","value":"localhost:3005"},{"key":"X-Auth-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},{"key":"X-Subject-token","value":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},{"key":"application-id","value":"tutorial-dckr-site-0000-xpresswebapp"},{"key":"X-Access-token","value":" 79d07d0139c66b75fc25f56a88008553f12f6ac7"},{"key":"Authorization","value":"dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA=="},{"key":"iot-agent-id","value":"iot_sensor_00000000-0000-0000-0000-000000000000"},{"key":"pep-proxy-id","value":"pep_proxy_00000000-0000-0000-0000-000000000000"}]}