I am working on a building automation IoT system which has both an oBIX and a CoAP application to provide web services. As per my knowledge, the CoAP layer operates above the oBIX handler. Also, some interfaces of oBIX are similar to CoAP.
My query is: why is oBIX required? Why is oBIX necessary if CoAP is already available?
In IoT, CoAP is used as a binding protocol for oBIX interfaces. The oBIX specification provides for bindings using REST (over HTTP or CoAP), SOAP, and WebSocket to talk with the web/internet. In many cases, your choice of binding may be dictated by the application's needs, such as whether you are implementing a server in a constrained environment or an enterprise-level application.
For the CoAP binding, the following CoAP interfaces are mapped to oBIX requests:
oBIX Request    HTTP Interface
Read            GET
Write           PUT
Invoke          POST
Delete          DELETE
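To show what that binding looks like on the wire, here is an added example (not code from the answer above, from the oBIX specification, or from any CoAP library) that frames each oBIX request as a confirmable CoAP message using the method mapping above and parses it back, rejecting the message-format errors RFC 7252 requires a receiver to reject (reserved token lengths, the reserved option nibble 15, a payload marker with no payload, and options that run past the end of the datagram). The oBIX paths such as /obix/hvac/setpoint, the XML payload and the message IDs are constructed sample input; Content-Format 41 (application/xml) is assumed for oBIX's XML encoding.

```python
"""CoAP framing for the oBIX verb binding (RFC 7252, section 3).

Added example, not code from the original post, the oBIX specification, or any
CoAP library. Method codes and option numbers are from RFC 7252; the oBIX paths
and the XML payload are constructed sample input, and Content-Format 41
(application/xml) is assumed for oBIX's XML encoding.
"""
import struct

COAP_VERSION = 1
TYPE_CON = 0  # confirmable: the client expects an ACK carrying the response
# oBIX request -> CoAP method code (class 0, detail 1..4): GET, PUT, POST, DELETE
OBIX_TO_COAP_CODE = {"read": 1, "write": 3, "invoke": 2, "delete": 4}
COAP_CODE_TO_OBIX = {code: op for op, code in OBIX_TO_COAP_CODE.items()}
OPT_URI_PATH = 11
OPT_CONTENT_FORMAT = 12
CF_APPLICATION_XML = 41  # assumed for the oBIX XML encoding
PAYLOAD_MARKER = 0xFF


def _encode_field(value):
    """Nibble plus extension bytes for an option delta or length (RFC 7252 3.1)."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def _decode_field(nibble, data, pos):
    """Inverse of _encode_field; returns (value, new position) with bounds checks."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos + 1 > len(data):
            raise ValueError("truncated option header")
        return data[pos] + 13, pos + 1
    if nibble == 14:
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        return struct.unpack_from("!H", data, pos)[0] + 269, pos + 2
    raise ValueError("option nibble 15 is reserved: message format error")


def build_obix_request(op, path, msg_id, token=b"", payload=b""):
    """Encode an oBIX read/write/invoke/delete on `path` as a confirmable CoAP request."""
    if len(token) > 8:
        raise ValueError("token length 9-15 is reserved")
    header = bytes([(COAP_VERSION << 6) | (TYPE_CON << 4) | len(token),
                    OBIX_TO_COAP_CODE[op]]) + struct.pack("!H", msg_id) + token
    options = [(OPT_URI_PATH, seg.encode()) for seg in path.strip("/").split("/") if seg]
    if payload:
        options.append((OPT_CONTENT_FORMAT, bytes([CF_APPLICATION_XML])))
    body = bytearray()
    previous = 0
    # Options are written in ascending number order, each as a delta from the previous one.
    for number, value in sorted(options, key=lambda o: o[0]):
        delta_nibble, delta_ext = _encode_field(number - previous)
        len_nibble, len_ext = _encode_field(len(value))
        body += bytes([(delta_nibble << 4) | len_nibble]) + delta_ext + len_ext + value
        previous = number
    if payload:
        body += bytes([PAYLOAD_MARKER]) + payload
    return header + bytes(body)


def parse_coap(data):
    """Decode a CoAP message, rejecting the format errors RFC 7252 says must be rejected."""
    if len(data) < 4:
        raise ValueError("truncated fixed header")
    version, msg_type, tkl = data[0] >> 6, (data[0] >> 4) & 3, data[0] & 0xF
    if version != COAP_VERSION:
        raise ValueError("unknown CoAP version")
    if tkl > 8:
        raise ValueError("token length 9-15 is reserved")
    if len(data) < 4 + tkl:
        raise ValueError("truncated token")
    code = data[1]
    msg_id = struct.unpack_from("!H", data, 2)[0]
    token = bytes(data[4:4 + tkl])
    pos, number, options = 4 + tkl, 0, []
    while pos < len(data) and data[pos] != PAYLOAD_MARKER:
        first = data[pos]
        pos += 1
        delta, pos = _decode_field(first >> 4, data, pos)
        length, pos = _decode_field(first & 0xF, data, pos)
        if pos + length > len(data):
            raise ValueError("option value runs past end of message")
        number += delta
        options.append((number, bytes(data[pos:pos + length])))
        pos += length
    payload = b""
    if pos < len(data):  # loop stopped on a payload marker
        payload = bytes(data[pos + 1:])
        if not payload:
            raise ValueError("payload marker with no payload: message format error")
    return {
        "type": msg_type, "code": code, "obix_op": COAP_CODE_TO_OBIX.get(code),
        "msg_id": msg_id, "token": token, "options": options,
        "uri_path": [v.decode() for n, v in options if n == OPT_URI_PATH],
        "payload": payload,
    }


if __name__ == "__main__":
    req = build_obix_request("write", "/obix/hvac/setpoint", 0x1234,
                             token=b"\x01", payload=b'<real val="21.5"/>')
    print(req.hex())
    print(parse_coap(req))
```

Note that CoAP itself carries no authentication: on a real building network the same frames would travel over DTLS (the coaps scheme) or sit behind oBIX-level access control in the handler, otherwise anyone on the segment can issue the Write/Invoke/Delete messages above.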
I have a setup like this:
Keycloak OIDC Server for Identity and Access Management Service - Running in Cloud - A
Backend RESTful Microservices - Running in Cloud - B
Backend RESTful Microservices - Running in On-prem servers across multiple locations - C
User Mobile app - Multiple users across locations - X
User web app - Multiple users across locations - Y
X and Y use the password grant to access B, i.e. X and Y call the login API of B with username and password; B gets the access token from Keycloak and sends it back in the response, and they (X, Y) use it for further API calls towards B to get authorized.
Now, this is the doubt that I have:
Should we do the same for C? I.e., should there be an API in B for C to call, posting the client-id and client-secret (client-credentials grant) to get the access token? Is this a good pattern / valid implementation?
The need for this method of access:
The ops team is planning to hide A from being exposed to the internet, so B will act as an abstraction layer for it.
Is keeping the IAM service from being exposed to the internet a good idea? I have never seen an IAM service abstracted before. Please clarify.
HOSTING
The usual hosting best practice is to place the Identity system behind a reverse proxy / gateway such as NGINX Plus. This is because the Identity system connects to sensitive data sources, whereas the reverse proxy can be the entry point, e.g. in a DMZ. You can then limit the OIDC endpoints exposed to the internet.
Avoid writing home-grown proxying to the Identity system, since that is likely to be less resilient than a battle-tested system such as NGINX. See the IAM Primer for an overview.
SECURITY DESIGN PATTERNS
A reverse proxy also supports plugins that can do many utility security jobs, such as translating secure cookies to access tokens. So it is a highly useful part of the architecture. See this article for an example plugin using the high-level Lua programming language.
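As an added example (not from the answer above and not Curity's or Keycloak's own configuration), here is what "limit the OIDC endpoints exposed to the internet" can look like for the setup in the question: an NGINX reverse proxy in front of Keycloak (A) that lets only the token, discovery, JWKS, userinfo and logout endpoints of one realm through, keeps the admin console, account console and every other realm unreachable from the internet, and rate-limits the token endpoint, which X and Y hit with passwords and C would hit with its client secret. Assumptions: the Keycloak 17+ path layout (/realms/...), a realm named myrealm, Keycloak reachable internally as keycloak.internal:8080, the hostname login.example.com and certificate paths, and Keycloak configured to trust the proxy's X-Forwarded-* headers (KC_PROXY=edge on older releases, KC_PROXY_HEADERS=xforwarded on current ones) so that it builds the right issuer URLs.

```nginx
# Added example: expose only the OIDC endpoints the apps need; everything else on
# Keycloak (admin console, account console, other realms) stays off the internet.
# Assumed: Keycloak 17+ paths, realm "myrealm", internal host keycloak.internal:8080.
# This fragment belongs inside the http {} context.
limit_req_zone $binary_remote_addr zone=oidc_token:10m rate=10r/s;

upstream keycloak {
    server keycloak.internal:8080;
}

server {
    listen 443 ssl;
    server_name login.example.com;
    ssl_certificate     /etc/nginx/tls/login.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/login.example.com.key;

    # Token endpoint: password grant (X, Y) and client-credentials grant (C) both land
    # here, so it is the credential-stuffing target and gets per-IP rate limiting.
    location = /realms/myrealm/protocol/openid-connect/token {
        limit_req zone=oidc_token burst=20 nodelay;
        proxy_pass http://keycloak;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Discovery and JWKS (what B needs to validate tokens), plus userinfo and logout.
    location ~ ^/realms/myrealm/(\.well-known/openid-configuration|protocol/openid-connect/(certs|userinfo|logout))$ {
        proxy_pass http://keycloak;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Deliberately not proxied: /admin/, /realms/master/, /realms/myrealm/account/,
    # /metrics and /health. They remain reachable only on the internal network.
    location / {
        return 404;
    }
}
```

With this in place, C does not need B to wrap the client-credentials grant: C posts its client-id and client-secret straight to the proxied token endpoint, and B only ever has to validate the resulting tokens against the JWKS. If a browser redirect flow is added later, the auth endpoint, /realms/myrealm/login-actions/ and /resources/ have to be allowed through as well.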
I would like to deploy this on Kubernetes. Would it make sense for both the Auth Server and the Policy engine to talk to the API Gateway independently, or is it more accurate for only the Auth Server to talk to the API Gateway and for OPA to talk to the API Gateway only via the Auth Server?
At Curity we have some good resources related to this. Usually the first key consideration is around components that use data sources:
APIs
Authorization Server
These are always deployed with a reverse proxy / gateway in front of them, so that an attacker has to breach two layers to access data sources; this is covered in our IAM Primer.
In addition the gateway can then provide some interesting capabilities:
Token Introspection and Caching
Dynamic Routing
In terms of OPA, it depends on how you will use it; here are a couple of possible options:
The Gateway calls OPA to perform high-level checks to grant or deny access, as in this OPA use case
The API calls OPA and passes it a Claims Principal, then uses the response to decide how to filter results, as described in our Claims Best Practices article
IBM has MQIPT (IBM MQ Internet Pass-Thru) that acts as MQ forwarder/reverse proxy to implement messaging solutions between remote sites across the internet. Is there such an equivalence for Solace?
Solace has all kinds of fancy advanced features for load balancing and hybrid/multi-site deployments like bridges and dynamic message routing, but I don't really know those, and where's the fun in having everything ready-made and pre-solved for you anyway? :-)
So here I am going to assume you want to roll your own solution and use an actual reverse proxy:
You can switch to HTTP-based protocols and just use any regular HTTP reverse proxy. Solace message brokers have a REST message interface, or, if your application already uses the Solace API for messaging (or needs its advanced features), you can switch over to HTTP streaming or WebSockets as a transport by modifying the scheme portion of the broker URL in your application configuration (http:// or ws:// instead of tcp://). This will only allow you to balance sessions, not individual messages within a single elephant flow.
I'm currently building a reporting service (WCF) - filled reports are produced using an Elastic Object which uses C# dynamics - I have written code to transform the object into JSON within the WCF service. The WCF service is hosted within a Windows Service and uses either named pipes or TCP bindings.
What I need to do next is to return the report object as JSON to an ASP.Net MVC web application which then just passes it through to the client without deserializing. I cannot have the client call the WCF service directly due to security issues.
Is this possible?
OK - This was fairly straightforward in the end -
I followed this post here, replacing my ElasticObject with the SerializableDynamicObject
(I didn't need the extended abilities of the ElasticObject)
This approach works nicely.
I'm developing an iPad application that will consume a WCF service over HTTPS (using SOAP, probably).
I used NSURLConnection on the iPad to connect to an HTTP web service and it worked fine. But the WCF service will use HTTPS.
The WCF service has some different configurations (e.g. security mode: Transport, Message, and TransportWithMessageCredential).
Is there any limitation on the iPad to consuming a WCF service over HTTPS? What is the best way?
You can use NSURLConnection itself. If you want to handle the security credentials while connecting to the server, you have to look into the methods below:
- (BOOL)connection:(NSURLConnection *)conn canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
- (void)connection:(NSURLConnection *)conn didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
The sample project below from Apple will help you:
http://developer.apple.com/library/ios/#samplecode/AdvancedURLConnections/Introduction/Intro.html