Secure Data River Configuration

Reading Time: 6 minutes

The ADLINK Data River does not include encryption or authentication by default. The Edge SDK provides the means to protect data on the Data River, it restricts which applications can access data. You can also protect data at Tag Group level and specify access control rules.

To create a secure Data River and the requirements for the applications which connect to the Data River to ensure they are compliant with the rules, you require a number of certificates, keys and configuration files. The Edge SDK securitycomposer tool uses these files to generate the documents you need to secure the Data River and applications, Edge Profile Builder can easily deploy these documents to secure your applications.

Create the certificates and keys

There are a number of ways to create self-signed certificates and keys, the following steps use Ubuntu 18.04 with OpenSSL installed. For Windows, refer to Microsoft support.

  1. Create a root key for the Certificate Authority. This is the key it uses to sign the certificate requests, anyone holding this can sign certificates on your behalf, therefore you must keep this safe.
openssl genrsa -out rootCA.key 2048
  1. Create and self sign the Certificate Authority, the following uses the root key to create the certificate that needs to be used for all applications.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
  1. Create a private key for each application you want to secure signed by the Certificate Authority. Replace ‘appname’ with the name of the application. E.g. ‘aea-deep-stream’.
openssl genrsa -out appname.key 2048
  1. Generate a certificate signing request. Replace ‘appname’ with the name of the application. E.g. ‘aea-deep-stream’.

Note: When you create the signing request is important to specify the Common Name (CN) providing the IP address or domain name for the service, otherwise the certificate cannot be verified, e.g. CN=adlinktech.com.

openssl req -new -sha256 -key appname.key -subj "/C=UK/ST=NE/O=MyOrg/CN=mydomain.com" -out appname.csr
  1. Use the signing request and key along with the Certificate Authority key to generate the application certificate. Replace ‘appname’ with the name of the application. E.g. ‘aea-deep-stream’.
openssl x509 -req -in appname.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out appname.crt -days 500 -sha256

Install Edge SDK

Download and install Edge SDK from https://www.adlinktech.com/en/Edge-SDK-software-download. If you don’t have an existing account you must register as a new user, you will receive an email to verify your email address and create a new password, you can then download Edge SDK. When you select the download, you will receive a second email which contains the licence file.

Create the Data River security configuration file

The Data River security settings for the securitycomposer tool must be in json format. The json structure is as follows:

Copy and paste the following code block into a json file with the name ‘data_river_config.json’, alternatively you can download the data_river_config.json file.

Note: Windows users must change the certificate and privateKey paths to “file:../rootCA.crt” and “file:../rootCA.key”.

{
    "security": {
        "certificationAuthority": {
            "identityAuthority": {
                "certificate": "file://./rootCA.crt"
            },
            "permissionsAuthority": {
                "certificate": "file://./rootCA.crt",
                "privateKey": "file://./rootCA.key"
            }
        },
        "discoveryProtection": {
            "enabled": true
        },
        "dataProtection": {
            "defaultRule": {
                "policy": {
                    "restrictReadAccess": true,
                    "restrictWriteAccess": true,
                    "protection": "encrypt"
                }
            }
        }
    }
}

Create the application security configuration file

You must create an application security settings file for each application with the name ‘applicationname_config.json’ for example, ‘aea_deep_stream_config.json’, the file contains 3 sections, as follows:

Note: An example pre-configured secure profile named ‘secure-apps’ is available to download within Edge Profile Builder. The profile uses deep stream therefore you must run it on a device with an NVIDIA GPU. The Node Red application within the profile has been secured with username: ‘admin’ and password: ‘milktray’, you can access the Node Red interface at “http://<devicehostname or ip>:1880”.

The following code blocks and downloads are example configuration with entries for all the Tag Groups we expect the applications to write to. You must configure the Tag Group permissions in this way to allow the application to write to its Tag Groups with the Data River security configuration previously specified (by default, it restricts read/write access). There are examples for:

Note: Windows users must change the certificate and privateKey paths to “file:../<application name>.crt” and “file:../<application name>.key”, for example, “file:../aea-deep-stream.crt” and “file:../aea-deep-stream.key”.

aea-deep-stream configuration

Download the aea_deep_stream_config.json file.

{
    "security": {
        "authentication": {
            "identity": {
                "certificate": "file://./aea-deep-stream.crt",
                "privateKey": "file://./aea-deep-stream.key"
            }
        },
        "permissions": [
            {
                "tagGroupId": "VideoFrame:com.adlinktech.vision.capture:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "DetectionBox:com.adlinktech.vision.inference:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "DetectionPoint:com.adlinktech.vision.inference:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "Classification:com.adlinktech.vision.inference:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "Segmentation:com.adlinktech.vision.inference:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "Line:com.adlinktech.vision.inference:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "RegionOfInterest:com.adlinktech.vision.inference:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "LineCrossed:com.adlinktech.vision.inference:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "DeviceInfo:com.adlinktech.vision.system:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "DeepStreamPerformance:com.adlinktech.vision.system:2.2.0",
                "write": "allow"
            }
        ],
        "defaultPermission": "deny"
    }
}

aea-model-confidence configuration

The aea-model-confidence app needs to read from the Tag Group ‘DetectionBox:com.adlinktech.vision.inference:2.2.0’ and writes to the Tag Group ‘StreamConfidence:com.adlinktech.vision:2.2.0’.

Download the aea_model_confidence_config.json file.

{
    "security": {
        "authentication": {
            "identity": {
                "certificate": "file://./aea-model-confidence.crt",
                "privateKey": "file://./aea-model-confidence.key"
            }
        },
        "permissions": [
            {
                "tagGroupId": "StreamConfidence:com.adlinktech.vision:2.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "DetectionBox:com.adlinktech.vision.inference:2.2.0",
                "read": "allow"
            }
        ],
        "defaultPermission": "deny"
    }
}

aea-node-red configuration

The aea-node-red app needs to read from both the DetectionBox and StreamConfidence Tag Groups. Node-RED can read/write to a range of different tag groups, the configuration file is profile specific and may need to change when used as part of other profiles.

Download the aea_node_red_config.json file.

{
    "security": {
        "authentication": {
            "identity": {
                "certificate": "file://./aea-node-red.crt",
                "privateKey": "file://./aea-node-red.key"
            }
        },
        "permissions": [
            {
                "tagGroupId": "StreamConfidence:com.adlinktech.vision:2.2.0",
                "read": "allow"
            },
            {
                "tagGroupId": "DetectionBox:com.adlinktech.vision.inference:2.2.0",
                "read": "allow"
            }
        ],
        "defaultPermission": "deny"
    }
}

edge-profile-builder configuration

Download the edge_profile_builder_config.json file.

{
    "security": {
        "authentication": {
            "identity": {
                "certificate": "file://./edge-profile-builder.crt>",
                "privateKey": "file://./edge-profile-builder.key>"
            }
        },
        "permissions": [
            {
                "tagGroupId": "DeviceInfo:com.adlinktech.edge.ddr:*",
                "read": "allow"
            },
            {
                "tagGroupId": "DeviceRegistered:com.adlinktech.edge.ddr:2.0.0",
                "read": "allow"
            },
            {
                "tagGroupId": "DeviceLicenses:com.adlinktech.edge.ddr:1.1.0",
                "read": "allow"
            },
            {
                "tagGroupId": "DeviceRuntime:com.adlinktech.edge.drcm:1.0.1",
                "write": "allow",
                "read": "allow"
            },
            {
                "tagGroupId": "DeploymentProgress:com.adlinktech.edge.dcdm:1.2.0",
                "read": "allow"
            },
            {
                "tagGroupId": "Container:com.adlinktech.edge.dsm:1.0.0",
                "read": "allow"
            },
            {
                "tagGroupId": "SSHStatus:com.adlinktech.edge.scm:1.1.0",
                "write": "allow",
                "read": "allow"
            },
            {
                "tagGroupId": "AcceptedLicenses:com.adlinktech.edge.ddr:1.1.0",
                "write": "allow"
            },
            {
                "tagGroupId": "DeviceRegistration:com.adlinktech.edge.ddr:1.1.0",
                "write": "allow"
            },
            {
                "tagGroupId": "DockerComposeProfile:com.adlinktech.edge.dcdm:1.2.0",
                "write": "allow"
            },
            {
                "tagGroupId": "StreamViewerConfig:com.adlinktech.vision:0.1.0",
                "read": "allow"
            },
            {
                "tagGroupId": "ModelManagerInfo:com.vision.config:v1.0",
                "read": "allow"
            },
            {
                "tagGroupId": "EngineConfigV2:com.vision.data:v1.0",
                "read": "allow"
            }
            ,
            {
                "tagGroupId": "ModelConfigRequest:com.vision.request:v1.0",
                "read": "allow"
            }
        ],
        "defaultPermission": "deny"
    }
}

edge-agent configuration

Download the edge_agent_config.json file.

{
    "security": {
        "authentication": {
            "identity": {
                "certificate": "file://./edge-agent.crt>",
                "privateKey": "file://./edge-agent.key>"
            }
        },
        "permissions": [
            {
                "tagGroupId": "Filter:com.adlinktech.edge.sjm:1.0.0",
                "write": "allow",
                "read": "allow"
            },
            {
                "tagGroupId": "AcceptedLicenses:com.adlinktech.edge.ddr:1.1.0",
                "read": "allow"
            },
            {
                "tagGroupId": "DeviceRegistration:com.adlinktech.edge.ddr:1.1.0",
                "read": "allow"
            },
            {
                "tagGroupId": "DeviceRuntime:com.adlinktech.edge.drcm:1.0.1",
                "write": "allow",
                "read": "allow"
            },
            {
               "tagGroupId": "SSHStatus:com.adlinktech.edge.scm:1.1.0",
               "write": "allow",
               "read": "allow"
            },
            {
               "tagGroupId": "DeviceInfo:com.adlinktech.edge.ddr:2.0.0",
               "write": "allow"
            },
            {
               "tagGroupId": "Entry:com.adlinktech.edge.sjm:1.0.0",
               "write": "allow"
            },
            {
               "tagGroupId": "DeviceLicenses:com.adlinktech.edge.ddr:1.1.0",
               "write": "allow"
            },
            {
               "tagGroupId": "DeviceRegistered:com.adlinktech.edge.ddr:2.0.0",
               "write": "allow"
            }
        ],
        "defaultPermission": "deny"
    }
}

edge_docker_monitor configuration

Download the edge_docker_monitor_config.json file.

{
    "security": {
        "authentication": {
            "identity": {
                "certificate": "file://./edge-docker-monitor.crt>",
                "privateKey": "file://./edge-docker-monitor.key>"
            }
        },
        "permissions": [
            {
               "tagGroupId": "System:com.adlinktech.edge.dsm:1.0.0",
               "write": "allow"
            },
            {
                "tagGroupId": "Container:com.adlinktech.edge.dsm:1.0.0",
                "write": "allow"
            },
            {
                "tagGroupId": "Image:com.adlinktech.edge.dsm:1.0.0",
                "write": "allow"
            }
        ],
        "defaultPermission": "deny"
    }
}

Generate the configuration files with securitycomposer

The securitycomposer tool is included with Edge SDK in the directory $EDGE_SDK_HOME/tools/securitycomposer[.exe] e.g. /opt/ADLINK/EdgeSDK/1.8.0/tools. It generates the comprehensive security configuration files required for each application.

To generate the required files to secure the Data River and application:

  1. Copy all of the files you have created the same directory as the securitycomposer, e.g. /opt/ADLINK/EdgeSDK/1.8.0/tools. This includes:
    • data_river_config.json
    • applicationname_config.json e.g. aea_deep_stream_config.json
    • applicationname.crt e.g. aea-deep-stream.crt
    • applicationname.csr e.g. aea-deep-stream.csr
    • applicationname.key e.g. aea-deep-stream.key
    • rootCA.crt
    • rootCA.key
    • rootCA.srl

Note: If the files are in a different directory to securitycomposer, the certificate and privatekey paths must be amended in the ‘data_river_config.json’ and application json files and the following step.

  1. Open a command terminal and change the directory to the securitycomposer directory.

The securitycomposer tool requires the following options:

  1. Run the following command for the required operating system, replace ‘aea-deep-stream’ with the required application:

Linux

./securitycomposer --datariver-config=./data_river_config.json --app-config=./aea_deep_stream_config.json --app-name=aea-deep-stream --output-path=./PKI

Windows

securitycomposer --datariver-config=data_river_config.json --app-config=aea_deep_stream_config.json --app-name=aea-deep-stream --output-path=PKI

This generates the configuration files in a folder called PKI. All applications use some of these output files, and some files are application specific and therefore prefixed with the supplied application name. The files it generates are as follows:

Note: The generated <app-name>_datariver_config.xml file contains file URI’s (file://… paths) which refer to the other files output by the securitycomposer. Depending on the supplied –output-path, these URI’s may not be correct for the application on the target device, refer to the instructions for each application and modify the URI’s using a text editor where required.

To deploy the configuration, refer to one of the following: