Securing the Doradus REST API
By default, the Doradus REST API uses unencrypted HTTP. Because Doradus provides no application-level security, any process that connects to the Doradus REST port is allowed to perform all schema, update, and query commands. The REST API can be secured by enabling TLS (SSL), which encrypts all traffic. Optionally, client authentication can be enabled, so that TLS uses mutual authentication and accepts connections only from clients whose certificates have been registered at the server. The process for securing the REST port with TLS is described below:
1) Enable TLS by setting the tls parameter in the doradus.yaml file to true. Example:
tls: true
2) Create a certificate for use by the Doradus server and store it in a keystore file. You can use the keytool utility included with the JRE. An overview of the process to create a self-signed certificate is outlined here:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
3) Set the keystore parameter in the doradus.yaml file to the location of the keystore file, and set the keystorepassword parameter to the file’s password. Example:
keystore: config/keystore
keystorepassword: mykspassword
4) If client authentication will be used, create a certificate for each client application and import each one into a truststore file. (See the same article referenced above.) Set the truststore parameter in the doradus.yaml file to the location of the truststore file, and set the truststorepassword parameter to the file’s password. Example:
truststore: config/truststore
truststorepassword: mytspassword
5) To require client authentication, set the clientauthentication parameter in the doradus.yaml file to true. This requires REST API connections to use mutual authentication. Example:
clientauthentication: true
6) The cipher algorithms allowed by the REST API when TLS is enabled are controlled via the tls_cipher_suites parameter. The default list includes the algorithms recommended for FIPS compliance. The algorithms actually allowed by the REST API are those that are both in the configured list and available to the JVM in which Doradus is running. The cipher algorithm list can be tailored, for example, to only allow 256-bit symmetrical encryption. Example:
tls_cipher_suites:
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Custom algorithms can also be used as long as they are installed in the JVM used to run Doradus.
With the steps above, Doradus will use TLS for its REST API port, optionally requiring mutual authentication. Clients must connect to the REST port using TLS. If client authentication is enabled, they must submit a certificate that was added to the truststore. Each client must also support one of the configured cipher algorithms.
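Step 6 says the usable suites are those both listed in tls_cipher_suites and available to the JVM. The following added example (not part of the Doradus code base) reports which configured suites a given JVM supports. The class name CipherSuiteCheck is hypothetical, and the check assumes the JVM's default SSLContext reflects what the server can offer.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {
    // Sample input: the tls_cipher_suites list from the example in step 6.
    static final List<String> CONFIGURED = Arrays.asList(
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA");

    // Returns the configured suites that the JVM also supports, in configured order.
    static List<String> usable(List<String> configured, Set<String> supported) {
        List<String> out = new ArrayList<>();
        for (String suite : configured) {
            if (supported.contains(suite.trim())) {
                out.add(suite.trim());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Suite names passed as arguments override the built-in sample list.
        List<String> configured = args.length > 0 ? Arrays.asList(args) : CONFIGURED;
        // Assumption: the default SSLContext reports the suites this JVM can negotiate.
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> ok = usable(configured, supported);
        for (String suite : configured) {
            String status = ok.contains(suite.trim()) ? "usable   " : "MISSING  ";
            System.out.println(status + suite.trim());
        }
        if (ok.isEmpty()) {
            // An empty intersection leaves client and server with no suite to agree on.
            System.err.println("No configured suite is available in this JVM.");
            System.exit(1);
        }
    }
}
```

Run it with the same java binary that launches Doradus, since the supported suites differ between JVM versions and security provider configurations.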