Secure Applications on the Data River

The ADLINK Data River does not include encryption or authentication by default. The Edge SDK provides the means to protect data on the Data River by restricting which applications can access data. You can also protect data at Tag Group level and specify access control rules.

To create a secure Data River, and to define the requirements that applications connecting to it must meet to comply with its rules, you require a number of certificates, keys and configuration files. The Edge SDK securitycomposer tool uses these files to generate the documents you need to secure the Data River and applications, and Edge Profile Builder can then deploy these documents to secure your applications.

Note: An example pre-configured secure profile named ‘secure-apps’ is available to download within Edge Profile Builder. The profile uses DeepStream, therefore you must run it on a device with an NVIDIA GPU. The Node-RED application within the profile has been secured with username ‘admin’ and password ‘milktray’; you can access the Node-RED interface at “http://<devicehostname or ip>:1880”.

Generate the secure Data River configuration files

Refer to Secure Data River Configuration to create the files you need to secure your applications.

Add the files to Edge Profile Builder

You must have Edge Profile Builder 4.0.0 installed. For information about how to install Edge Profile Builder, refer to one of the following:

  1. Open Edge Profile Builder, browse to http://localhost:8082, and within Projects open the project and profile that contains the application you want to secure.
  2. Click the application and the Files tab, then upload the ‘appname_datariver_config.xml’ file to the root directory: click Upload file and Choose file, browse to the PKI folder which contains the configuration files, select ‘appname_datariver_config.xml’, click Open and then Upload.
  3. Click Create new folder, enter ‘PKI’ and click Create.
  4. Select the new PKI folder and use Upload file to upload each of the remaining files generated from securitycomposer.
  5. Click Save Changes and then click the Docker tab. Next to ‘Environment Variables’, click Add New.
  6. In the Name field enter ‘ADLINK_DATARIVER_URI’ and in the Value field enter ‘file://appname_datariver_config.xml’. Replace appname with the application name, e.g. ‘file://aea-deep-stream_datariver_config.xml’.
  7. Click Save Changes. Repeat this procedure for all applications.

Secure Node-RED

To password-protect Node-RED, you must first install a bcrypt tool to hash the password. There are a number of ways you can generate a bcrypt hash for a password; these steps use Ubuntu 18.04. For Windows, refer to Microsoft support.

  1. Install nodejs.
     sudo apt install npm nodejs
  2. Install the bcrypt-cli utility.
     sudo npm install --global bcrypt-cli
  3. Generate a bcrypt hash of a password string. The following example uses the password string ‘adlinknode-red’.
     bcrypt-cli "adlinknode-red" 10

     The bcrypt hash output appears as follows:

     $2a$10$/fez.6myraxZpa0wyfnO4e6Ps0GygnyjzXrEGXHhu6YoRm2q13XJS
  4. Create a new file called ‘settings.js’ and paste in the following code. It includes the bcrypt hash shown above; you must replace this with your own bcrypt hash string. To enable access to the Node-RED Editor over HTTPS, rather than the default HTTP, use the ‘https’ configuration option in your settings file:
module.exports = {
    // The following property can be used to enable HTTPS
    // See http://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
    // for details on its contents.
    // This property can be either an object, containing both a (private) key and a (public) certificate,
    // or a function that returns such an object:
    //// https object:
    https: {
        key: require("fs").readFileSync('/PKI/aea-node-red.key.pem'),
        cert: require("fs").readFileSync('/PKI/aea-node-red_identity_cert.pem')
    },
    // The following property can be used to cause insecure HTTP connections to
    // be redirected to HTTPS.
    requireHttps: true,
    // To password protect the Node-RED editor and admin API, the following
    // property can be used. See http://nodered.org/docs/security.html for details.
    adminAuth: {
        type: "credentials",
        users: [{
            username: "admin",
            password: "$2a$10$/fez.6myraxZpa0wyfnO4e6Ps0GygnyjzXrEGXHhu6YoRm2q13XJS",
            permissions: "*"
        }]
    }
}
  5. Open Edge Profile Builder, browse to http://localhost:8082, and within Projects open the project and profile that contains the Node-RED application.
  6. Click the application and the Files tab, then select the adlinkedge folder and the config folder. Click Upload file and Choose file, browse to the folder which contains the ‘settings.js’ file, select the file, click Open and then Upload.
  7. Click Save Changes.
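
A check to run on the ‘settings.js’ contents before uploading them, as an added example that is not ADLINK or Node-RED code: it flags a missing ‘https’ or ‘requireHttps’ setting and any adminAuth password that is not a bcrypt hash, is still the sample hash printed in this guide, or uses a cost below an assumed minimum of 10. The names auditSettings, withUser and tlsStub and the sample objects are constructed for illustration.

```javascript
// Added example, not ADLINK or Node-RED code: audit a loaded settings object.
// PUBLISHED_HASH is the sample hash printed in this guide; it must be replaced.
const PUBLISHED_HASH =
  "$2a$10$/fez.6myraxZpa0wyfnO4e6Ps0GygnyjzXrEGXHhu6YoRm2q13XJS";
// Shape: $2<variant>$<2-digit cost>$ then 22 salt + 31 digest characters.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// minCost is an assumed policy value (the guide's command uses 10).
function auditSettings(settings, minCost = 10) {
  const findings = [];
  // The https option may be an object or a function returning one.
  const tls = typeof settings.https === "function" ? settings.https() : settings.https;
  if (!tls || !tls.key || !tls.cert) findings.push("https: key and cert must both be set");
  if (settings.requireHttps !== true) findings.push("requireHttps: HTTP is not redirected");

  const auth = settings.adminAuth;
  const users = auth && auth.type === "credentials" && Array.isArray(auth.users) ? auth.users : [];
  if (users.length === 0) findings.push("adminAuth: no credential users defined");
  for (const user of users) {
    const who = `adminAuth user '${user.username}'`;
    const m = BCRYPT_RE.exec(String(user.password));
    if (!m) findings.push(`${who}: password is not a bcrypt hash`);
    else if (user.password === PUBLISHED_HASH) findings.push(`${who}: password is the guide's sample hash`);
    else if (Number(m[1]) < minCost) findings.push(`${who}: bcrypt cost ${Number(m[1])} is below ${minCost}`);
  }
  return findings;
}

// Constructed inputs; key/cert strings stand in for the readFileSync() results.
const tlsStub = { key: "constructed-key", cert: "constructed-cert" };
const withUser = (password) => ({
  https: tlsStub,
  requireHttps: true,
  adminAuth: { type: "credentials", users: [{ username: "admin", password, permissions: "*" }] },
});
const asPublished = withUser(PUBLISHED_HASH);
// Constructed hash-shaped string, not derived from any real password.
const replaced = withUser("$2b$12$" + "A".repeat(22) + "B".repeat(31));

console.log(auditSettings(asPublished));
console.log(auditSettings(replaced));
```

An empty result means only that the settings have the expected shape; the check does not verify that the hash matches any particular password.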

Secure Portainer

Portainer is included by default with Edge Profile Builder, so users need to consider this when planning to deploy a secure app setup. Either remove Portainer from the deployment or see https://documentation.portainer.io/v2.0/deploy/ssl/ for instructions on how to set up HTTPS access.