Secure Edge Profile Builder and Edge Platform


The ADLINK Data River does not include encryption or authentication by default. The Edge SDK provides the means to protect data on the Data River by restricting which applications can access it. You can also protect data at Tag Group level and specify access control rules.

To create a secure Data River, and to define the requirements that applications connecting to it must meet, you need a number of certificates, keys and configuration files. The Edge SDK securitycomposer tool uses these files to generate the documents needed to secure Edge Profile Builder, Edge Agent and Edge Docker Monitor.

You may also want to provide your own TLS certificate and key for the HTTPS interface (a certificate signed by a CA you control rather than the self-signed default). This is supported from Edge Profile Builder v4 onwards.

Generate the secure Data River configuration files

Refer to Secure Data River Configuration to create the files you need to secure Edge Profile Builder, Edge Agent and Edge Docker Monitor.

Add the files to the configuration directories

You must have Edge Profile Builder 4.0.0 installed. For information about how to install Edge Profile Builder, refer to one of the following:

You must have Edge Platform 1.0.0 installed on your target device(s). This includes Edge Agent 2.0.0 and Edge Docker Monitor 1.0.0. Refer to I want to install ADLINK Edge Platform on Ubuntu 18.04 and Jetpack.

Note: The Edge Platform implements user restrictions and permissions for its associated files and directories on target devices, however, it does not encrypt these files or those that are deployed to a device. It is therefore recommended that you encrypt a target device’s disks and/or volumes using, for example, LUKS. Consult your OS distribution’s documentation for how to do this.

Edge Profile Builder – Ubuntu

  1. Create a Data River security sub-directory for Edge Profile Builder.
sudo mkdir /etc/edge-profile-builder/secure-data-river
  2. Change to the directory that contains all of the secure Data River configuration files and copy them into the sub-directory you created in step 1. These files include private keys, so check afterwards that none of them is world-readable.
sudo cp ./* /etc/edge-profile-builder/secure-data-river/
  3. Update the runtime configuration to use the new secure Data River configuration. Open ‘/etc/edge-profile-builder/runtime.env’:
sudo nano /etc/edge-profile-builder/runtime.env

Modify the ‘ADLINK_DATARIVER_URI’ environment variable to the path for the new configuration files.

Note: The edge-profile-builder deb package’s configuration directory (`/etc/edge-profile-builder`) is bind-mounted inside the container at `/adlinkedge/config`, so absolute file paths (including file:// URIs) must replace `/etc/edge-profile-builder` with `/adlinkedge/config`, as below. A URI that uses the host path will not resolve inside the container.

The file should then look as follows, with the URI pointing at the newly created secure Data River configuration file in the secure-data-river sub-directory:

# Please note, when referencing file locations, the current directory ('/etc/edge-profile-builder') is bind-mounted to the edge-profile-builder Docker container (at location '/adlinkedge/config'), so any file references should use the '/adlinkedge/config/' prefix.
export ADLINK_DATARIVER_URI=file:///adlinkedge/config/secure-data-river/edge-profile-builder_datariver_config.xml
export LOG_LEVEL=INFO
export PORT=8082
  4. Restart the edge-profile-builder docker container:
docker restart edge-profile-builder

Edge Profile Builder – VirtualBox Virtual Machine (OVA distribution)

  1. Locate the IP address of the VM. Start the VM in normal mode, log in with the default username ‘root’ and password ‘root’, and run the following command to list the VM’s network interfaces:
ip -br a

Note the IP address of the network interface you will use to reach the VM from the host machine. In the example, ‘enp0s8’ has the address ‘192.168.0.74’; this is the address to use when copying the security files to the VM.

  2. Enable SSH root login on the VM. Open ‘/etc/ssh/sshd_config’:
nano /etc/ssh/sshd_config
  3. Locate the line ‘#PermitRootLogin prohibit-password’ (usually line 32), remove the ‘#’ and change the value to ‘yes’, so that the line reads as follows:
PermitRootLogin yes

Note: ‘PermitRootLogin yes’ allows password logins for root, and the VM ships with the password ‘root’, so anyone who can reach the VM over the network can log in while this setting is active. If security is a concern, install an SSH public key in ‘/root/.ssh/authorized_keys’ from the VM console instead and leave the default ‘prohibit-password’, which permits root login with a key only. At minimum, change the root password and re-disable password login (step 7) as soon as the files have been copied.

  4. Restart the SSH service with the following command:
systemctl restart ssh
  5. Create the secure Data River sub-directory for Edge Profile Builder:
mkdir -p /etc/edge-profile-builder/secure-data-river
  6. Copy the secure Data River configuration files onto the VM. From the working directory on the host machine where the configuration files are located, run the following command to SCP the files for Edge Profile Builder to the VM, replacing <VM IP address> with the IP address from step 1:
scp ./* root@<VM IP address>:/etc/edge-profile-builder/secure-data-river
  7. (Optional, but recommended) Disable SSH root password login on the VM again. Open ‘/etc/ssh/sshd_config’, locate the ‘PermitRootLogin yes’ line (usually line 32), add the ‘#’ back to the start of the line and restore the value ‘prohibit-password’, so that the line reads as follows:
#PermitRootLogin prohibit-password

Restart the SSH service:

systemctl restart ssh
  8. Update the Edge Profile Builder package configuration in the VM to use the new secure Data River configuration. Open ‘/etc/edge-profile-builder/runtime.sh’:
nano /etc/edge-profile-builder/runtime.sh

Modify the ‘ADLINK_DATARIVER_URI’ environment variable to the container-side path of the new configuration file (the same bind-mount rule as on Ubuntu applies); the file should look as follows:

# Please note, when referencing file locations, the current directory ('/etc/edge-profile-builder') is bind-mounted to the edge-profile-builder Docker container (at location '/adlinkedge/config'), so any file references should use the '/adlinkedge/config/' prefix.
export ADLINK_DATARIVER_URI=file:///adlinkedge/config/secure-data-river/edge-profile-builder_datariver_config.xml
export LOG_LEVEL=INFO
export PORT=8082
  9. Restart the edge-profile-builder docker container:
docker restart edge-profile-builder

Edge Agent

Note: You may wish to use SSH and SCP to connect to and configure the target device.

  1. Create a Data River security sub-directory for the Edge Agent on the target device.
sudo mkdir /etc/edge-agent/secure-data-river
  2. Change to the directory that contains all of the secure Data River configuration files and copy them into the sub-directory you created in step 1.
sudo cp ./* /etc/edge-agent/secure-data-river/
  3. Update the systemd service configuration to use the new secure Data River configuration. Open a drop-in override for the service (this creates /etc/systemd/system/edge-agent.service.d/override.conf):
sudo systemctl edit edge-agent

Paste in the following, adjusting the `ADLINK_DATARIVER_URI` path if you used a different location. Unlike Edge Profile Builder, the service reads this host path directly, so no /adlinkedge/config translation applies:

[Service]
Environment=ADLINK_DATARIVER_URI=file:///etc/edge-agent/secure-data-river/edge-agent_datariver_config.xml
  4. Reload systemd so the drop-in is picked up, then restart the edge-agent:
sudo systemctl daemon-reload
sudo systemctl restart edge-agent

Edge Docker Monitor

Note: You may wish to use SSH and SCP to connect to and configure the target device.

  1. Create a Data River security sub-directory for Edge Docker Monitor on the target device.
sudo mkdir /etc/edge-docker-monitor/secure-data-river
  2. Change to the directory that contains all of the secure Data River configuration files and copy them into the sub-directory you created in step 1.
sudo cp ./* /etc/edge-docker-monitor/secure-data-river/
  3. Update the systemd service configuration to use the new secure Data River configuration. Open a drop-in override for the service (this creates /etc/systemd/system/edge-docker-monitor.service.d/override.conf):
sudo systemctl edit edge-docker-monitor

Paste in the following, adjusting the `ADLINK_DATARIVER_URI` path if you used a different location. As with the Edge Agent, this is a host path with no container translation:

[Service]
Environment=ADLINK_DATARIVER_URI=file:///etc/edge-docker-monitor/secure-data-river/edge-docker-monitor_datariver_config.xml
  4. Reload systemd so the drop-in is picked up, then restart the edge-docker-monitor:
sudo systemctl daemon-reload
sudo systemctl restart edge-docker-monitor
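The procedure for Edge Profile Builder on Ubuntu (under Edge Profile Builder – Ubuntu above) and the two procedures for Edge Agent and Edge Docker Monitor share one shape: copy the securitycomposer output into a secure-data-river directory, point ADLINK_DATARIVER_URI at the XML file, restart. The following script is an added example, not ADLINK's tooling, that performs that sequence for any of the three components and adds the checks the manual steps leave to the reader: it refuses to continue if any copied file is world-readable (the set includes private keys), verifies that the referenced XML file actually exists, and translates the host path into the container-side /adlinkedge/config path for the Profile Builder case, which is the mistake the bind-mount note warns about. It assumes the deb layout (runtime.env, not the VM's runtime.sh), that the XML is named <component>_datariver_config.xml as in the steps above, and that the systemd units are called edge-agent and edge-docker-monitor; the ROOT variable, which redirects every write into a scratch tree for a dry run, is the example's own.

```shell
#!/bin/sh
# Added example (not ADLINK's tooling). Applies ADLINK_DATARIVER_URI for one
# component, with the checks the manual steps leave to the reader.
# Assumptions: deb layout for Edge Profile Builder (runtime.env), XML named
# <component>_datariver_config.xml, systemd units edge-agent / edge-docker-monitor.
# ROOT is this example's own dry-run knob: ROOT=/tmp/tree redirects every write there.
ROOT="${ROOT:-}"

# /etc/edge-profile-builder is bind-mounted into the container as /adlinkedge/config,
# so the URI the container reads must use the container-side path.
container_uri() {   # $1 = absolute host path under /etc/edge-profile-builder
    case "$1" in
        /etc/edge-profile-builder/*)
            printf 'file:///adlinkedge/config/%s\n' "${1#/etc/edge-profile-builder/}" ;;
        *)  printf 'not under /etc/edge-profile-builder: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Replace (or append) one `export KEY=value` line in an env file, idempotently,
# leaving the other settings (LOG_LEVEL, PORT, ...) untouched.
set_export() {   # $1 = env file, $2 = key, $3 = value
    if [ -f "$1" ] && grep -q "^export $2=" "$1"; then
        tmp=$(mktemp) || return 1
        sed "s|^export $2=.*|export $2=$3|" "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf 'export %s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Writes the same drop-in file that `systemctl edit <service>` creates interactively.
write_dropin() {   # $1 = service name, $2 = file:// URI
    d="$ROOT/etc/systemd/system/$1.service.d"
    mkdir -p "$d" && printf '[Service]\nEnvironment=ADLINK_DATARIVER_URI=%s\n' "$2" > "$d/override.conf"
}

# The securitycomposer output includes private keys: refuse to continue if any
# file in the directory is world-readable (offenders are listed on stderr).
check_private() {   # $1 = directory
    bad=$(find "$1" -type f -perm -004)
    [ -z "$bad" ] || { printf 'world-readable: %s\n' "$bad" >&2; return 1; }
}

# Full sequence for one component:
#   $1 = edge-profile-builder | edge-agent | edge-docker-monitor
#   $2 = directory holding the generated secure Data River files
configure() {
    dest="$ROOT/etc/$1/secure-data-river"
    mkdir -p "$dest" && cp -p "$2"/* "$dest"/ || return 1   # -p keeps the source modes
    check_private "$dest" || return 1
    xml="/etc/$1/secure-data-river/${1}_datariver_config.xml"
    [ -r "$ROOT$xml" ] || { printf 'missing %s\n' "$xml" >&2; return 1; }
    case "$1" in
        edge-profile-builder)
            uri=$(container_uri "$xml") || return 1
            set_export "$ROOT/etc/$1/runtime.env" ADLINK_DATARIVER_URI "$uri" || return 1
            [ -n "$ROOT" ] || docker restart edge-profile-builder ;;
        edge-agent|edge-docker-monitor)
            write_dropin "$1" "file://$xml" || return 1
            [ -n "$ROOT" ] || { systemctl daemon-reload && systemctl restart "$1"; } ;;
        *)  printf 'unknown component: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Real run (as root):  ./apply.sh edge-agent ./secure-data-river-files
# Dry run:             ROOT=/tmp/tree ./apply.sh edge-agent ./secure-data-river-files
if [ $# -eq 2 ]; then configure "$1" "$2"; fi
```

Run it once per component with the directory of generated files as the second argument; a dry run with ROOT set shows exactly which files and which override.conf or runtime.env lines would change before anything under /etc is touched. The world-readable check is deliberately a hard stop rather than a warning: a readable private key on a shared edge device defeats the point of the secure Data River.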

Custom SSL certificate and key for https

There are a number of ways to create self-signed certificates and keys; the following steps use Ubuntu 18.04 with OpenSSL installed. For Windows, refer to Microsoft support. When you deploy Edge Profile Builder in a server environment with a fixed domain name that you own, it may be possible to obtain a certificate from a publicly trusted CA (for example Let's Encrypt or Entrust Datacard); in that case the private CA created in step 1 is not needed and browsers trust the certificate without any extra configuration.

  1. Create a private Certificate Authority (CA). Its certificate must be added to each user’s browser by an administrator as a ‘trusted authority’ so that any certificate signed by the CA is trusted by the browser. Keep rootCA.key offline or tightly restricted: anyone holding it can issue certificates those browsers will trust for any name.

Create the rootCA’s private key:

openssl genrsa -out rootCA.key 2048

Create a self-signed certificate for the rootCA:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
  2. Create the edge-profile-builder private key and certificate signing request (CSR). The command prompts for the subject fields; set the Common Name (CN) to the server’s hostname. Browsers match the server name against the subjectAltName added in the next step, not against the CN, so the alt_names list must be correct.
openssl req -out edge-profile-builder.csr -newkey rsa:2048 -nodes -keyout edge-profile-builder.key
  3. Sign the CSR with the root CA. To supply the extensions for the signing step, use a text editor to write the following into a new file and save it as ‘edge-profile-builder.ext’. Modify the “alt_names” section to suit your deployment (providing the server’s domain name(s), IP address(es), or a combination of both); every name users will type into the browser’s address bar must appear here.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.28rbaulknetwork # The router's local domain name
DNS.2 = jon-latitude-5510.28rbaulknetwork # The fully qualified name of the server hosting the Edge Profile Builder instance
DNS.3 = jon-latitude-5510 # The bare hostname of the Edge Profile Builder server, for direct access
IP.1 = 192.168.1.127 # Optionally, an IP address (if the planned connection requires it)

Create the certificate from the certificate signing request and the extra configuration:

openssl x509 -req -in edge-profile-builder.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out edge-profile-builder.pem -days 825 -sha256 -extfile edge-profile-builder.ext
  4. Copy the server certificate and private key you created (edge-profile-builder.pem and edge-profile-builder.key) into the ‘/etc/edge-profile-builder/https’ directory on the Edge Profile Builder host machine. Keep the private key readable only by the account that runs Edge Profile Builder, and do not copy rootCA.key to the host at all.

Note: You may need to create the ‘https’ sub-directory if it does not already exist.

  5. Restart Edge Profile Builder:
docker restart edge-profile-builder
  6. Add rootCA.crt (the CA certificate, never rootCA.key) to the trusted authorities of each user’s web browser. For more information about how to do this, refer to the support for your web browser.
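The six steps above, as an added example script rather than ADLINK's own procedure, carried through with the checks that tell you the result is usable before you copy anything to the host: the chain verifies against the CA, the certificate carries the expected SAN entries, the private key matches the certificate, and hostname verification succeeds for the right name and fails for a wrong one. The hostname edge-profile-builder.example, the address 192.0.2.10 and the CA subject are assumptions; replace them with your own. The script differs from the page's commands in three deliberate ways: it passes its own minimal openssl config so it does not depend on the system openssl.cnf, it adds extendedKeyUsage = serverAuth to the extension file and narrows keyUsage to what a TLS server needs, and it creates every file under umask 077 so the private keys are never world-readable.

```shell
#!/bin/sh
# Added example (not ADLINK's procedure): private root CA, server key, CSR, signed
# certificate with SAN, then the checks that prove the result is usable.
# Assumed values: substitute your own names. Everything is written into the
# directory passed to make_pki, so the script can be re-run safely.
CA_SUBJECT="/CN=Edge Profile Builder Root CA"   # assumed CA name
SERVER_NAME="edge-profile-builder.example"       # assumed hostname users browse to
SERVER_IP="192.0.2.10"                           # assumed address (TEST-NET-1 documentation range)

make_pki() (   # $1 = output directory; runs in a subshell so cd/umask do not leak
    mkdir -p "$1" && cd "$1" || exit 1
    umask 077   # every file is created 0600: the private keys are never world-readable

    # Minimal openssl config so the commands do not depend on the system openssl.cnf.
    # -subj on the command line overrides the placeholder CN.
    cat > req.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Step 1: root CA key and self-signed CA certificate.
    openssl genrsa -out rootCA.key 2048 2>/dev/null || exit 1
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
        -config req.cnf -extensions v3_ca -subj "$CA_SUBJECT" -out rootCA.crt || exit 1

    # Step 2: server key and CSR. The CN is informational; browsers match the SAN.
    openssl req -new -newkey rsa:2048 -nodes -keyout edge-profile-builder.key \
        -config req.cnf -subj "/CN=$SERVER_NAME" -out edge-profile-builder.csr 2>/dev/null || exit 1

    # Step 3: extensions for the leaf certificate. extendedKeyUsage=serverAuth is an
    # addition to the page's file; keyUsage is narrowed to what a TLS server uses.
    cat > edge-profile-builder.ext <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $SERVER_NAME
IP.1 = $SERVER_IP
EOF

    # Step 3 (cont.): sign the CSR with the root CA, applying the extensions.
    openssl x509 -req -in edge-profile-builder.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -days 825 -sha256 -extfile edge-profile-builder.ext \
        -out edge-profile-builder.pem 2>/dev/null || exit 1
    chmod 0644 rootCA.crt edge-profile-builder.pem   # certificates are public; keys stay 0600
)

# Chain check: the server certificate must verify against the root CA.
verify_chain() {   # $1 = directory from make_pki
    openssl verify -CAfile "$1/rootCA.crt" "$1/edge-profile-builder.pem" >/dev/null 2>&1
}

# Name check, as a browser performs it: succeeds only for a name present in the SAN.
verify_hostname() {   # $1 = directory, $2 = hostname to check
    openssl verify -CAfile "$1/rootCA.crt" -verify_hostname "$2" \
        "$1/edge-profile-builder.pem" >/dev/null 2>&1
}

# Does the certificate carry a given SAN entry, e.g. "DNS:host" or "IP Address:1.2.3.4"?
has_san() {   # $1 = directory, $2 = entry text as printed by `openssl x509 -text`
    openssl x509 -in "$1/edge-profile-builder.pem" -noout -text | grep -q "$2"
}

# Key/certificate pairing: the public key inside the certificate must equal the
# public half of the private key you are about to deploy beside it.
key_matches_cert() {   # $1 = directory
    c=$(openssl x509 -in "$1/edge-profile-builder.pem" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1/edge-profile-builder.key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Typical use is `make_pki ./pki`, then the four checks against `./pki`; only `edge-profile-builder.pem` and `edge-profile-builder.key` go to the host's https directory and only `rootCA.crt` goes into browsers. The `verify_hostname` check with a wrong name is worth keeping in the workflow: a certificate that verifies for every name is the symptom of a wildcard or a missing SAN that has gone unnoticed.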