edgexfoundry / device-rest-go

Owner: Device WG
Apache License 2.0

No support for certificate based secure communication #328

Open sudhamani-hcl opened 1 year ago

sudhamani-hcl commented 1 year ago

🚀 Feature Request

### Relevant Package [**REQUIRED**]

This feature request is for certificate based secure communication.

### Description [**REQUIRED**]

There is no support for certificate based secure client and server in the current version 3 of device-rest service.

### Describe the solution you'd like

No. It would be good if someone implements this feature.

### Describe alternatives you've considered

No
lenny-goodell commented 1 year ago

@sudhamani-hcl , please describe the solution you would like with details such as whether SSL is only needed for the command requests to the device, or also for async data push from the device.

sudhamani-hcl commented 1 year ago

Hi @lenny-intel,

The requirement is:

  1. Device service should get secrets (certificates, private key) from the secret store.
  2. Device service should use SSL based security for command requests to end device as well as async data push from end device also.

Thanks, Sudhamani.

lenny-goodell commented 1 year ago

@sudhamani-hcl , SSL command requests to end device should work today, i.e. no special cert is needed if using standard CA certs from the base Alpine image (Docker) or system (Snap).

Allowing SSL from device to device service is what will need to be added and it should be on a separate port from the standard Device Service APIs which are called from the other local EdgeX Services.

cloudxxx8 commented 1 year ago

@sudhamani-hcl you can leverage the SDK service to get the secret provider to retrieve credentials from the secret store: https://github.com/edgexfoundry/device-sdk-go/blob/5a7d05295c20c4306666c126d05bdc304538796c/pkg/service/service.go#L179

sudhamani-hcl commented 1 year ago

> @sudhamani-hcl , SSL command requests to end device should work today, i.e. no special cert is needed if using standard CA certs from the base Alpine image (Docker) or system (Snap).

Thanks @lenny-intel for the input. However, I have the query below. Do we not need a client certificate to communicate with end devices? If a client certificate is needed, then where is it obtained from in the current solution? Thanks in advance.

sudhamani-hcl commented 1 year ago

> @sudhamani-hcl you can leverage the SDK service to get the secret provider to retrieve credentials from the secret store: https://github.com/edgexfoundry/device-sdk-go/blob/5a7d05295c20c4306666c126d05bdc304538796c/pkg/service/service.go#L179

Thank you @cloudxxx8 for the response. Does this include certificate retrieval also? We have the requirement to store client certificate and retrieve it back from the secret store to establish SSL communication with the end device. Please let us know any inputs regarding this.

lenny-goodell commented 1 year ago

> Does this include certificate retrieval also?

Yes, see docs here: https://docs.edgexfoundry.org/3.0/microservices/device/sdk/SDK-Go-API/#secretprovider https://docs.edgexfoundry.org/3.0/security/Ch-SecretProviderApi/#getsecret
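The two pieces discussed in this thread, a client certificate for SSL command requests to the end device and a separate mTLS listener for async pushes from devices, can both be built from one secret-store entry. The following is an added example, not code from device-rest-go or device-sdk-go: it assumes the secret provider's `GetSecret` hands back a `map[string]string`, and the key names `cert`, `key` and `cacert` inside that map are an assumption, not an SDK convention. The certificate used here is generated in-process purely so the example runs offline; a deployment would load the map from the secret store instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Key names inside one secret-store entry; an assumption for this example, not an SDK convention.
const keyCert, keyKey, keyCACert = "cert", "key", "cacert"

// tlsConfigs builds both sides from one secret map: the client config for command requests
// to a device (verify the device against the stored CA, present our own certificate) and the
// server config for the separate push listener, which rejects devices without a CA-signed
// client certificate at the handshake.
func tlsConfigs(secret map[string]string) (client, server *tls.Config, err error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(secret[keyCACert])) {
		return nil, nil, errors.New("secret has no valid PEM CA certificate")
	}
	cert, err := tls.X509KeyPair([]byte(secret[keyCert]), []byte(secret[keyKey]))
	if err != nil {
		return nil, nil, fmt.Errorf("cert/key in secret: %w", err)
	}
	client = &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, Certificates: []tls.Certificate{cert}}
	server = &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: pool, Certificates: []tls.Certificate{cert}}
	return client, server, nil
}

// constructedSecret generates a throwaway self-signed certificate that acts as both CA and
// leaf, only so the example is self-contained. It stands in for what GetSecret would return.
func constructedSecret() (map[string]string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-device-rest"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	certPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM := string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return map[string]string{keyCert: certPEM, keyKey: keyPEM, keyCACert: certPEM}, nil
}

// pushStatus starts the mTLS push listener on its own port and returns the HTTP status a
// device gets when pushing with (withCert=true) or without a client certificate.
func pushStatus(secret map[string]string, withCert bool) (int, error) {
	cliCfg, srvCfg, err := tlsConfigs(secret)
	if err != nil {
		return 0, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = srvCfg
	srv.StartTLS()
	defer srv.Close()
	if !withCert {
		cliCfg.Certificates = nil // a device that was never issued a certificate
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cliCfg}}
	resp, err := client.Get(srv.URL + "/push")
	if err != nil {
		return 0, err // handshake rejected: no HTTP response at all
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	secret, err := constructedSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println(pushStatus(secret, true))  // 200 <nil>
	fmt.Println(pushStatus(secret, false)) // 0 and a TLS handshake error
}
```

The push listener is kept on its own `tls.Config` so it can be bound to a separate port from the standard device service APIs, as described above; the local EdgeX services keep calling the existing port unchanged. A device that cannot present a certificate chained to the stored CA never reaches the HTTP handler, so there is nothing to validate at the application layer for unauthenticated pushes.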

lindseysimple commented 9 months ago

Hi @sudhamani-hcl , just wondering whether you have any plan or bandwidth to implement this issue and https://github.com/edgexfoundry/device-mqtt-go/issues/616 in the next Odessa 3.2 release? Thanks.

sudhamani-hcl commented 9 months ago

Hi @lindseysimple ,

Please note that we wanted it for one of our needs and we went ahead without security. And please understand that currently we do not have bandwidth to implement this.

Thanks, Sudhamani