Command Bus Security

The command bus that carries commands from the Controller to the Agents/Workers can be protected against forged or injected commands by having the Controller cryptographically sign every command and the Agents/Workers verify that signature before acting on it. Without signing, anyone able to publish on the transport can issue commands to the Agents/Workers.

Command signing

Commands can be signed using ECDSA cryptographic signatures. The operator is responsible for distributing the keys securely to the Tawon components: the private key must only reach the Controller, while the Agents/Workers need only the public key.

tawonctl offers utilities to generate the ECDSA key pair used to sign and verify Commands. The examples below use the tawonctl utilities, but you can generate the key pair with any method you prefer, as long as the result is an ECDSA key pair in PEM form.

tawonctl utils ecdsa strings

You can generate new random keys with:

tawonctl utils ecdsa strings

This prints the base64-encoded PEM private and public keys together with the flags they belong to, ready to be added to the respective tawon commands. For example (keys shortened here):

Private key (Controller):

--cmd.bus.priv.pem LS0tLS1CRUdJTiBFQyBQ...

Public key (Agent/Worker):

--cmd.bus.pub.pem LS0tLS1CRUdJTiBQVUJMS...

tawonctl utils ecdsa files

You may also generate PEM files for your private and public keys and pass those to the Controller and Agents/Workers:

tawonctl utils ecdsa files

By default this creates priv.pem and pub.pem in the current directory (add --help to see how to change the exported file names).

You can then pass these files as arguments to the Controller:

--cmd.bus.priv.file priv.pem

…​and Agents/Workers:

--cmd.bus.pub.file pub.pem

Command expiration

If command signing is enabled, Commands are valid for 30s by default, after which the Agents/Workers consider them expired. Each Agent/Worker compares the Command's timestamp against its own clock and rejects the Command if it is older than the expire duration. This bounds the window in which a captured, validly signed Command can be replayed.

The duration can be changed with the --cmd.bus.expire flag. (e.g. --cmd.bus.expire 10m)

This expiration is only checked if signing is enabled (see above).
If the clocks on your machines are not reasonably in sync, or the transport can delay commands, you can raise the expiration to an arbitrarily high value (e.g. --cmd.bus.expire 100000h). Keep in mind that a very long expiration also extends the window in which a captured signed Command can be replayed, so prefer keeping clocks synchronised (e.g. with NTP) and the expiration short.
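The following is an added, stand-alone Go example of the scheme the two sections above describe; it is not Tawon's own code. It generates a P-256 key pair and renders it as base64 PEM strings in the same shape as the tawonctl utils ecdsa strings output shown above, signs a command on the Controller side, and verifies signature and expiration on the Agent/Worker side. The Command field names, the digest layout, and the rejection of future-dated commands are assumptions of this example, not Tawon's wire format or behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// Command is a constructed stand-in for a Tawon command (assumed layout).
type Command struct {
	ID        string
	Payload   string
	Timestamp time.Time
	Signature []byte // ASN.1 DER ECDSA signature over digest()
}

var (
	ErrBadSignature = errors.New("command: invalid signature")
	ErrExpired      = errors.New("command: expired")
)

// digest covers the timestamp too, so an old signed payload cannot be re-stamped and replayed.
func (c *Command) digest() []byte {
	h := sha256.New()
	for _, part := range []string{c.ID, c.Payload, c.Timestamp.UTC().Format(time.RFC3339Nano)} {
		fmt.Fprintf(h, "%d:%s", len(part), part) // length-prefixed fields
	}
	return h.Sum(nil)
}

// Sign is the Controller side: stamp the command, then sign its digest.
func Sign(priv *ecdsa.PrivateKey, c *Command, now time.Time) error {
	c.Timestamp = now
	sig, err := ecdsa.SignASN1(rand.Reader, priv, c.digest())
	if err != nil {
		return err
	}
	c.Signature = sig
	return nil
}

// Verify is the Agent/Worker side: signature first, then age against expire (future-dated rejected too).
func Verify(pub *ecdsa.PublicKey, c *Command, now time.Time, expire time.Duration) error {
	if !ecdsa.VerifyASN1(pub, c.digest(), c.Signature) {
		return ErrBadSignature
	}
	if age := now.Sub(c.Timestamp); age > expire || age < -expire {
		return ErrExpired
	}
	return nil
}

// GenerateKeyPair makes a P-256 key pair and renders it like the documented
// tawonctl output: base64 of an "EC PRIVATE KEY" PEM and of a "PUBLIC KEY" PEM.
func GenerateKeyPair() (priv *ecdsa.PrivateKey, privB64, pubB64 string, err error) {
	if priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, "", "", err
	}
	privDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, "", "", err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, "", "", err
	}
	privPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: privDER})
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return priv, base64.StdEncoding.EncodeToString(privPEM), base64.StdEncoding.EncodeToString(pubPEM), nil
}

// ParsePublicKey is what an Agent/Worker would do with a --cmd.bus.pub.pem value.
func ParsePublicKey(pubB64 string) (*ecdsa.PublicKey, error) {
	raw, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("not a PUBLIC KEY PEM block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not ECDSA")
	}
	return pub, nil
}
```

The base64 strings produced by GenerateKeyPair start with the same prefixes as the shortened keys shown above (LS0tLS1CRUdJTiBFQyBQ… decodes to "-----BEGIN EC P…", LS0tLS1CRUdJTiBQVUJMS… to "-----BEGIN PUBL…"). The important design point is that the timestamp is part of the signed data: if only the payload were signed, an attacker on the bus could refresh the timestamp of a captured command and defeat the expiration check.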

NATS Security

NATS is the default transport for commands. It offers encryption and client authentication through TLS. Set the root CA that the Tawon components use to verify the NATS server certificate with --cmd.bus.msg.nats.tls.root (a path to a PEM file is expected), and set the client TLS authentication key pair (mutual TLS) with --cmd.bus.msg.nats.tls.key and --cmd.bus.msg.nats.tls.cert.

You can also use username and password authentication with --cmd.bus.msg.nats.authuser and --cmd.bus.msg.nats.authpass. Transport security (TLS and NATS authentication) protects the connection to the NATS server; it does not replace command signing, which is what lets the Agents/Workers confirm that a Command actually originated from the Controller.