Security

Inventory Service supports TLS/SSL between itself and the plugin, regardless of transport. The scope of implementing SSL is beyond this document as plugin can be implemented in a variety of programming languages and use arbitrary libraries. We provide general guidelines only.

Inventory Service can work with self-signed SSL certificates, however in such case (as well if certificate could not be used by the Java 8 out of the box) you will have to provide us with the certificate file in .crt format. The certificate file must begin with

----BEGIN CERTIFICATE-----

followed by Base64-encoded certificate, followed by

----END CERTIFICATE-----

Inventory service is able to use TLS if the plugin supports it. For implementation guide, follow the advice on https://github.com/grpc/grpc-java/blob/master/SECURITY.md (or other page relevant to the other programming language you are using). If implementing in Java, you can check out the sample plugin (also see Using the sample plugin) which contains the necessary code required for TLS to work.

We are using version 2 of OkHttp library for making client-to-server connections. According to the specification, the following transport options are supported:

gRPC supports shared secret authentication, effectively disabling any unauthorized access from any external source. It works by configuring arbitrary secret phrase on the server (plugin) end and providing the same phrase on the client (Inventory Service) end. If the phrase does not match, none of the services would respond.

Shared secret feature can work with or without TLS.

Check out the sample plugin for how the shared secret should be implemented.

REST plugin offers the ability to configure shared secret in the form of basic access authentication. The authentication can work with or without TLS.