Secure Installation

General Description

The Secure Installation component provides the means to securely install applications on the ZDMP platform. It acts on behalf of the user when they request the installation of a zApp through the ZDMP Marketplace (the trustworthy Marketplace developed for hosting zApps). It securely downloads the zApp from the Marketplace, together with the policies the zApp is requesting (eg access to databases). A zApp is not installed in the ZDMP platform unless it passes the review of the IT administrator. Using the Security Command Centre UI, the IT administrator can accept or reject the policies a given zApp is requesting. Once the policies are approved, the IT administrator can install the zApp (deploying it into the Application Runtime). Additionally, through the Security Command Centre UI the IT administrator can install a Certificate Authority (CA), as well as issue a client certificate for any of the installed CAs.

Resource | Location
Source Code | Link
X Open API Spec | Link
Video | Link
Documentation | Link
Marketplace | Link

The date of generation of this component content is: 6 May 2021

Screenshots

The following images are illustrative screenshots of the component:

Figure 41: Secure installation overview

Component Author(s)

Company Name | ZDMP Acronym | Website | Logo
IKERLAN | IKER | www.ikerlan.es |

Commercial Information

Resource | Location
IPR Link | Link

Architecture Diagram

The following diagram shows the position of this component in the ZDMP architecture

Figure 42: Position of Component in ZDMP Architecture

Benefits

  • Configure and review zApp permissions before the zApps are installed on the ZDMP platform, so that they can access only the components that are essential. This enforces the least privilege policy and avoids unwanted access

  • Deploy zApps to the ZDMP platform semi-automatically, to save time and effort

Features

The features to achieve the functionality of this component are itemised below and explained thereafter:

  • Security Command Centre

  • Installation Broker

Security Command Centre

The Security Command Centre is the main subcomponent of the security component architecture. It provides the following features:

  • Security policies creation: Security policies can be created/reviewed in this GUI. This process is conducted each time that a new zApp is approved for installation so that its access permissions are well established

  • User policies creation: Security administrators can register and edit roles for users and zApps that permit access to ZDMP resources (eg to the storage component) in this GUI

  • Security certificates control: New root certificates can be installed and user certificates can be revoked here. These actions are critical to keep the ZDMP platform secure and can be triggered manually by a security administrator

Installation Broker

The Installation Broker Service is the module that supports the Security Command Centre in the downloading and installation of a new zApp. It provides the following features:

  • ZApps installation: Users request the installation of the zApp package through the Security Command Centre UI. Then, the user must accept all the policies specified by the zApp request and the installation to the application-runtime environment is processed

  • ZApps verification: The Installation Broker Service conducts the security checks, such as the manifest signature verification, on the downloaded zApp package

  • ZApp permissions creation: When the security checks are successful, the Installation Broker Service requests the Security Command Centre to create relationships between the user, the zApp and the required permissions

  • Multitenancy: The component at hand is able to store and manage data from different organizations (tenants)
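
The order of checks listed above (verify the downloaded package, require approval of every requested policy, then create the user, zApp and permission relationships per tenant) is shown below as an added example; it is not the component's own code. The manifest fields, status names and policy strings are hypothetical, and HMAC-SHA256 stands in for the manifest signature scheme, which this page does not specify.

```python
import hashlib
import hmac
import json

# Constructed demo key. The page does not name the signature scheme, so
# HMAC-SHA256 stands in for the real manifest signature check.
MARKETPLACE_KEY = b"constructed-demo-key"

# Constructed sample manifest; field names and policy strings are hypothetical.
SAMPLE_MANIFEST = {
    "name": "demo-zapp",
    "version": "1.0.0",
    "policies": ["database:read", "storage:read"],
}


def sign_manifest(manifest):
    """Sign the canonical JSON encoding so key order cannot change the tag."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hmac.new(MARKETPLACE_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def review_install(manifest, signature, approved, tenant, user):
    """Return (status, grants); any failed check yields no grants."""
    # 1. Verify the package before acting on anything it requests.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return "REJECTED_SIGNATURE", []
    # 2. Every requested policy needs an explicit administrator approval.
    requested = set(manifest["policies"])
    if requested - set(approved):
        return "PENDING_REVIEW", []
    # 3. Grant exactly what was requested, scoped to tenant and user.
    #    Approvals the zApp never asked for are ignored.
    grants = [(tenant, user, manifest["name"], p) for p in sorted(requested)]
    return "APPROVED", grants


if __name__ == "__main__":
    sig = sign_manifest(SAMPLE_MANIFEST)
    print(review_install(SAMPLE_MANIFEST, sig, {"database:read"}, "tenant-a", "alice"))
    print(review_install(SAMPLE_MANIFEST, sig, {"database:read", "storage:read"},
                         "tenant-a", "alice"))
```

A manifest altered after signing, for example to request an extra policy, fails the first check, so the administrator is never asked to approve policies from an unverified package.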

System Requirements

Minimal requirements needed:

  • Computer with Docker Engine installed (tested in v19.03.8, on Windows)

  • The average resources needed to run this component are: 2 CPUs, 2GB memory and 10GB free space on disk

Installation

The installation of this component is performed using the Rancher UI:

  1. Find the appropriate helm chart in the configured catalog. The chart name is zdmp-secure-authentication

  2. Select the latest template version of the chart (at the time of writing, v3.0.0)

  3. Provide your own credentials used to fetch the catalog (ie use HCE Gitlab credentials)

  4. Pay special attention to the domain variable. If deploying in the reference platform, use platform.zdmp.eu; for miniZDMP use zdmp.home. Also configure the storage type accordingly: for the reference platform use NFS and for miniZDMP use hostPath

  5. Obtain the current Rancher catalog ID and project ID from the URL. For the API Key, go to the appropriate tab in Rancher and generate a new key. Finally, provide https://product-license-manager-zdmp.platform.zdmp.eu/ for the PLM URL field

  6. Launch the deployment and get the ingress URL from Rancher

How to use

The insights on how to use this component are itemised below and explained thereafter:

  • Access to the Security Command Centre UI

  • Retrieving zApp Installation Requests

  • Creating zApp Installation Requests

  • Reviewing and deploying a zApp to the Application Runtime

Access to the Security Command Centre UI

Once the subsystems are launched, the Security Command Centre UI can be accessed at http://localhost:3000 if you are using a local version of the component, or at https://security-command-center-zdmp.platform.zdmp.eu/ if you are using the Cloud version.

The browser renders the following login page:

The Dash Button component manages the authentication process. Once completed, the user gets redirected back to the Security Command Centre UI.

Note: The logged-in user should have the ZDMP_IT_Security_Commander role; otherwise they are not allowed to interact with the system.

Figure 43: Security command centre UI – zApp Install Requests

Retrieving zApp installation requests

Once logged in, the zApp installation requests list can be viewed by clicking on the left menu “zApp Install Requests”.

Here the IT administrator can view the zApps already installed and the ones that are available to be installed.

To launch the installation process, the user simply clicks the “Deploy to App Runtime” button and follows the instructions in the Deploying a zApp to the Application Runtime section below.

If the left arrow of an installed zApp is clicked, a new panel is displayed with the list of URLs associated with that zApp. The number of displayed URLs depends on each zApp and how it was developed (zApp developers decide which subcomponents will have a URL, and at least one is expected per zApp). If no URLs are shown, please refresh the page after a couple of minutes. If after some time there are still no URLs listed, contact ZDMP.

Deploying a zApp to the Application Runtime

zApps in the PARSED_MANIFEST status require one last step to actually deploy them to the Application Runtime component. Each zApp has some configurable parameters defined by the zApp developer, but the platform cannot infer those values, so the user must specify them manually.

Clicking the “Deploy to App Runtime” button displays a new modal window with this configuration form:

Some fields will have a default value set, but others will not. If you do not know how to complete the form, please contact the zApp developer as this form is dynamically generated based on some parameters defined by the developer.

Once the form is completed, click the “Deploy” button; your zApp should change to the DEPLOY_SUCESS status. See the Retrieving zApp installation requests section for more details on how to obtain the URLs for accessing the zApp.

Last modified October 26, 2023