1.1 Secure Connectivity Framework
Thredd’s Secure Connectivity Framework is the combination of several components which enable secure access to Thredd’s resources, using a common identity store. The main components are:
Cloudentity
A Software as a Service (SaaS) capability which acts as the Identity Provider (IDP) for Thredd’s interfaces (including Thredd CA and Thredd Portal) and as an OAuth OpenID Provider (OP) for the registration and management of customer applications, generation and validation of access tokens, and for the enforcement of access control policies.
The following figure illustrates Cloudentity and its relationship with other components.
Figure 1: Secure Connectivity Framework Including Cloudentity, Thredd CA, and Various Thredd Services
Thredd CA
Thredd CA is Thredd’s Certificate Authority for setting up and managing certificates to connect to various services. The certificates include:
-
Transport Certificates — for establishing secure connections between resources.
-
Signing Certificates — for the creation of signed messages, used for authentication of clients, and non-repudiation and authentication of notifications.
The following table shows the certificates that are needed for each Thredd application.
|
Thredd Application |
Transport Certificate |
Signing Certificate |
Other Certificates |
Cloud Entity |
|---|---|---|---|---|
|
REST API |
√ |
√ |
n/a |
x |
|
SOAP API |
√ |
x |
n/a |
x |
|
External Host Interface (EHI) |
x (provided by Thredd) |
x |
Root and Issuing |
x |
|
Thredd Portal |
x (pre-installed) |
x |
n/a |
√ |
|
Smart Client |
x (pre-installed) |
x |
n/a |
x |
Additional details
|
Thredd Application |
Certificates Required |
|---|---|
|
REST API |
Transport Certificates and Signing Certificates |
|
SOAP |
Transport Certificates |
|
External Host Interface (EHI) |
Root and Issuing Certificates. These are used to verify Transport Certificates presented by Thredd. |
|
Thredd Portal |
Transport Certificates (pre-installed) |
|
Smart Client |
Transport Certificates (bundled in the installer) |
mTLS Termination
mTLS Termination requires on-premise infrastructure for establishing Trust Chains. Trust Chains, which are used to prove that a certificate originates from a legitimate source, are established when clients present Thredd-issued Transport Certificates for connecting to protected resources. This is used exclusively in EHI.