On the backend, the APS controller interacts with APS application instances activated inside APS application connectors. APS connectors are usually deployed on the APS PHP runtime although other frameworks are also possible.
When the APS controller requests an APS connector to create an APS application instance, it initiates one of the authentication protocols described in the Authentication section.
The default authentication of an APS application instance relies on two X.509 SSL certificates:
- APSC.crt is used by the application to validate incoming connections from the APS controller.
- App.crt is used by the application to identify itself when connecting to the APS controller.
An APS application connector usually integrates an original application with the platform through a single APS application instance. In rare cases, an APS application connector has several APS application instances; each instance then has its own configuration, including its own application certificate and private key.
As explained in the SSL Authentication of Application Instances section, when installing an APS application instance on an APS application connector, the APS controller generates the SSL certificate and the private key for that instance and then sends the following to the APS application connector:
As a prerequisite, an administrator must have a unique OAuth 1.0a key and secret pair that both the APS controller and the APS connector will share for authentication. The APS connector must support the OAuth 1.0a protocol.
When requesting the APS controller to create an APS application instance on an APS connector, the REST request must specify the aps.auth section with the shared OAuth key and secret, as in the following example:
POST /aps/2/applications/
{
  "aps": {
    "package": {
      "type": "http://event-mgmt.demo.apsdemo.org/vpscloud"
    },
    "endpoint": "https://endpoint.isv1.example.com:443/vpsclouds",
    "auth": {
      "oauth": {
        "key": "c4b3510e-a432-4e2c-940c-d151e05b68fg",
        "secret": "b57247b4-8174-420c-aa0f-1f7f863bb616"
      }
    }
  },
  ...
}
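The key and secret in aps.auth are what the APS controller uses to sign every request it sends to the connector, and what the connector must use to check those requests before acting on them. The following Python code is an added example, not code from this page or from the APS PHP framework. It shows both sides of the two-legged OAuth 1.0a exchange: the controller-side signing (HMAC-SHA1 over the RFC 5849 signature base string, no token, so the signing key is just the percent-encoded secret followed by "&") and the connector-side verification, which looks up the secret by consumer key, rejects stale timestamps, rejects a reused nonce, and compares signatures in constant time. The signature method HMAC-SHA1 is assumed (the page only says "OAuth-1.0"); the key, secret and endpoint URL are the ones from the example above, and the nonce and timestamp in the usage are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """Percent-encode as RFC 5849 section 3.6 requires (only unreserved characters kept)."""
    return quote(str(value), safe="")


def normalized_base_url(url):
    """Scheme, host and path only, lower-cased, with default ports dropped (RFC 5849 3.4.1.2)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and not ((scheme == "https" and port == 443) or (scheme == "http" and port == 80)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method, url, params):
    """METHOD & base-url & normalized(oauth params + query params), each part percent-encoded."""
    pairs = [(k, v) for k, v in params.items() if k not in ("oauth_signature", "realm")]
    pairs += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(normalized_base_url(url)), pct(normalized)])


def compute_signature(base_string, consumer_secret):
    # Two-legged OAuth: there is no token secret, so the HMAC key is "<secret>&".
    key = pct(consumer_secret).encode() + b"&"
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, nonce=None, timestamp=None):
    """Controller side: build the Authorization header for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = compute_signature(signature_base_string(method, url, oauth), consumer_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())


def parse_authorization(header):
    """Split 'OAuth k="v", k2="v2"' into a dict; ValueError if the scheme is not OAuth."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        params[unquote(key)] = unquote(value.strip().strip('"'))
    return params


class OAuthVerifier:
    """Connector side: accept a request only if it carries a fresh, unreplayed, valid signature."""

    def __init__(self, credentials, window=300):
        self.credentials = credentials   # consumer key -> shared secret (the aps.auth pair)
        self.window = window             # tolerated clock skew in seconds
        self.seen = {}                   # (key, nonce) -> timestamp, for replay detection

    def verify(self, method, url, header, now=None):
        now = int(time.time()) if now is None else now
        try:
            p = parse_authorization(header)
        except ValueError:
            return False
        key = p.get("oauth_consumer_key")
        secret = self.credentials.get(key)
        if secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False              # stale or future-dated: reject before any other work
        nonce = p.get("oauth_nonce", "")
        if (key, nonce) in self.seen:
            return False              # replayed request
        expected = compute_signature(signature_base_string(method, url, p), secret)
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            return False
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        self.seen[(key, nonce)] = ts  # remember the nonce only for accepted requests
        return True


if __name__ == "__main__":
    URL = "https://endpoint.isv1.example.com:443/vpsclouds"
    KEY = "c4b3510e-a432-4e2c-940c-d151e05b68fg"
    SECRET = "b57247b4-8174-420c-aa0f-1f7f863bb616"
    header = sign_request("POST", URL, KEY, SECRET)   # what the controller sends
    print(header)
    print(OAuthVerifier({KEY: SECRET}).verify("POST", URL, header))   # what the connector decides
```

Note that the base string is built from the request line the connector actually received, so any change of method, path or query string by a man in the middle invalidates the signature even though the transport may be plain HTTP; the nonce store is per process here and would need to be shared (for example in the connector's database) when the connector runs on several workers.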
The APS PHP framework provides SSL-based authentication for APS connectors.
If an APS connector is deployed over the APS PHP framework, all its APS application instances are physically represented by the config/ folder inside the folder where the APS application connector is deployed. For example, if an APS application connector is deployed in the /var/www/html/basic/ folder, an APS application instance is represented in the /var/www/html/basic/config/ folder with security files similar to the following:
# ls -l /var/www/html/basic/config/
total 16
-rw------- 1 apache apache 4227 Jun 7 09:46 a5b521c7-144d-47b6-b3c7-086e4dc30790
-rw------- 1 apache apache 1196 Jun 7 09:46 a5b521c7-144d-47b6-b3c7-086e4dc30790.apsc.pem
-rw------- 1 apache apache 2822 Jun 7 09:46 a5b521c7-144d-47b6-b3c7-086e4dc30790.pem
In the above list:
The file names are based on the UUID assigned to the APS application instance. If the provider installs another instance on the same APS application connector, three more files based on the new UUID and containing a newly generated private key and certificate will appear in the same folder.
If you use your own backend framework based on Java, Python, Node.js, or another programming language, pay attention to the authentication procedures and recommendations provided in the SSL Authentication of Application Instances section. On a custom framework, an APS application instance must meet at least the following authentication requirements:
For both of the above cases, the APS controller sends the same SSL certificate that the application instance has received during its installation.
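The per-instance file set shown in the config/ listing above is the same material a custom-framework connector has to manage: the APSC certificate to validate what the controller presents, and the instance's own certificate and key to identify itself. The following Python script is an added example, not code from this page, the APS PHP framework or any APS SDK. It audits a config/ folder laid out like the listing (groups files by instance UUID, flags any file that group or others can read, checks that each PEM file contains what its name promises, and reports stray files), and shows how the same two files become the two TLS contexts a custom-framework instance needs. Assumptions, labelled in the code as well: that <uuid>.pem holds both the instance certificate and its private key (the page says both are generated, but not which file holds the key), that the APSC certificate can be used directly as the trust anchor for the controller's connections, and that the sample directory is constructed with dummy PEM bodies, not real credentials.

```python
import os
import re
import ssl
import stat
import tempfile
from pathlib import Path

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# File set the APS PHP framework keeps per instance in config/:
#   <uuid>            instance configuration
#   <uuid>.apsc.pem   certificate of the APS controller (validates incoming connections)
#   <uuid>.pem        certificate of the instance; ASSUMED here to also hold its private key
SUFFIXES = ("", ".apsc.pem", ".pem")
OTHERS_BITS = stat.S_IRWXG | stat.S_IRWXO   # any group/other access to these files is a finding


def audit_config_dir(config_dir):
    """Return {uuid: [problem, ...]} for every instance found; an empty list means clean."""
    config_dir = Path(config_dir)
    names = {p.name for p in config_dir.iterdir() if p.is_file()}
    uuids = sorted(n for n in names if UUID_RE.match(n))
    findings = {}
    for uuid in uuids:
        problems = []
        for suffix in SUFFIXES:
            path = config_dir / (uuid + suffix)
            if path.name not in names:
                problems.append(f"missing {path.name}")
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & OTHERS_BITS:
                problems.append(f"{path.name} accessible by group/others (mode {mode:04o})")
            if suffix:  # the PEM files must at least contain what their names promise
                text = path.read_text()
                if "-----BEGIN CERTIFICATE-----" not in text:
                    problems.append(f"{path.name} has no certificate")
                if suffix == ".pem" and "PRIVATE KEY-----" not in text:
                    problems.append(f"{path.name} has no private key")
        findings[uuid] = problems
    strays = sorted(names - {u + s for u in uuids for s in SUFFIXES})
    if strays:
        findings["_unexpected"] = strays   # leftovers of a removed instance, backups, etc.
    return findings


def tls_contexts(config_dir, uuid):
    """Two TLS contexts for one instance on a custom framework, mirroring what the PHP
    framework does with APSC.crt and App.crt: one for accepting controller calls,
    one for calling the controller. Assumes the APSC cert is usable as a trust anchor."""
    apsc = str(Path(config_dir) / f"{uuid}.apsc.pem")
    own = str(Path(config_dir) / f"{uuid}.pem")
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.verify_mode = ssl.CERT_REQUIRED        # the caller must present a certificate...
    server.load_verify_locations(cafile=apsc)     # ...that validates against the APSC cert
    server.load_cert_chain(certfile=own)
    client = ssl.create_default_context(cafile=apsc)   # trust only the APSC cert when calling out
    client.load_cert_chain(certfile=own)               # and identify as this instance
    return server, client


def make_sample_config_dir():
    """Constructed sample layout for running the audit offline; dummy PEM bodies, not real keys."""
    root = Path(tempfile.mkdtemp())
    good = "a5b521c7-144d-47b6-b3c7-086e4dc30790"     # UUID from the listing on the page
    bad = "0f1e2d3c-4b5a-4697-8877-665544332211"      # constructed second instance
    cert = "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
    layouts = ((good, {"": "{}", ".apsc.pem": cert, ".pem": cert + key}),
               (bad, {"": "{}", ".apsc.pem": cert}))           # second instance lacks its .pem
    for uuid, files in layouts:
        for suffix, body in files.items():
            path = root / (uuid + suffix)
            path.write_text(body)
            os.chmod(path, 0o600)
    os.chmod(root / (bad + ".apsc.pem"), 0o644)   # world-readable by mistake
    (root / "old.pem.bak").write_text(cert)        # stray file left behind
    return root


if __name__ == "__main__":
    for instance, problems in audit_config_dir(make_sample_config_dir()).items():
        print(instance, problems or "ok")
```

Run the audit from a deployment check or a cron job as the web-server user; anything other than an empty list for an instance means its credentials are either incomplete or exposed to other local users, which is the T1/T2 credential-leak scenario discussed later on this page.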
When developing an APS application connector, pay attention to the following security measures on the server side.
When an application method requests a list of resources, it can get all resources in all subscriptions, although the method typically needs the resources of one specific subscription only. To restrict the application's access to the resources of a specific account, the recommended way is for the application to impersonate that account, as explained in Security Context.
The impersonation model requires an application to specify the required level of impersonation in the security.json file:
- provider level means unlimited impersonation. It is the default for applications that are not aware of this mechanism and thus do not contain the security.json file in the APS package. This level allows the application to impersonate any account.
- reseller level allows the application to impersonate any reseller and any customer.
- customer level allows the application to impersonate any customer.
When installing an APS application instance, the provider sees the required impersonation level and must either accept it or reject the installation. After deployment, the platform allows the application to impersonate accounts in accordance with the accepted request.
If none of the above levels is requested, the platform does not allow the application to impersonate any account; this is the none impersonation level.
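The three rules above (a missing security.json means provider level, each level covers the account types of the levels below it, and an instance may only impersonate within the level the provider accepted) are easy to get wrong in a connector that does its own filtering. The following Python code is an added example, not code from this page or from the APS platform, and it models those rules end to end: reading the requested level from a package, the provider's install-time accept/reject decision, the per-request check, and a connector-side resource listing that impersonates the account instead of fetching everything. The key name "impersonation" inside security.json, the provider's accept-up-to policy, and the resource and account records are assumptions made for the example.

```python
import json

# Least to most privileged; each level includes the targets of the levels below it.
LEVELS = ("none", "customer", "reseller", "provider")
TARGETS = {
    "none": frozenset(),
    "customer": frozenset({"customer"}),
    "reseller": frozenset({"reseller", "customer"}),
    "provider": frozenset({"provider", "reseller", "customer"}),
}


def requested_level(package_files):
    """Level an APS package asks for. package_files maps file names inside the package
    to their text; the key "impersonation" inside security.json is an assumed schema."""
    raw = package_files.get("security.json")
    if raw is None:
        return "provider"        # legacy package unaware of the mechanism: unlimited
    level = json.loads(raw).get("impersonation", "none")
    if level not in LEVELS:
        raise ValueError(f"unknown impersonation level {level!r}")
    return level


def install_decision(level, provider_max_level):
    """Install-time gate. The provider must accept the requested level or reject the
    installation; here the provider's policy is 'accept anything up to provider_max_level'."""
    return LEVELS.index(level) <= LEVELS.index(provider_max_level)


def can_impersonate(accepted_level, target_account_type):
    """Runtime check applied to every impersonation attempt after deployment."""
    return target_account_type in TARGETS[accepted_level]


def resources_visible_to(accepted_level, account, all_resources):
    """Connector-side listing: return only the account's resources (what impersonating it
    yields) and refuse outright when the accepted level does not cover that account type.
    all_resources is a constructed list of {"owner": account_id, ...} records."""
    if not can_impersonate(accepted_level, account["type"]):
        raise PermissionError(f"{accepted_level} level cannot impersonate a {account['type']}")
    return [r for r in all_resources if r["owner"] == account["id"]]


if __name__ == "__main__":
    package = {"security.json": '{"impersonation": "customer"}'}   # constructed package
    level = requested_level(package)
    print("requested:", level, "accepted by provider:", install_decision(level, "reseller"))
    inventory = [{"owner": "acc-1", "name": "vps-a"}, {"owner": "acc-2", "name": "vps-b"}]
    print(resources_visible_to(level, {"id": "acc-1", "type": "customer"}, inventory))
```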
Typically, an APS connector has the following sensitive assets:
Accordingly, the probable threats are marked on the following diagram and listed in the table.
Location on the diagram | Threat | Impact |
---|---|---|
T1 | Leaking the application credentials | An adversary may access the original cloud application on behalf of the provider. |
T2 | Leaking the platform credentials | An adversary may access the platform on behalf of the application. |
T3 | APSC credentials spoofing | An adversary may access the original service API on behalf of the platform. |
T4 | Application API spoofing | An adversary may mount a MITM (man in the middle) attack against the APS connector causing information disclosure and tampering over the communication channel between the APS connector and the original API. |
T5 | Leaking of sensitive data from the APS connector storage | An adversary gets access to PII or other sensitive data and may blackmail the provider or use this data in other malicious ways. |
T6 | Insufficient authorization in APS connector API | An adversary may access APS connector resources without proper authorization. |
T7 | Other common threats for the web-application backend | Depends on the threat. |
T1. Leaking the application credentials
Impact:
An adversary may access the original cloud application on behalf of the provider.
Mitigations:
encrypted attribute.
T2. Leaking the platform credentials
Impact:
An adversary may access the platform on behalf of the application.
Mitigations:
T3. APSC credentials spoofing
Impact:
An adversary may access the application API on behalf of the platform.
Mitigations:
T4. Application API spoofing
Impact:
An adversary may mount a MITM attack against the APS connector, causing information disclosure and tampering over the communication channel between the APS connector and the original service API.
Mitigations:
T5. Leaking of sensitive data from the APS connector storage
Impact:
An adversary gets access to PII or other sensitive data and may blackmail the provider or use this data in other malicious ways.
Mitigations:
encrypted attributes when storing secret data in the APS controller database.
T6. Insufficient authorization in APS connector API
Impact:
An adversary may access the APS connector resources without proper authorization.
Mitigations:
In addition to the APS-specific threats above, consider the common web application and REST backend security threats when developing APS connectors.
Probable threats include, but are not limited to:
Mitigations: