Managing security access on base stations on a ThingPark Enterprise SaaS platform
Authentication is the process that verifies that the base stations connecting to the ThingPark Enterprise platform are those that claim to access the platform. Thus, only authenticated base stations will be able to connect to the platform. This security measure prevents not authorized base station or any network element from malicious access.
On a ThingPark Enterprise SaaS platform, as of version 5.2.2, a base station is authenticated according to a private/public Key Authentication principle.
To learn more about security access on ThingPark Enterprise Saas, see Security architecture description in the private resources area. You must be logged in with your Customers & Partners account to access the private resources area.
Public-key cryptography, also known as asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes authentication function, where the Public Key verifies that a holder of the paired private key sent the message.
Once authenticated, the base station shall retrieve its security certificates (X.509-based) to establish a secure VPN tunnel towards the ThingPark Enterprise Cloud backend. This VPN tunnel is typically based on IPsec protocol, but TLS protocol is also supported as an alternative to IPsec.
The private/public key authentication is used when the base station contacts the Network Server for the first time. That allows a specific base station to retrieve its own X.509 certificate. The X.509 certificate is then used by the base station to establish the IPsec tunnel securing the link toward the Network Server of the ThingPark Enterprise SaaS platform.
IP filtering was used in previous ThingPark Enterprise versions instead of private/public key authentication. This new authentication scheme provides a stronger security and more flexibility as public IP of the base station is not needed to be static.
The workflow for a ThingPark Enterprise SaaS platform is as follows:
Reinforcing security Using Private/Public Keys on a ThingPark Enterprise SaaS platform
The Public Key authentication functionality must be enabled on the base stations that you want to provision on your ThingPark Enterprise platform. As of ThingPark Enterprise 5.2.2, all base stations are provided with this functionality.
There are two cases where you need to generate a private/public key pair to secure your ThingPark Enterprise SaaS platform:
When provisioning a new base station.
When activating the feature on an existing base station.
Case 1 - When provisioning a new base station
Step 1: Get the LRR UUID and the Public Key using the base station configuration tool called SUPLOG via SSH. Note that the LRR UUID is also available on the package of the base station.
Step 2: Activate the base station using the ThingPark Enterprise user interface.
To learn more, see the TP Enterprise BS Installation Guide corresponding to your base station model. This document is available by clicking Download the base station documentation from the base station's detailed view. A link to these documents is also available in Supported brands of base stations.
To learn more, see Provisioning the base station on ThingPark GUI.
Case 2 - When activating the feature on an existing base station
Prerequisites To activate the Public Key Authentication mode on an existing base station, the LRR software version should be at least 2.4.42 or higher. If not, upgrade the LRR software version.
Step 1: Activate the Public Key using SUPLOG via SSH.
Step 2: Add the new Public Key using the ThingPark Enterprise user interface.
The following table summarizes the cases where you need to activate Public Key Authentication on a base station on a ThingPark Enterprise SaaS platform.
|Tools/Actions per case||Provisioning a new base station||Activating the feature on an existing base station|
|SUPLOG||Get the LRR UUID (or from the package),Get the Public Key.||Activate the Public Key Authentication,Get a new Public KeyNOTE: This can also be done via the Remote Access which is accessible from the ThingPark Enterprise user interface.|
|ThingPark Enterprise user interface||Enter the values of the LRR UUID and the Public Key in the base station provisioning form to activate the base station||Enter the new Public Key.|
Activating the Public Key Authentication on a ThingPark Enterprise SaaS platform
As described in the preceding topic, secure access of the base station to ThingPark Enterprise backend relies on public/private key pairs. This topic guides you through the procedure to activate this feature on existing base stations.
Prerequisites To activate the Public Key Authentication mode on an existing base station, the LRR software version should be at least 2.4.42 or higher. If not, please upgrade the LRR software version.
Activating the Public Key using SUPLOG via SSH
Note You can retrieve the Public Key either using SUPLOG via SSH or using the remote access which is accessible from the ThingPark Enterprise user interface.
Select Base Stations.
On the List tab, select the updated base station for which you want to change the Public Key (001558-46584254C00014EF).
Select the Advanced tab, and go to REMOTE ACCESS.
In Remote access, click OPEN SESSION.
-> You are connected to SUPLOG.
In the main menu go to VPN Configuration.
Go to Key Installer Public Key authentication.
-> You are asked if you want to enable the Public Key Authentication.
Enter "x" and confirm your choice.
Generate the Public Key as explained in Provisioning the base station on ThingPark GUI.
Copy the new Public Key.
Adding the new Public Key Using the ThingPark Enterprise user interface
Select Base Stations.
On the List tab, select the base station for which you want to change the Public Key, for instance, My_Pico_BS.
Select the Advanced tab, and go to SECURITY.
The base station security information appears as follows:
In Public key, click MANAGE.
A similar screen displays:warning
You must use this command carefully as setting a wrong Public Key will disconnect the base station.
Enter the new Public Key that you retrieved from SUPLOG or the remote access.
-> A confirmation notification displays on your screen.
Note If the same Public Key is re-used, an error message displays on
-> You need to regenerate a new Public Key.