
Cancelled Event: EdgeX Security WG Meeting (Weekly) - Wednesday, 20 March 2019 #cal-cancelled

EdgeX-TSC-Security@lists.edgexfoundry.org Calendar <EdgeX-TSC-Security@...>
 

Cancelled: EdgeX Security WG Meeting (Weekly)

This event has been cancelled.

When:
Wednesday, 20 March 2019
8:00am to 9:00am
(GMT-07:00) America/Los Angeles

Where:
https://zoom.us/j/576218946

Organizer:
EdgeX-TSC-Security@...

Description:
EdgeX Security WG Meeting. Meeting content posted to Security WG Wiki.
Meeting Lead: David Ferriera, Security WG Chair, david.ferriera@...
-----
Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
    Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
    +1 855 880 1246 (US Toll Free)
    +1 877 369 0926 (US Toll Free)
    Meeting ID: 576 218 946
    International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx


last minute meeting cancel - with apologies

White2, James
 

All,

Our Security WG meeting for today has been cancelled.  Unfortunately, David F who was going to present his roadmap ideas is in a location where he is unable to connect.  We’ll reschedule David’s talk in the near future.

 

Next week, we’ll be looking at some early designs around storing secrets in Vault.  Again, apologies for the late notice.

Jim


EdgeX Security WG Meeting (Weekly) - Wed, 03/06/2019 8:00am-9:00am #cal-reminder

EdgeX-TSC-Security@lists.edgexfoundry.org Calendar <EdgeX-TSC-Security@...>
 

Reminder:
EdgeX Security WG Meeting (Weekly)

When:
Wednesday, 6 March 2019
8:00am to 9:00am
(GMT-08:00) America/Los Angeles

Where:
https://zoom.us/j/576218946

Organizer:
EdgeX-TSC-Security@...

Description:
EdgeX Security WG Meeting. Meeting content posted to Security WG Wiki.
Meeting Lead: David Ferriera, Security WG Chair, david.ferriera@...
-----
Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
    Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
    +1 855 880 1246 (US Toll Free)
    +1 877 369 0926 (US Toll Free)
    Meeting ID: 576 218 946
    International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx



EdgeX Security WG Meeting (Weekly) - Wed, 02/20/2019 8:00am-9:00am #cal-reminder

EdgeX-TSC-Security@lists.edgexfoundry.org Calendar <EdgeX-TSC-Security@...>
 

Reminder:
EdgeX Security WG Meeting (Weekly)

When:
Wednesday, 20 February 2019
8:00am to 9:00am
(GMT-08:00) America/Los Angeles

Where:
https://zoom.us/j/576218946

Organizer:
EdgeX-TSC-Security@...

Description:
EdgeX Security WG Meeting. Meeting content posted to Security WG Wiki.
Meeting Lead: David Ferriera, Security WG Chair, david.ferriera@...
-----
Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
    Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
    +1 855 880 1246 (US Toll Free)
    +1 877 369 0926 (US Toll Free)
    Meeting ID: 576 218 946
    International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx



EdgeX Security WG Meeting (Weekly) - Wed, 01/30/2019 8:00am-9:00am #cal-reminder

EdgeX-TSC-Security@lists.edgexfoundry.org Calendar <EdgeX-TSC-Security@...>
 

Reminder:
EdgeX Security WG Meeting (Weekly)

When:
Wednesday, 30 January 2019
8:00am to 9:00am
(GMT-08:00) America/Los Angeles

Where:
https://zoom.us/j/576218946

Organizer:
EdgeX-TSC-Security@...

Description:
EdgeX Security WG Meeting. Meeting content posted to Security WG Wiki.
Meeting Lead: David Ferriera, Security WG Chair, david.ferriera@...
-----
Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
    Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
    +1 855 880 1246 (US Toll Free)
    +1 877 369 0926 (US Toll Free)
    Meeting ID: 576 218 946
    International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx



Abstract Registry proposal presentation

Goodell, Leonard <leonard.goodell@...>
 

 

All,

  Attached is the Abstract Registry proposal I presented in last week’s Core WG meeting.  

 

A few of us met on Monday to discuss Vault and how retrieving secrets could be included in this abstraction. Here are my notes from that meeting. We will continue this discussion in this week's Core WG meeting.

 

Thanks!

   Lenny Goodell - Intel

 

-----------------------

Notes:

 

  • Vault
    • 3rd party app also from HashiCorp
    • Tightly coupled to Consul
    • Uses Consul features
      • Fail over
      • Clustering
    • We can’t insert an abstraction layer between 3rd party apps (Vault) and Consul.

 

  • What about abstracting use of Vault for getting values that are stored as secrets so micro services don’t have to be aware/care where the values come from.
    • How do we know which values are in Vault vs which values are in the Registry?
      • One approach is to have the value in the Registry indicate that it is actually a secret in Vault. Then go to Vault for the value.
      • Add a “secrets” path to the configuration like how we are looking at separating out “writeable”
        • Use of Vault vs Registry is determined by the configuration path.
          • If Vault is not enabled, default to getting “secrets” in plain text from Registry’s …/secrets path
        • FYI, thought of this as I was typing up these notes… 😉
      • What about storing all values in Vault, if enabled?
        • Abstraction must know if Vault is enabled.
        • No watcher capability in Vault
          • There might be a way to implement watcher capability via plug-in for Vault’s secrets engine
          • Could keep “writable” section in Registry so still have watcher capability. Assume these never need to be true secrets
            • Use of Vault vs Registry is determined by the configuration path.
    • Recap of Options:
      • Mixed data between Vault & Registry. Some unique value indicates stored as secret in Vault
        • Separate out secrets into “secrets” section/path so they come from Vault when it is enabled.
      • All values stored as secrets in Vault. No watch capability; implement plug-in for secrets engine?
      • All non-writeable stored as secrets in Vault. Writable stored in Registry so they can be watched.

  • Other opens to discuss further
    • How are secrets “put” into Vault?
      • Pre-populated in some other manner?
      • Part of Seed service?
        • Add this capability to Abstraction?
    • Are we expecting a Registry UI to be exposed in production that allows config value changes?
      • Security concerns??
    • What is the approach for implementing this Registry Abstraction and Vault for Edinburgh?
      • Abstraction first so it can be used in the one service targeted for Vault
        • Abstraction must then have support for Vault
      • Separate efforts, Crawl Phase?
        • Abstraction doesn’t initially have support for Vault
        • Vault usage in target micro service is implemented directly against Vault for values that are known to be secrets.
        • Walk phase could add support for Vault to the Abstraction, but it is not required for Edinburgh.

 


Notes from Today's Registry Abstraction and Vault discussion

Goodell, Leonard <leonard.goodell@...>
 

All,
  Below are my notes from today’s discussion. Please add anything I may have missed. I added another option (highlighted below) that I thought of after our discussion.
 
Trevor, please add me to next Core WG meeting agenda to review this and talk about having a combined Core/Security WG meeting early January to try to close on this.
 
Thanks!
   Lenny
 
-----------------------
Notes:
 
  • Vault
    • 3rd party app also from HashiCorp
    • Tightly coupled to Consul
    • Uses Consul features
      • Fail over
      • Clustering
    • We can’t insert an abstraction layer between 3rd party apps (Vault) and Consul.

  • What about abstracting use of Vault for getting values that are stored as secrets so micro services don’t have to be aware/care where the values come from.
    • How do we know which values are in Vault vs which values are in the Registry?
      • One approach is to have the value in the Registry indicate that it is actually a secret in Vault. Then go to Vault for the value.
      • Add a “secrets” path to the configuration like how we are looking at separating out “writeable”
        • Use of Vault vs Registry is determined by the configuration path.
          • If Vault is not enabled, default to getting “secrets” in plain text from Registry’s …/secrets path
        • FYI, thought of this as I was typing up these notes… 😉
      • What about storing all values in Vault, if enabled?
        • Abstraction must know if Vault is enabled.
        • No watcher capability in Vault
          • There might be a way to implement watcher capability via plug-in for Vault’s secrets engine
          • Could keep “writable” section in Registry so still have watcher capability. Assume these never need to be true secrets
            • Use of Vault vs Registry is determined by the configuration path.
    • Recap of Options:
      • Mixed data between Vault & Registry. Some unique value indicates stored as secret in Vault
        • Separate out secrets into “secrets” section/path so they come from Vault when it is enabled.
      • All values stored as secrets in Vault. No watch capability; implement plug-in for secrets engine?
      • All non-writeable stored as secrets in Vault. Writable stored in Registry so they can be watched.

  • Other opens to discuss further
    • How are secrets “put” into Vault?
      • Pre-populated in some other manner?
      • Part of Seed service?
        • Add this capability to Abstraction?
    • Are we expecting a Registry UI to be exposed in production that allows config value changes?
      • Security concerns??
    • What is the approach for implementing this Registry Abstraction and Vault for Edinburgh?
      • Abstraction first so it can be used in the one service targeted for Vault
        • Abstraction must then have support for Vault
      • Separate efforts, Crawl Phase?
        • Abstraction doesn’t initially have support for Vault
        • Vault usage in target micro service is implemented directly against Vault for values that are known to be secrets.
        • Walk phase could add support for Vault to the Abstraction, but it is not required for Edinburgh.
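The "secrets path" option in Lenny's notes (both the original proposal mail above and this recap) can be made concrete in a few dozen lines. The following Go program is an added illustration, not EdgeX code: it sketches a registry abstraction in which keys under a `secrets/` section are served by Vault when Vault is enabled and fall back, in plain text, to the registry's `.../secrets` path when it is not, while the `writable/` section always stays in the registry so it remains watchable. The Consul and Vault clients are replaced by an in-memory `MapStore`, and the service prefix `edgex/core/1.0/core-data`, the key names and all values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// KeyValueStore is all the abstraction needs from a registry (Consul) or a
// secret store (Vault). Real clients would wrap the Consul KV and Vault HTTP
// APIs; the in-memory MapStore below stands in for both in this example.
type KeyValueStore interface {
	Get(path string) (string, bool)
}

// MapStore is an in-memory KeyValueStore used as a stand-in backend.
type MapStore map[string]string

func (m MapStore) Get(path string) (string, bool) {
	v, ok := m[path]
	return v, ok
}

// ConfigProvider hides where a value comes from. Keys under the service's
// "secrets/" section are read from Vault when it is enabled; with Vault
// disabled they come, in plain text, from the registry's .../secrets path.
// Everything else (including the "writable/" section) always comes from the
// registry, so it keeps the registry's watch capability.
type ConfigProvider struct {
	service      string        // registry prefix, e.g. "edgex/core/1.0/core-data" (hypothetical layout)
	registry     KeyValueStore // Consul stand-in
	vault        KeyValueStore // Vault stand-in; ignored when vaultEnabled is false
	vaultEnabled bool
}

func NewConfigProvider(service string, registry, vault KeyValueStore, vaultEnabled bool) *ConfigProvider {
	return &ConfigProvider{service: service, registry: registry, vault: vault, vaultEnabled: vaultEnabled}
}

// IsSecret reports whether the key lives in the "secrets" configuration section.
func (p *ConfigProvider) IsSecret(key string) bool {
	return strings.HasPrefix(key, "secrets/")
}

// CanWatch reports whether callers may subscribe to changes of the key.
// Vault has no watcher, so secrets served by Vault are not watchable.
func (p *ConfigProvider) CanWatch(key string) bool {
	return !(p.vaultEnabled && p.IsSecret(key))
}

// ErrNotFound is returned when the responsible backend does not hold the key.
var ErrNotFound = errors.New("configuration key not found")

// Get resolves a key and reports which backend served it ("vault" or "registry").
// With Vault enabled, a missing secret is an error rather than a silent fallback
// to the registry: falling back would quietly downgrade the value to plain text.
func (p *ConfigProvider) Get(key string) (value, source string, err error) {
	if p.IsSecret(key) && p.vaultEnabled {
		if p.vault == nil {
			return "", "", errors.New("vault enabled but no vault client configured")
		}
		v, ok := p.vault.Get("secret/" + p.service + "/" + key)
		if !ok {
			return "", "", fmt.Errorf("%w in vault: %s", ErrNotFound, key)
		}
		return v, "vault", nil
	}
	v, ok := p.registry.Get(p.service + "/" + key)
	if !ok {
		return "", "", fmt.Errorf("%w in registry: %s", ErrNotFound, key)
	}
	return v, "registry", nil
}

// SampleStores returns constructed registry and vault contents for one
// service; the paths and values are made up for this example.
func SampleStores() (registry, vault MapStore) {
	registry = MapStore{
		"edgex/core/1.0/core-data/writable/logging/level":    "INFO",
		"edgex/core/1.0/core-data/secrets/database/password": "dev-only-plaintext",
	}
	vault = MapStore{
		"secret/edgex/core/1.0/core-data/secrets/database/password": "s3cr3t-from-vault",
	}
	return registry, vault
}

func main() {
	registry, vault := SampleStores()
	for _, enabled := range []bool{false, true} {
		p := NewConfigProvider("edgex/core/1.0/core-data", registry, vault, enabled)
		for _, key := range []string{"secrets/database/password", "writable/logging/level"} {
			v, src, err := p.Get(key)
			fmt.Printf("vault=%-5v %-26s -> %q from %s (watchable=%v, err=%v)\n",
				enabled, key, v, src, p.CanWatch(key), err)
		}
	}
}
```

The one design choice worth calling out is in `Get`: once Vault is enabled, a secret that Vault does not hold is reported as an error instead of being read from the registry, so a mis-seeded Vault cannot silently push a service back onto plain-text credentials. The same path-based rule also answers the "which values are in Vault vs the Registry" question without a per-value marker.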


Hardware-based Secure Storage Design Document - Draft

David Ferriera
 

Hi All,

    I have uploaded the design document we have been discussing in the past two Security WG meetings.  It is in our google drive collaboration folder here.

    If you do not have access to the folder, submit the request when you are denied access and we will approve.

   I have also posted a PDF version of the document to the Security WG Wiki page (at the bottom in the Documents section).

Thanks,
-David

David Ferriera | Forgerock
Senior Director, Cloud Technology | Office of the CTO
m +1 408.454.8189 | w forgerock.com


Container Security

Gregg, James R
 

Per my conversation with David @ the Edinburgh F2F, here’s a tool we have begun to look at as part of our CI/CD pipeline. There’s a recent PR that now addresses the gap around filtering the scan to a specific container. We also only focus on the relevant checks related to the Docker container but can also look at the underlying host for black box testing.
https://github.com/docker/docker-bench-security

Thank You, 
James Gregg 
Intel Corporation / IOTG RSD


Re: Potential security issues with EdgeX

Alexandre Courouble <acourouble@...>
 

Thank you for your response David. We are looking for ways to get involved with EdgeX, so this might be a good starting point.

 

Malini will be in Edinburgh for the F2F next week. I’m sure you two will meet up.

 

Thanks,

--

Alex Courouble

Member of Technical Staff – Open Source Engineer

VMware Open Source Technology Center

 

From: David Ferriera <david.ferriera@...>
Date: Thursday, October 18, 2018 at 1:32 PM
To: Alexandre Courouble <acourouble@...>, "edgex-tsc-security@..." <edgex-tsc-security@...>
Cc: Malini Bhandaru <mbhandaru@...>
Subject: Re: Potential security issues with EdgeX

 

Hi Alex,

 

    Thank you for the effort.  We welcome contributions.  We are always shorthanded in the security group.

 

   Code analysis has been on our list since the beginning.  If you have the resources to help us fix these and others, that would be great.  We would like to have this function be a part of our ongoing release process.

 

   Will you or any of your team be at the Edinburgh F2F next week?  If not, I will put this topic on one of our weekly meetings and invite you to discuss.

 

Thanks,

-David

 

David Ferriera | Forgerock

Senior Director, Cloud Technology | Office of the CTO

m +1 408.454.8189 | w forgerock.com

 

On October 16, 2018 at 4:17:11 PM, Alexandre Courouble (acourouble@...) wrote:

Hello,

 

Gosec (https://github.com/securego/gosec)  is a tool that parses the source code and looks for security anti-patterns.

 

We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:

 

  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less

 

I’ve attached the gosec output to this email.

 

Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.

 

We would like to know how we should proceed further?

 

Potentially we could integrate gosec into the build pipeline.

 

Best regards,

-- 

Alex Courouble

Member of Technical Staff – Open Source Engineer

VMware Open Source Technology Center


Re: Potential security issues with EdgeX

Beau Frusetta
 

We can potentially help out in regards to code analysis. Let’s chat more next week in Edinburgh…

 

From: EdgeX-TSC-Security@... [mailto:EdgeX-TSC-Security@...] On Behalf Of David Ferriera
Sent: Thursday, October 18, 2018 13:32
To: Alexandre Courouble <acourouble@...>; edgex-tsc-security@...
Cc: Malini Bhandaru <mbhandaru@...>
Subject: Re: [Edgex-tsc-security] Potential security issues with EdgeX

 

Hi Alex,

 

    Thank you for the effort.  We welcome contributions.  We are always shorthanded in the security group.

 

   Code analysis has been on our list since the beginning.  If you have the resources to help us fix these and others, that would be great.  We would like to have this function be a part of our ongoing release process.

 

   Will you or any of your team be at the Edinburgh F2F next week?  If not, I will put this topic on one of our weekly meetings and invite you to discuss.

 

Thanks,

-David

 

David Ferriera | Forgerock

Senior Director, Cloud Technology | Office of the CTO

m +1 408.454.8189 | w forgerock.com

 

On October 16, 2018 at 4:17:11 PM, Alexandre Courouble (acourouble@...) wrote:

Hello,

 

Gosec (https://github.com/securego/gosec)  is a tool that parses the source code and looks for security anti-patterns.

 

We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:

 

  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less

 

I’ve attached the gosec output to this email.

 

Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.

 

We would like to know how we should proceed further?

 

Potentially we could integrate gosec into the build pipeline.

 

Best regards,

-- 

Alex Courouble

Member of Technical Staff – Open Source Engineer

VMware Open Source Technology Center


Re: Potential security issues with EdgeX

David Ferriera
 

Hi Alex,

    Thank you for the effort.  We welcome contributions.  We are always shorthanded in the security group.

   Code analysis has been on our list since the beginning.  If you have the resources to help us fix these and others, that would be great.  We would like to have this function be a part of our ongoing release process.

   Will you or any of your team be at the Edinburgh F2F next week?  If not, I will put this topic on one of our weekly meetings and invite you to discuss.

Thanks,
-David

David Ferriera | Forgerock
Senior Director, Cloud Technology | Office of the CTO
m +1 408.454.8189 | w forgerock.com

On October 16, 2018 at 4:17:11 PM, Alexandre Courouble (acourouble@...) wrote:

Hello,

 

Gosec (https://github.com/securego/gosec)  is a tool that parses the source code and looks for security anti-patterns.

 

We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:

 

  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less

 

I’ve attached the gosec output to this email.

 

Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.

 

We would like to know how we should proceed further?

 

Potentially we could integrate gosec into the build pipeline.

 

Best regards,

-- 

Alex Courouble

Member of Technical Staff – Open Source Engineer

VMware Open Source Technology Center


Re: Potential security issues with EdgeX

Malini Bhandaru
 

Agree Benjamin. We were under the impression the security mailing list was more restricted.

Does EdgeX have such a limited mailing list for security issues? If not we need to create one.

 

Regards

Malini

 

From: <EdgeX-TSC-Security@...> on behalf of Benjamin Cabé <benjamin.cabe@...>
Date: Wednesday, October 17, 2018 at 2:31 AM
To: "edgex-tsc-security@..." <edgex-tsc-security@...>
Subject: Re: [Edgex-tsc-security] Potential security issues with EdgeX

 

FWIW reporting security vulnerabilities on a *public* mailing list certainly sounds like a security anti-pattern as well…

 

On 17 Oct 2018, at 01:17, Alexandre Courouble <acourouble@...> wrote:

 

Hello,

 

Gosec (https://github.com/securego/gosec)  is a tool that parses the source code and looks for security anti-patterns.

 

We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:

 

  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less

 

I’ve attached the gosec output to this email.

 

Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.

 

We would like to know how we should proceed further?

 

Potentially we could integrate gosec into the build pipeline.

 

Best regards,

-- 

Alex Courouble

Member of Technical Staff – Open Source Engineer

VMware Open Source Technology Center

<results.json>

 


Re: Potential security issues with EdgeX

Benjamin Cabé <benjamin.cabe@...>
 

FWIW reporting security vulnerabilities on a *public* mailing list certainly sounds like a security anti-pattern as well…

On 17 Oct 2018, at 01:17, Alexandre Courouble <acourouble@...> wrote:

Hello,
 
Gosec (https://github.com/securego/gosec)  is a tool that parses the source code and looks for security anti-patterns.
 
We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:
 
  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less
 
I’ve attached the gosec output to this email.
 
Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.
 
We would like to know how we should proceed further?
 
Potentially we could integrate gosec into the build pipeline.
 
Best regards,
-- 
Alex Courouble
Member of Technical Staff – Open Source Engineer
VMware Open Source Technology Center
<results.json>


Potential security issues with EdgeX

Alexandre Courouble <acourouble@...>
 

Hello,

 

Gosec (https://github.com/securego/gosec)  is a tool that parses the source code and looks for security anti-patterns.

 

We ran gosec against the EdgeX-go source code and uncovered a series of potential vulnerabilities including but not limited to:

 

  • Blacklisted import crypto/sha1: weak cryptographic primitive
  • Potential file inclusion via variable
  • Expect file permissions to be 0600 or less

 

I’ve attached the gosec output to this email.

 

Do these vulnerabilities seem critical to you? If so, we would love to contribute fixes.

 

We would like to know how we should proceed further?

 

Potentially we could integrate gosec into the build pipeline.

 

Best regards,

-- 

Alex Courouble

Member of Technical Staff – Open Source Engineer

VMware Open Source Technology Center
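The three gosec findings Alex lists map to well-known Go rules (weak hash, file inclusion via a variable path, loose file permissions). The program below is an added example, not code from EdgeX-go or from the gosec output attached to the mail: it shows the hardened form of each pattern in one place, with the file names, directory layout and contents constructed for the example. `SafeJoin` confines a caller-supplied name to a base directory, `WriteSecretFile` creates key material owner-only and tightens a pre-existing file, `PermissionsOK` is the check a reviewer would run, and `FileDigest` replaces SHA-1 with SHA-256.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a caller-supplied name would escape the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// SafeJoin addresses "potential file inclusion via variable" (gosec G304): the
// variable part of the path is cleaned and then confined to base, so ".."
// segments cannot reach files outside it.
func SafeJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, name) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(absBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideBase, name)
	}
	return full, nil
}

// WriteSecretFile addresses "expect file permissions to be 0600 or less"
// (gosec G306): the file is created owner-only and, because a pre-existing
// file keeps its old bits, explicitly tightened before the secret is written.
func WriteSecretFile(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	if err := f.Chmod(0o600); err != nil {
		f.Close()
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// PermissionsOK reports whether a file is accessible by its owner only, the
// check a reviewer would run on any file holding key material.
func PermissionsOK(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o077 == 0, nil
}

// FileDigest addresses "blacklisted import crypto/sha1": the integrity value of
// a file is its hex SHA-256, and the file is opened only through SafeJoin.
func FileDigest(base, name string) (string, error) {
	path, err := SafeJoin(base, name)
	if err != nil {
		return "", err
	}
	f, err := os.Open(path) // #nosec G304 -- path was confined by SafeJoin above
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	dir, err := os.MkdirTemp("", "gosec-demo") // constructed scratch directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	path, err := SafeJoin(dir, "tls/server.key")
	if err != nil {
		panic(err)
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		panic(err)
	}
	if err := WriteSecretFile(path, []byte("hello")); err != nil {
		panic(err)
	}
	ok, _ := PermissionsOK(path)
	sum, _ := FileDigest(dir, "tls/server.key")
	fmt.Println("owner-only:", ok, "sha256:", sum)

	_, err = SafeJoin(dir, "../outside.txt")
	fmt.Println("escape rejected:", errors.Is(err, ErrOutsideBase))
}
```

The `#nosec G304` annotation is gosec's own way to mark a finding as reviewed; it belongs only on a line whose input has been confined immediately above it, as here, so that a later `gosec ./...` in the build pipeline stays quiet without hiding new instances of the pattern.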


System Management working group call tomorrow - with presentation by Intel to start

White2, James
 

All,

A reminder that the System Management Working Group convenes tomorrow at 10am CDT.  Jay Chetty from Intel will present on Intel’s secure device provisioning proof-of-concept.

Jay will present for the first 30 minutes and members of both the system management and security working groups are encouraged to attend (along with the entire community) as the information may be useful to both groups.

Additionally, Akram Ahmed from the Dell team will present the current state of the system management implementation for the Delhi release (with a quick demo offered).  Some discussion about implementation options for start/stop/restart operations will follow his demo.

 

Find the full agenda and connection information here:  https://wiki.edgexfoundry.org/display/FA/Systems+Management+Working+Group.  I look forward to Jay’s visit and hope all of you can attend.

Jim White

Distinguished Engineer, IoT Platform Development Team Lead

EdgeX Foundry Technical Steering Committee Vice Chairman

Dell Technologies | IoT Solutions Division

Office +1 512-723-6139, mobile/text +1 612-916-6693

james_white2@...

 


Re: Failed to add certificate with errorcode 400

qq
 

In vault-kong.sh, line 103, "sk" should be "key"; now it is OK!

```
"404")
echo ">> (6) Create the Kong JSON with TLS certificate and private key (base64 encoded)"
jq -n --arg cert "$(cat ${_KONG_PEM}|base64)" \
--arg sk "$(cat ${_KONG_SK}|base64)" \
'{cert:$cert,sk:$sk}' > ${_PAYLOAD_KONG}
```



15599633@...

 
Date: 2018-09-01 11:25
Subject: Failed to add certificate with errorcode 400
Method 1. Run the Security Service with Docker-compose file. Make sure other EdgeX services start as usual (especially volume), then
```
cd Docker
docker-compose up -d vault
docker-compose up -d vault-worker
docker-compose up -d kong-db
docker-compose up -d kong-migrations
docker-compose up -d kong
docker-compose up -d edgex-proxy
```

edgex-proxy log:

edgex-proxy        | emp2WnBWeFFiVVRQZlFZbkNIY1p1ZS9oSmRsMmVHbUpjWUxFYWhtVwpHWEZHQmRJOEN4YjkzUW1p
edgex-proxy        | K1UxRGJzQWdudnF5ZUxxWXlja3BlZkw1UmRkSUpXMUMyMFM2dXp3MTUyeVY4VWRhCktJazlYL2lv
edgex-proxy        | UkJBSTRHbGpHWFRqeDN4N3ZDTDEyeVkvU0FlcWtWY0Y2VTlqVWgyUnRKQ2RnZzM1WlZpaTFocmMK
edgex-proxy        | UENkeWozVUY4SU01QUFUb1JNNGYyWERtZjJZTEVYRE9GMkREWkFIbXRGaW9TZ0x6ZEFaS2JobFMx
edgex-proxy        | U2ZBdVZBegpkM3lIVUZKa2FPUW4vWXphYUZKUFRhZGVhRW91NWNLOTZzeFVHS2E5eXV1UEtCeFkr
edgex-proxy        | bklTVzZCblcxYjhhdGVsCmdCQWlvWi9nbHVSRWtySDBtNXhkaEo0My92blZzSC9TNFBxQjhWL3po
edgex-proxy        | d0FmSTgrcDZjbWp2YlNaQ1IvK2RscnUKcExObHd4cE5uUitGQWpHSkJTRGdCQ3hPQzE4Q1dDWmV5
edgex-proxy        | ZXArY3hLOVU4dkJFb2JnTXk4NFVVaWxteTBmY1lsMwpxSU9ZQWFzNkowczhZc0J6MEtaSXlORU5a
edgex-proxy        | UzAwNXFVb09tRnF6TkZpV0U3Rm4zWVV2K0tScFo4MWdLRmtqbkJsCnVBeE9LMUk9Ci0tLS0tRU5E
edgex-proxy        | IENFUlRJRklDQVRFLS0tLS0K
edgex-proxy        | INFO: 2018/09/01 02:44:11 successful on retrieving certificate from v1/secret/edgex/pki/tls/edgex-kong.
edgex-proxy        | INFO: 2018/09/01 02:44:11 Trying to upload cert to proxy server.
edgex-proxy        | ERROR: 2018/09/01 02:44:11 Failed to add certificate with errorcode 400.
edgex-proxy        | INFO: 2018/09/01 02:44:11 Finishing initialization for reverse proxy


kong:

kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/ HTTP/1.1" 409 159 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/exportclient/plugins/ HTTP/1.1" 409 54 "-" "Go-http-client/1.1"
kong               | 2018/09/01 02:44:11 [notice] 52#0: *3534 [lua] init.lua:391: insert(): ERROR: duplicate key value violates unique constraint "services_name_key"
kong               | Key (name)=(virtualdevice) already exists., client: 172.29.0.9, server: kong_admin, request: "POST /services/ HTTP/1.1", host: "kong:8001"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/ HTTP/1.1" 409 161 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/virtualdevice/plugins/ HTTP/1.1" 409 54 "-" "Go-http-client/1.1"
kong               | 2018/09/01 02:44:11 [notice] 52#0: *3536 [lua] init.lua:391: insert(): ERROR: duplicate key value violates unique constraint "services_name_key"
kong               | Key (name)=(coredata) already exists., client: 172.29.0.9, server: kong_admin, request: "POST /services/ HTTP/1.1", host: "kong:8001"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/ HTTP/1.1" 409 151 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/coredata/plugins/ HTTP/1.1" 409 54 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/metadata/routes/ HTTP/1.1" 201 306 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/exportclient/routes/ HTTP/1.1" 201 310 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/virtualdevice/routes/ HTTP/1.1" 201 311 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/coredata/routes/ HTTP/1.1" 201 306 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/exportdistro/routes/ HTTP/1.1" 201 310 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/rulesengine/routes/ HTTP/1.1" 201 309 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/command/routes/ HTTP/1.1" 201 305 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/notifications/routes/ HTTP/1.1" 201 311 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/supportlogging/routes/ HTTP/1.1" 201 312 "-" "Go-http-client/1.1"
kong               | 2018/09/01 02:44:11 [notice] 52#0: *3547 [lua] init.lua:391: insert(): ERROR: duplicate key value violates unique constraint "services_name_key"
kong               | Key (name)=(admin) already exists., client: 172.29.0.9, server: kong_admin, request: "POST /services/ HTTP/1.1", host: "kong:8001"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/ HTTP/1.1" 409 145 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/admin/routes HTTP/1.1" 201 298 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/admin/plugins HTTP/1.1" 409 54 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /certificates/ HTTP/1.1" 400 37 "-" "Go-http-client/1.1"


15599633@...
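The bare "Failed to add certificate with errorcode 400" in the edgex-proxy log hides the reason Kong gives, which is what made this field-name mistake hard to spot. The Go program below is an added example, not edgex-proxy or Kong code: it builds the `/certificates/` payload both ways (the `sk` field from line 103 before the fix, and the `key` field Kong's certificate schema expects), posts each to a constructed `httptest` stand-in that only imitates the Admin API's required-field check, and returns the status code together with the response body so the reason is logged. The PEM contents are placeholders, base64-encoded the same way the script's `$(cat ... | base64)` does.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// CertificatePayload is the body vault-kong.sh builds for POST /certificates/ on
// Kong's Admin API. Kong's certificate schema names the private-key field "key".
type CertificatePayload struct {
	Cert string `json:"cert"`
	Key  string `json:"key"`
}

// NewKongAdminStub is a constructed stand-in for the Admin API that only
// imitates its field check on /certificates/: 201 when "cert" and "key" are
// both present, 400 with a schema message when either is missing.
func NewKongAdminStub() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/certificates/" {
			http.NotFound(w, r)
			return
		}
		var body map[string]string
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, `{"message":"invalid JSON body"}`, http.StatusBadRequest)
			return
		}
		for _, field := range []string{"cert", "key"} {
			if body[field] == "" {
				w.WriteHeader(http.StatusBadRequest)
				fmt.Fprintf(w, `{"message":"schema violation (%s: required field missing)"}`, field)
				return
			}
		}
		w.WriteHeader(http.StatusCreated)
		io.WriteString(w, `{"id":"constructed-certificate-id"}`)
	}))
}

// UploadCertificate posts the payload and returns the status code and response
// body, so a 400 is logged with Kong's reason rather than the bare
// "errorcode 400" seen in the edgex-proxy log.
func UploadCertificate(adminURL string, payload []byte) (int, string, error) {
	resp, err := http.Post(adminURL+"/certificates/", "application/json", bytes.NewReader(payload))
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return resp.StatusCode, "", err
	}
	return resp.StatusCode, string(body), nil
}

// Constructed placeholder PEM blocks, base64-encoded like the script's
// $(cat ... | base64); real runs carry the Kong certificate and key from Vault.
var (
	sampleCert = base64.StdEncoding.EncodeToString([]byte("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"))
	sampleKey  = base64.StdEncoding.EncodeToString([]byte("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n"))
)

// WrongPayload reproduces line 103 before the fix: the private key is sent as "sk".
func WrongPayload() []byte {
	b, _ := json.Marshal(map[string]string{"cert": sampleCert, "sk": sampleKey})
	return b
}

// FixedPayload sends the field name Kong expects.
func FixedPayload() []byte {
	b, _ := json.Marshal(CertificatePayload{Cert: sampleCert, Key: sampleKey})
	return b
}

func main() {
	kong := NewKongAdminStub()
	defer kong.Close()
	cases := []struct {
		field string
		body  []byte
	}{
		{"sk", WrongPayload()},
		{"key", FixedPayload()},
	}
	for _, c := range cases {
		code, resp, err := UploadCertificate(kong.URL, c.body)
		fmt.Printf("field %q -> HTTP %d %s (err=%v)\n", c.field, code, resp, err)
	}
}
```

Logging the response body next to the status code is the cheap fix on the client side: Kong's real Admin API returns a JSON `message` with its 400s, and surfacing it would have named the missing field directly instead of leaving the reader to diff the script against the schema.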


Failed to add certificate with errorcode 400

qq
 

Method 1. Run the Security Service with Docker-compose file. Make sure other EdgeX services start as usual (especially volume), then
```
cd Docker
docker-compose up -d vault
docker-compose up -d vault-worker
docker-compose up -d kong-db
docker-compose up -d kong-migrations
docker-compose up -d kong
docker-compose up -d edgex-proxy
```

edgex-proxy log:

edgex-proxy        | emp2WnBWeFFiVVRQZlFZbkNIY1p1ZS9oSmRsMmVHbUpjWUxFYWhtVwpHWEZHQmRJOEN4YjkzUW1p
edgex-proxy        | K1UxRGJzQWdudnF5ZUxxWXlja3BlZkw1UmRkSUpXMUMyMFM2dXp3MTUyeVY4VWRhCktJazlYL2lv
edgex-proxy        | UkJBSTRHbGpHWFRqeDN4N3ZDTDEyeVkvU0FlcWtWY0Y2VTlqVWgyUnRKQ2RnZzM1WlZpaTFocmMK
edgex-proxy        | UENkeWozVUY4SU01QUFUb1JNNGYyWERtZjJZTEVYRE9GMkREWkFIbXRGaW9TZ0x6ZEFaS2JobFMx
edgex-proxy        | U2ZBdVZBegpkM3lIVUZKa2FPUW4vWXphYUZKUFRhZGVhRW91NWNLOTZzeFVHS2E5eXV1UEtCeFkr
edgex-proxy        | bklTVzZCblcxYjhhdGVsCmdCQWlvWi9nbHVSRWtySDBtNXhkaEo0My92blZzSC9TNFBxQjhWL3po
edgex-proxy        | d0FmSTgrcDZjbWp2YlNaQ1IvK2RscnUKcExObHd4cE5uUitGQWpHSkJTRGdCQ3hPQzE4Q1dDWmV5
edgex-proxy        | ZXArY3hLOVU4dkJFb2JnTXk4NFVVaWxteTBmY1lsMwpxSU9ZQWFzNkowczhZc0J6MEtaSXlORU5a
edgex-proxy        | UzAwNXFVb09tRnF6TkZpV0U3Rm4zWVV2K0tScFo4MWdLRmtqbkJsCnVBeE9LMUk9Ci0tLS0tRU5E
edgex-proxy        | IENFUlRJRklDQVRFLS0tLS0K
edgex-proxy        | INFO: 2018/09/01 02:44:11 successful on retrieving certificate from v1/secret/edgex/pki/tls/edgex-kong.
edgex-proxy        | INFO: 2018/09/01 02:44:11 Trying to upload cert to proxy server.
edgex-proxy        | ERROR: 2018/09/01 02:44:11 Failed to add certificate with errorcode 400.
edgex-proxy        | INFO: 2018/09/01 02:44:11 Finishing initialization for reverse proxy


kong:

kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/ HTTP/1.1" 409 159 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/exportclient/plugins/ HTTP/1.1" 409 54 "-" "Go-http-client/1.1"
kong               | 2018/09/01 02:44:11 [notice] 52#0: *3534 [lua] init.lua:391: insert(): ERROR: duplicate key value violates unique constraint "services_name_key"
kong               | Key (name)=(virtualdevice) already exists., client: 172.29.0.9, server: kong_admin, request: "POST /services/ HTTP/1.1", host: "kong:8001"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/ HTTP/1.1" 409 161 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/virtualdevice/plugins/ HTTP/1.1" 409 54 "-" "Go-http-client/1.1"
kong               | 2018/09/01 02:44:11 [notice] 52#0: *3536 [lua] init.lua:391: insert(): ERROR: duplicate key value violates unique constraint "services_name_key"
kong               | Key (name)=(coredata) already exists., client: 172.29.0.9, server: kong_admin, request: "POST /services/ HTTP/1.1", host: "kong:8001"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/ HTTP/1.1" 409 151 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/coredata/plugins/ HTTP/1.1" 409 54 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/metadata/routes/ HTTP/1.1" 201 306 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/exportclient/routes/ HTTP/1.1" 201 310 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/virtualdevice/routes/ HTTP/1.1" 201 311 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/coredata/routes/ HTTP/1.1" 201 306 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/exportdistro/routes/ HTTP/1.1" 201 310 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/rulesengine/routes/ HTTP/1.1" 201 309 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/command/routes/ HTTP/1.1" 201 305 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/notifications/routes/ HTTP/1.1" 201 311 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/supportlogging/routes/ HTTP/1.1" 201 312 "-" "Go-http-client/1.1"
kong               | 2018/09/01 02:44:11 [notice] 52#0: *3547 [lua] init.lua:391: insert(): ERROR: duplicate key value violates unique constraint "services_name_key"
kong               | Key (name)=(admin) already exists., client: 172.29.0.9, server: kong_admin, request: "POST /services/ HTTP/1.1", host: "kong:8001"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/ HTTP/1.1" 409 145 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/admin/routes HTTP/1.1" 201 298 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /services/admin/plugins HTTP/1.1" 409 54 "-" "Go-http-client/1.1"
kong               | 172.29.0.9 - - [01/Sep/2018:02:44:11 +0000] "POST /certificates/ HTTP/1.1" 400 37 "-" "Go-http-client/1.1"


15599633@...


kong error

qq
 

zzh@ubuntu:~$ docker-compose -f docker-compose-california-0.6.0.yml logs kong
kong               | prefix directory /usr/local/kong not found, trying to create it
kong               | 2018/08/29 00:38:44 [notice] 1#0: using the "epoll" event method
kong               | 2018/08/29 00:38:44 [notice] 1#0: openresty/1.13.6.1
kong               | 2018/08/29 00:38:44 [notice] 1#0: built by gcc 6.3.0 (Alpine 6.3.0)
kong               | 2018/08/29 00:38:44 [notice] 1#0: OS: Linux 4.4.0-133-generic
kong               | 2018/08/29 00:38:44 [notice] 1#0: getrlimit(RLIMIT_NOFILE): 1048576:1048576
kong               | 2018/08/29 00:38:44 [notice] 1#0: start worker processes
kong               | 2018/08/29 00:38:44 [notice] 1#0: start worker process 46
kong               | 2018/08/29 00:38:44 [notice] 1#0: start worker process 47
kong               | 2018/08/29 00:38:49 [crit] 47#0: *6 [lua] balancer.lua:685: init(): failed loading initial list of upstreams: failed to get from node cache: could not aquire callback lock: timeout, context: ngx.timer
kong               | 172.20.0.8 - - [29/Aug/2018:00:39:21 +0000] "GET / HTTP/1.1" 200 5039 "-" "Go-http-client/1.1"
kong               | 172.20.0.8 - - [29/Aug/2018:00:39:21 +0000] "POST /services/ HTTP/1.1" 201 284 "-" "Go-http-client/1.1"
kong               | 172.20.0.8 - - [29/Aug/2018:00:39:21 +0000] "POST /services/rulesengine/plugins/ HTTP/1.1" 201 307 "-" "Go-http-client/1.1"
kong               | 172.20.0.8 - - [29/Aug/2018:00:39:21 +0000] "POST /services/ HTTP/1.1" 201 288 "-" "Go-http-client/1.1"


Re: Blog: Security Services in California release

Maemalynn Meanor <maemalynn@...>
 

Thank you, Michael and Tingyu! Unless this group has any objections or additional changes, I’ll prep this to go live tomorrow.


Thanks,
Mae

Maemalynn Meanor
PR Manager 
The Linux Foundation
Maemalynn@...
(602) 541-0356
Skype: Maemalynn





On Aug 10, 2018, at 1:29 PM, Zeng, Tingyu <Tingyu.Zeng@...> wrote:

I am updating the document for some minor changes.

Thanks,
Tingyu

-----Original Message-----
From: EdgeX-TSC-Security@... [mailto:EdgeX-TSC-Security@...] On Behalf Of Michael Hall
Sent: Friday, August 10, 2018 3:44 PM
To: Maemalynn Meanor; edgex-tsc-security@...
Cc: Brett Preston
Subject: [Edgex-tsc-security] Blog: Security Services in California release

Hi Mae,

Here's a link to a draft for my next blog entry, about the security services introduced in the California release. It doesn't go into a lot of technical detail, but gives an overview of what the benefits of those services are and the role they play in the overall architecture of EdgeX Foundry.

https://docs.google.com/document/d/1yghKb3NkinqSVyUYDTNVujmVYB_6z5q_TSj6IKBXqQQ/edit?usp=sharing

I've also copied the Security WG mailing list on this. David, Tingyu, Alain, this is based off the information I got from your presentation to the TSC last month. Can you also review the text and let me know if I got anything wrong, or anything that you would like to be added? The purpose of the blog post is to spread awareness that we have these security services now, and then if people are interested in more details we can direct them from there.

Thank you all!

--
Michael Hall
Contractor, The Linux Foundation