Documentation: Use SSL for all REST Communications

Created on 8 Mar 2017 · 4 Comments · Source: Islandora/documentation

We are using JWT tokens to secure our communications between services, but tokens require SSL to make sure no one records the tokens as they go by.

We should make sure that everything is communicating over SSL. Good practice to do anyway.

  • [ ] STOMP Broker
  • [ ] Tomcat
  • [ ] Drupal

Am I missing any services?

The question is what should we use for a certificate for vagrant? Should we just use self-signed certificates everywhere? Grab a valid certificate from LetsEncrypt when the vagrant is spinning up? Should probably have some discussion about that in this ticket; might take some investigation.

Vagrant architecture

All 4 comments

I'd lean toward LetsEncrypt since it'd be closer to real world as opposed to self-signed.

Depends on how you want to go about it. Self-signing might be a bit easier to orchestrate, but LetsEncrypt would be more like a real deployment. I'm ambivalent.

Does https://github.com/Islandora-Labs/islandora_vagrant or https://github.com/Islandora-Labs/islandora_vagrant_base_box do anything to address this?

I never set it up, and I don't think anybody else has since I stopped maintaining it.

So, doing a bit of digging, we can't use Let's Encrypt because we need a domain name we can do verification against or they won't issue certs.

So I think self-signed is the way to go. To make it more like a real deployment, we can probably make our own self-signed certificate authority, then add that as a root certificate in Java, so all the requests will act like they are a real request with a real certificate.
