Authentication towards HawkBit

chris....@gmail.com

Jul 20, 2017, 4:22:56 AM
to swupdate
Hi everyone

HawkBit supports authentication of targets:

https://eclipse.org/hawkbit/documentation/security/security.html

We are using swupdate with HawkBit and I could not find any documentation about authenticating swupdate in HawkBit. Is there such an (undocumented) feature or does swupdate not support it at all but rather require a secure and authenticated connection to HawkBit?

Stefano Babic

Jul 20, 2017, 4:35:48 AM
to chris....@gmail.com, swupdate
Hi Chris,

On 20/07/2017 10:22, chris....@gmail.com wrote:
> Hi everyone
>
> HawkBit supports authentication of targets:
>
> https://eclipse.org/hawkbit/documentation/security/security.html
>
> We are using swupdate with HawkBit and I could not find any documentation about authenticating swupdate in HawkBit. Is there such a (undocumented) feature or does swupdate not support it at

SWUpdate does not support use of token - maybe in future. SWUpdate
implements the full API as specified here:

https://docs.bosch-iot-rollouts.com/documentation/rest-api/rootcontroller-api-guide.html

> all but rather require a secure and authenticated connection to
> HawkBit.

Yes, this is done by installing certificates and informing SWUpdate via
the configuration file to use them to connect to the Hawkbit server.

Best regards,
Stefano Babic

--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
=====================================================================

Diego Rondini

Jul 20, 2017, 5:24:54 AM
to swup...@googlegroups.com, Stefano Babic, chris....@gmail.com
Hi Chris,

On Thursday, 20 July 2017 10:35:39 CEST Stefano Babic wrote:
> Hi Chris,
>
> On 20/07/2017 10:22, chris....@gmail.com wrote:
> > Hi everyone
> >
> > HawkBit supports authentication of targets:
> >
> > https://eclipse.org/hawkbit/documentation/security/security.html
> >
> > We are using swupdate with HawkBit and I could not find any documentation
> > about authenticating swupdate in HawkBit. Is there such a (undocumented)
> > feature or does swupdate not support it at
> SWUpdate does not support use of token - maybe in future. SWUpdate
> implements the full API as specified here:
>

By the way supporting TargetToken or GatewayToken shouldn't be difficult:
aside from the work of specifying the value of the token via command line
argument or configuration file, it should be just a matter of adding the
"Authorization" header with proper parameter to the HTTP request. As SWUpdate
uses libcurl it should be very easy to do, this is an example of tweaking the
header of a request:
https://curl.haxx.se/libcurl/c/httpcustomheader.html

Mind you of course that tokens can be eavesdropped if you are using plain HTTP
and not HTTPS.

Bests,
Diego Rondini
Sr. Embedded Engineer

Kynetics
www.kynetics.com
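
As an added example (not part of the original post and not SWUpdate code), this sketches the header construction described in the message above, with the HTTPS caveat enforced in code. The function and enum names, the sample URL and the sample token are constructed for illustration; the `TargetToken` / `GatewayToken` header values follow hawkBit's documented format.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Hypothetical names for this example; not an SWUpdate option or API. */
enum hawkbit_auth { AUTH_TARGET_TOKEN, AUTH_GATEWAY_TOKEN };

/*
 * Write "Authorization: TargetToken <token>" (or GatewayToken) into out.
 * Returns 0 on success, -1 when the header must not be sent:
 *   - the URL is not https:// (the token would travel in clear text)
 *   - the token is empty or has spaces/control characters (CR/LF would
 *     let a bad config value inject extra headers)
 *   - the result does not fit in out
 */
int build_auth_header(const char *url, enum hawkbit_auth kind,
                      const char *token, char *out, size_t outlen)
{
    const char *scheme = (kind == AUTH_GATEWAY_TOKEN) ? "GatewayToken"
                                                      : "TargetToken";
    size_t i, n;
    int w;

    if (!url || !token || !out || outlen == 0)
        return -1;
    if (strncasecmp(url, "https://", 8) != 0)
        return -1;
    n = strlen(token);
    if (n == 0)
        return -1;
    for (i = 0; i < n; i++)
        if (!isgraph((unsigned char)token[i]))
            return -1;
    w = snprintf(out, outlen, "Authorization: %s %s", scheme, token);
    if (w < 0 || (size_t)w >= outlen) {
        out[0] = '\0';      /* never leave a truncated header behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char hdr[128];
    /* Constructed sample URL and token. */
    if (build_auth_header("https://hawkbit.example.com/DEFAULT/controller/v1/dev01",
                          AUTH_TARGET_TOKEN, "constructed-sample-token",
                          hdr, sizeof(hdr)) == 0)
        puts(hdr); /* hand to curl_slist_append(), then CURLOPT_HTTPHEADER */
    return 0;
}
```

The resulting string is what would be appended with `curl_slist_append()` and set through `CURLOPT_HTTPHEADER`, as in the libcurl example linked in the message.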

chris....@gmail.com

Jul 20, 2017, 6:24:14 AM
to swupdate, chris....@gmail.com, sba...@denx.de

If I'm not wrong, the certificate approach only secures the connection between swupdate and Hawkbit from eavesdropping. What I'm looking for is the following: our HawkBit server is currently publicly reachable over the internet. This means that anyone running swupdate can contact it and pretend to be a target of our system. Using the authentication and authorization would lock these devices out. As far as I understand this is not possible with swupdate at the moment and people overcome this by putting both targets running swupdate and the corresponding HawkBit server into the same network which is isolated from public networks?

Stefano Babic

Jul 20, 2017, 6:50:13 AM
to chris....@gmail.com, swupdate, sba...@denx.de
Hi Chris,
As far as I know (but you could better post the same question to
Hawkbit's people), Hawkbit allows in the System Configuration "Allow
targets to authenticate via a certificate authenticated by an reverse
proxy". This requires installing certificates on the device, of course.

I know about some other environment where the Management Interface in
Hawkbit is used together with the configData sent to the server. When
the target sends the first request, it sends some data via PUT and this
data is evaluated by an external program that uses the Management
Interface to accept or drop the target from the database. Anyway, these
are custom extensions not freely available (and I am not sure if it
works exactly as I described).