JAAS: Security Hardening ======================== JIMM, the service at the centre of JAAS can be hardened in a number of ways. This document details how you can harden the security of your JAAS deployment. .. hint:: As a reference on JAAS security overview, check out :doc:`this <../reference/security>` topic. CORS ---- Cross-Origin Resource Sharing (`CORS `__) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "pre-flight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that pre-flight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request. To set CORS on JIMM, use the configuration option ``cors-allowed-origins``. Ingress TLS ----------- Please refer :doc:`here <./setup_ingress_with_tls>`. Identity Provider ----------------- JAAS uses the Canonical Identity Platform for authentication. The communication between JAAS and the Identity Platform can be secured via TLS. You will require the Identity Platform and the ``self-signed-certificates`` charm deployed. See `here `__ for deploying the identity platform. Your Identity Platform will require TLS enabled via the `self-signed certificates charm `__. Using JIMM's ``receive-ca-cert integration``, you can now relate to the self-signed-certificates charm to enabled TLS between the identity platform and JIMM. OpenFGA ------- JIMM uses OpenFGA for authorisation and currently, the OpenFGA charm does not support TLS. See `here `__. Vault ----- TLS is enabled by default when communicating with the Vault charm. See `here `__. JIMM uses Vault for storing cloud credentials, JWKS, and other secrets. Juju Controllers ---------------- TLS is enabled by default when communicating with controllers. When adding a Juju controller to JIMM, the self-signed certificate of the controller is given to JIMM. .. hint:: Checkout :doc:`this <./add_controller>` topic for adding controllers to JAAS. PostgreSQL ---------- JIMM uses PostgreSQL as its persistent storage layer. The communication with PostgreSQL can be encrypted via TLS. To enable TLS for charmed PostgreSQL you can follow this `guide `__. .. hint:: As of October 2024, you need to manually restart JIMM if you enable TLS on PostgreSQL after having related the JIMM and PostgreSQL charms.