JAAS: Security Hardening¶
JIMM, the service at the centre of JAAS can be hardened in a number of ways. This document details how you can harden the security of your JAAS deployment.
Hint
As a reference on JAAS security overview, check out this topic.
CORS¶
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a “pre-flight” request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that pre-flight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
To set CORS on JIMM, use the configuration option cors-allowed-origins.
Ingress TLS¶
Please refer here.
Identity Provider¶
JAAS uses the Canonical Identity Platform for authentication. The communication between JAAS and the Identity Platform can be secured via TLS.
You will require the Identity Platform and the self-signed-certificates charm deployed.
See here for deploying the identity platform.
Your Identity Platform will require TLS enabled via the self-signed certificates charm.
Using JIMM’s receive-ca-cert integration, you can now relate to the self-signed-certificates charm
to enabled TLS between the identity platform and JIMM.
OpenFGA¶
JIMM uses OpenFGA for authorisation and currently, the OpenFGA charm does not support TLS. See here.
Vault¶
TLS is enabled by default when communicating with the Vault charm. See here.
JIMM uses Vault for storing cloud credentials, JWKS, and other secrets.
Juju Controllers¶
TLS is enabled by default when communicating with controllers.
When adding a Juju controller to JIMM, the self-signed certificate of the controller is given to JIMM.
Hint
Checkout this topic for adding controllers to JAAS.
PostgreSQL¶
JIMM uses PostgreSQL as its persistent storage layer. The communication with PostgreSQL can be encrypted via TLS. To enable TLS for charmed PostgreSQL you can follow this guide.
Hint
As of October 2024, you need to manually restart JIMM if you enable TLS on PostgreSQL after having related the JIMM and PostgreSQL charms.