Cegal Hub has a robust security model to fit whatever deployment scenario is targeted.

Identity management#

Identity management is central to Cegal Hub for scenarios other than running in local mode.

When running against a remote Cegal Hub Server the default behavior is to have “connector” applications and “client” applications to communicate of behalf of a user. This ensures end-to-end security so that by default only the owner of the “connector” application can make requests of the connector.

This is achieved with use of Cegal Keystone. For more information please see CegalKeystone

Within the local machine#

When Cegal Hub runs in local mode on the local machine the requirement for TLS is relaxed. In this scenario everything is local to user.

Remote scenarios#

When Cegal Hub is deployed in a hybrid mode with a Hub Server deployed on the local network or public cloud it is recommended to secure Cegal Hub Server with TLS.

If Cegal Hub Server is deployed directly on the edge then the server supports flags for the paths to key and cert files.

If deployed behind a proxy such as Caddy, then TLS termination can be done at the reverse proxy. Caddy Server supports automatic fetching of TLS certificates.

Hosted Hub Server offerings from Cegal are TLS secured by default.

TLS certificates#

When running a Hub Server that is publicly accessible over the internet it is important to secure connections to the server with TLS.

There are different methods available to obtain certificates such as

  • Certificate vendors which offer paid certificates

  • Free certificates from certificate authorities such as Lets encrypt

  • Self-signed certificates using OpenSSL

Cegal Hub Server supports using TLS certificates directly or TLS termination can be done at a reverse proxy server.

If the machine running Cegal Hub Server has a public IP address and you own a domain then it is possible to make use of projects such as Caddy Server to obtain automatic TLS certificates.

See Hub Server on Linux for an example of running Cegal Hub Server behind Caddy.