Cegal Hub has a robust security model to fit whatever deployment scenario is targeted.
Identity management is central to Cegal Hub for scenarios other than running in local mode.
When running against a remote Cegal Hub Server the default behavior is to have “connector” applications and “client” applications to communicate of behalf of a user. This ensures end-to-end security so that by default only the owner of the “connector” application can make requests of the connector.
This is achieved with use of Cegal Keystone. For more information please see CegalKeystone
Within the local machine#
When Cegal Hub runs in local mode on the local machine the requirement for TLS is relaxed. In this scenario everything is local to user.
When Cegal Hub is deployed in a hybrid mode with a Hub Server deployed on the local network or public cloud it is recommended to secure Cegal Hub Server with TLS.
If Cegal Hub Server is deployed directly on the edge then the server supports flags for the paths to key and cert files.
If deployed behind a proxy such as Caddy, then TLS termination can be done at the reverse proxy. Caddy Server supports automatic fetching of TLS certificates.
Hosted Hub Server offerings from Cegal are TLS secured by default.
When running a Hub Server that is publicly accessible over the internet it is important to secure connections to the server with TLS.
There are different methods available to obtain certificates such as
Certificate vendors which offer paid certificates
Free certificates from certificate authorities such as Lets encrypt
Self-signed certificates using OpenSSL
Cegal Hub Server supports using TLS certificates directly or TLS termination can be done at a reverse proxy server.
If the machine running Cegal Hub Server has a public IP address and you own a domain then it is possible to make use of projects such as Caddy Server to obtain automatic TLS certificates.
See Hub Server on Linux for an example of running Cegal Hub Server behind Caddy.