Secure Communication

The 3LC Object Service indexes the sample and metric data that should be made available for browsing and potentially editing in the 3LC Dashboard. The Dashboard communicates with the Object Service via HTTP requests. The Object Service and the Dashboard may run on the same machine but often they run on different machines. Please see the Object Service Deployment Guide for details and options.

The primary source of security for communication between the Dashboard and the Object Service in the 3LC Enterprise On-Prem deployment comes from running the Object Service on a machine that is part of the enterprise network and has no general internet access, so it is not exposed to threats from the open internet.

Shared Authentication Secret

3LC provides a further mechanism to ensure that the Object Service only handles requests from trusted Dashboard instances. This is done by providing an authentication secret to both the Object Service and the Dashboard Service when starting them.

Part of the authentication check done in the Object Service is a comparison of the timestamp of the request, set from the clock of the machine running the Dashboard, against the current time of the machine running the Object Service. A difference of up to five minutes is allowed, which accommodates the delay between a request leaving the Dashboard and reaching the Object Service while still bounding the window in which a captured request could be replayed.

This check can fail if there is significant clock skew (i.e. approaching or exceeding five minutes) between the machine running the Dashboard and the machine running the Object Service. We recommend that both machines synchronize their clocks via NTP so they automatically stay within the allowed window.

The shared authentication secret should be a strong, random string known only to the Dashboard and Object Service. It can be specified via environment variables or via command-line arguments as illustrated in the sections below.
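The following is an added illustration, not 3LC's own code, of the two properties described above: a secret with enough entropy to share between the Dashboard and the Object Service, and a verifier that rejects requests whose timestamp is more than five minutes from the Object Service's clock. The page does not document how the secret is bound to a request on the wire; the HMAC-SHA256 construction, the `sign_request`/`verify_request` names and the sample request body are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Maximum tolerated difference between the Dashboard's timestamp and the
# Object Service's clock; the page states a limit of five minutes.
MAX_SKEW_SECONDS = 300


def generate_auth_secret(nbytes: int = 32) -> str:
    """Return a strong, random, URL-safe string suitable as a shared
    authentication secret (32 bytes gives 256 bits of entropy)."""
    return secrets.token_urlsafe(nbytes)


def sign_request(secret: str, timestamp: int, body: bytes) -> str:
    """Dashboard side. Binds the request timestamp and body to the shared
    secret. HMAC-SHA256 over "<timestamp>.<body>" is an assumed scheme for
    illustration only; it is not 3LC's documented wire format."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_request(secret: str, timestamp: int, body: bytes, signature: str,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Object Service side. Returns (accepted, reason).

    The MAC is compared in constant time so a sender cannot recover the
    secret through timing differences. A request with a valid MAC but a
    timestamp outside the window is still refused: that is the replay
    bound the skew check provides."""
    if now is None:
        now = int(time.time())
    expected = sign_request(secret, timestamp, body)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    skew = abs(now - timestamp)
    if skew > MAX_SKEW_SECONDS:
        return False, f"timestamp skew {skew}s exceeds {MAX_SKEW_SECONDS}s"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one shared secret, one request body, and a fixed
    # "current time" standing in for the Object Service host's clock.
    secret = generate_auth_secret()
    body = b'{"action": "list_tables"}'
    now = 1_700_000_000

    print(verify_request(secret, now, body, sign_request(secret, now, body), now=now))
    # Dashboard clock 4 min 59 s behind: still inside the window.
    ts = now - 299
    print(verify_request(secret, ts, body, sign_request(secret, ts, body), now=now))
    # Dashboard clock 5 min 1 s behind: rejected, the symptom of NTP drift.
    ts = now - 301
    print(verify_request(secret, ts, body, sign_request(secret, ts, body), now=now))
    # Secret mismatch between the two services: rejected.
    print(verify_request("other-secret", now, body, sign_request(secret, now, body), now=now))
```

Running the script shows the third and fourth requests refused: the first for clock skew just past the five-minute limit, the second because the two services were started with different secrets. Both are the failure modes a deployment should expect to see when the environment variable or argument is mistyped on one side or when NTP is not configured.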

Using Environment Variables

  • On the machine where the Object Service will run:

    Linux/macOS (bash):

    export TLC_OBJECT_SERVICE_AUTH_SECRET=<auth_secret>
    3lc service
    
    Windows (cmd):

    set TLC_OBJECT_SERVICE_AUTH_SECRET=<auth_secret>
    3lc service
    
  • On the machine where the Dashboard Service will run:

    Linux/macOS (bash):

    export TLC_OBJECT_SERVICE_AUTH_SECRET=<auth_secret>
    3lc-dashboard
    
    Windows (cmd):

    set TLC_OBJECT_SERVICE_AUTH_SECRET=<auth_secret>
    3lc-dashboard
    

Using Command-Line Arguments

  • On the machine where the Object Service will run:

    3lc service --auth-secret <auth_secret>
    
  • On the machine where the Dashboard Service will run:

    3lc-dashboard --object-service-auth-secret <auth_secret>