Intercomponent Communication

For communication, system:inmation components use an optimized custom protocol on top of a TCP/IP networking stack. The communication channel between two components can be configured to use different combinations of encryption, authentication, and authorization. On the network connection level, secure communication can be ensured by enabling the Transport Layer Security (TLS) protocol (IETF RFC 5246) together with Secure Remote Password (SRP) authentication (IETF RFC 5054) or X.509-certificate-based authentication, respectively denoted TLS-SRP/TLS-X.509 in this document. The available security modes in system:inmation are shown in the table below.

Table 1. Security Modes in system:inmation

| Mode | Authentication | Key Exchange | Data Privacy | Data Integrity | Overall Strength |
|---|---|---|---|---|---|
| None | None | n/a | Obfuscation | None | None |
| Passphrase | Passphrase match | n/a | Obfuscation | None | Weak |
| TLS-SRP | SRP | SRP | TLS (AES-256) | TLS (SHA-1) | Strong |
| TLS-X.509 | RSA (X.509 Certificates) | ECDHE | TLS (AESGCM-256) | TLS (AEAD) | Strong |

None

Uses fast proprietary obfuscation for data privacy and has no authentication. It is adequate only in a fully trusted environment.

Passphrase

Uses fast proprietary data obfuscation and authenticates via a matching passphrase. It is adequate when the privacy and integrity of data are of little concern, but unauthorized access must be prevented.

TLS-SRP

Uses a strong cryptographic protocol (TLS 1.2) and Secure Remote Password authentication.

TLS-X.509

Uses a strong cryptographic protocol (TLS 1.2) and X.509-certificate-based authentication (based on Microsoft Windows AD).
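The password-authenticated key exchange that the TLS-SRP mode relies on is SRP-6a as profiled in RFC 5054. The following is an added illustration of that exchange, written for this page; it is not code from this documentation or from system:inmation. It follows the RFC 5054 formulas (SHA-1, the same hash the table lists for integrity; the 1024-bit group from RFC 5054 Appendix A with generator 2). The user name, password and salt are constructed sample values, and the class and function names are this example's own. It shows both sides' messages, that the server keeps only a salt and a verifier rather than the password, and that the two sides arrive at the same premaster secret only when the offered password matches the enrolled one.

```python
import hashlib
import secrets

# Group parameters: the 1024-bit group from RFC 5054, Appendix A (generator 2).
# Production deployments prefer the larger groups; the algebra is identical.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_BYTES = (N.bit_length() + 7) // 8  # 128


def pad(x: int) -> bytes:
    """PAD(x) from RFC 5054: left-pad x to the byte length of N."""
    return x.to_bytes(N_BYTES, "big")


def H(*parts: bytes) -> int:
    """SHA-1 over the concatenation, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter: k = SHA1(N | PAD(g))


def make_verifier(username: bytes, password: bytes, salt: bytes) -> int:
    """Enrolment step: x = SHA1(s | SHA1(I | ":" | P)), v = g^x mod N.
    The server stores (salt, v) and never needs the password again."""
    x = H(salt, hashlib.sha1(username + b":" + password).digest())
    return pow(g, x, N)


class SrpClient:
    def __init__(self, username: bytes, password: bytes):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1  # ephemeral private value
        self.A = pow(g, self.a, N)             # public value sent to the server

    def client_hello(self):
        """The identity travels in ClientHello, A in ClientKeyExchange."""
        return self.username, self.A

    def premaster(self, salt: bytes, B: int) -> int:
        if B % N == 0:
            raise ValueError("illegal server public value B")  # RFC 5054 abort rule
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("illegal scrambling parameter u")
        x = H(salt, hashlib.sha1(self.username + b":" + self.password).digest())
        # S = (B - k * g^x) ^ (a + u * x) mod N
        base = (B - k * pow(g, x, N)) % N
        return pow(base, self.a + u * x, N)


class SrpServer:
    def __init__(self, username: bytes, salt: bytes, verifier: int):
        self.username, self.salt, self.v = username, salt, verifier
        self.b = secrets.randbelow(N - 2) + 1  # ephemeral private value
        self.A = self.B = None

    def server_key_exchange(self, username: bytes, A: int):
        """Answers the client with (salt, B); B = k*v + g^b mod N."""
        if username != self.username:
            raise ValueError("unknown user")
        if A % N == 0:
            raise ValueError("illegal client public value A")  # RFC 5054 abort rule
        self.A = A
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def premaster(self) -> int:
        u = H(pad(self.A), pad(self.B))
        # S = (A * v^u) ^ b mod N
        return pow(self.A * pow(self.v, u, N) % N, self.b, N)


def run_handshake(enrolled_password: bytes, offered_password: bytes):
    """Drive both sides and return (client premaster, server premaster)."""
    user = b"connector01"             # constructed identity
    salt = secrets.token_bytes(16)    # constructed per-user salt
    server = SrpServer(user, salt, make_verifier(user, enrolled_password, salt))
    client = SrpClient(user, offered_password)
    ident, A = client.client_hello()
    s, B = server.server_key_exchange(ident, A)
    return client.premaster(s, B), server.premaster()


def passwords_agree(enrolled: bytes, offered: bytes) -> bool:
    """True only when both sides derived the same premaster secret."""
    c, s = run_handshake(enrolled, offered)
    return c == s


if __name__ == "__main__":
    print("matching password:", passwords_agree(b"secret", b"secret"))
    print("wrong password:   ", passwords_agree(b"secret", b"guess"))
```

Because the server-side value is a verifier, a compromised configuration store on the passive side does not yield the passphrase itself, which is the property that separates this mode from the passphrase mode above; the premaster secret is then fed into the normal TLS 1.2 key schedule.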

By default, only the TLS communication modes are available on the system. To use 'none' or 'passphrase', this restriction can be lifted by disabling the 'Encrypted Connections Only' option in the Communication section of the Root Object configuration.

These security modes can be combined with the following connection modes:

Passive

The remote component listens for incoming connection requests from the Core service.

Active

The remote component actively sends connection requests to the Core service.

The supported combinations of connection and security modes for Active and Passive components are shown in the two tables below:

Table 2. Active Component - Connection and Security Modes

| Active | Connector | Server | Relay | WebAPI | DataStudio | Local Core |
|---|---|---|---|---|---|---|
| None | Supported[1] | Supported[2] | Supported[1] | Supported[3] | Supported[3] | Supported[1] |
| Passphrase | Supported[1] | Supported[2] | Supported[1] | Supported[3] | Supported[3] | Supported[1] |
| TLS-SRP | Supported[1] | Supported[1] | Supported[1] | Supported[3] | Supported[3] | Supported[1] |
| TLS-X.509 | Supported | Not Supported | Supported | Not Supported | Not Supported | Supported |

Table 3. Passive Component - Connection and Security Modes

| Passive | Connector | Server | Relay | WebAPI | DataStudio | Local Core |
|---|---|---|---|---|---|---|
| None | Supported[1] | Not Applicable | Supported[1] | Not Applicable | Not Applicable | Not Applicable |
| Passphrase | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable |
| TLS-SRP | Supported[1] | Not Applicable | Supported[1] | Not Applicable | Not Applicable | Not Applicable |
| TLS-X.509 | Supported | Not Applicable | Supported | Not Applicable | Not Applicable | Not Applicable |

[1] Uses a fixed role model for authorization.

[2] Uses a fixed role model to authorize server-to-server communications and the Core security model to authorize user-initiated actions.

[3] Uses the Core security model for authorization.