GITBOOK-1333: change request with no subject merged in GitBook
mrinalwadhwa authored and gitbook-bot committed Feb 12, 2024
1 parent 522310c commit 7ef43db
Showing 4 changed files with 14 additions and 14 deletions.
16 changes: 8 additions & 8 deletions how-does-ockam-work.md
Expand Up @@ -41,7 +41,7 @@ ockam enroll

The first step is to install Ockam Command and enroll. The commands below can be run in a production setup with two machines in two different networks or in a dev environment on a single machine. If you’re doing this on two machines, install and enroll on both machines.

The enroll command creates a new [vault](reference/protocols/keys.md) and generates a cryptographic [<mark style="color:blue;">identity</mark>](reference/protocols/identities.md) with private keys stored in that vault. It then guides you to sign in to Ockam Orchestrator.
The enroll command creates a new [<mark style="color:blue;">vault</mark>](reference/protocols/keys.md) and generates a cryptographic [<mark style="color:blue;">identity</mark>](reference/protocols/identities.md) with private keys stored in that vault. It then guides you to sign in to Ockam Orchestrator.

If this is your first time signing in, the Orchestrator creates a new dedicated project for you. A project offers two services: a membership [<mark style="color:blue;">authority</mark>](reference/protocols/identities.md#credentials) and a [<mark style="color:blue;">relay</mark>](reference/protocols/routing.md#relay) service.
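Review bot: repeating `<mark style="color:blue;">` inline on every link (here on `vault`, to match the `identity` link beside it) is brittle; a stylesheet rule on links would give the same colour without hand-editing each occurrence, and `<mark>` carries highlight semantics that assistive technology may read out. If GitBook requires the inline form, check the rest of the file for remaining plain `[text](path)` links so the styling ends up consistent.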

Expand All @@ -68,11 +68,11 @@ When this outlet receives messages from corresponding inlets, it unwraps all [<m

Next, create a relay in your project at address: _postgres_.

This command first creates an outgoing tcp connection from inside Bank Corp. to your project. It then creates a [secure channel](reference/protocols/secure-channels.md) to your project over this tcp connection. This succeeds because Bank Corp’s network allows outgoing tcp connections to the Internet, and your Orchestrator project’s secure channel listener allows channels with project members.
This command first creates an outgoing tcp connection from inside Bank Corp. to your project. It then creates a [<mark style="color:blue;">secure channel</mark>](reference/protocols/secure-channels.md) to your project over this tcp connection. This succeeds because Bank Corp’s network allows outgoing tcp connections to the Internet, and your Orchestrator project’s secure channel listener allows channels with project members.

Over this secure channel, the command then asks the relay service to create a [<mark style="color:blue;">relay</mark>](reference/protocols/routing.md#relay) at address: _postgres_. The relay is created because the [<mark style="color:blue;">access control</mark>](reference/protocols/access-controls.md) on the relay service allows authenticated project administrators to create relays at any address. When this relay receives messages, it routes them to the outlet node through the previously created secure channel and underlying tcp connection.

The default [access control](reference/protocols/access-controls.md) on the outlet and the relay only allow messages from project members who have authenticated through a secure channel by presenting a [<mark style="color:blue;">credential</mark>](reference/protocols/identities.md#credentials) from the project membership authority that attests their [<mark style="color:blue;">identifier</mark>](reference/protocols/identities.md#identities) is a member of the project.
The default [<mark style="color:blue;">access control</mark>](reference/protocols/access-controls.md) on the outlet and the relay only allow messages from project members who have authenticated through a secure channel by presenting a [<mark style="color:blue;">credential</mark>](reference/protocols/identities.md#credentials) from the project membership authority that attests their [<mark style="color:blue;">identifier</mark>](reference/protocols/identities.md#identities) is a member of the project.

<div data-full-width="true">
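Review bot: the changed line "The default access control on the outlet and the relay only allow messages" has a subject-verb agreement slip; the subject is "access control", so it should read "only allows messages", as the corresponding sentence about the inlet later in this file already does. Worth fixing while the line is being touched.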

Expand All @@ -88,11 +88,11 @@ ockam tcp-inlet create --from 15432 --to postgres

In Analysis Corp.’s Azure VNet, on the machine that has the postgres client, create a tcp portal inlet.

The inlet first creates a tcp listener on localhost port _15432_. It then creates an outgoing tcp connection from inside Analysis Corp. to your project. Next, it creates a [secure channel](reference/protocols/secure-channels.md) to your project over this tcp connection. Finally, it creates an end-to-end secure channel to the outlet node in Bank Corp. through the relay in your project at address: _postgres._
The inlet first creates a tcp listener on localhost port _15432_. It then creates an outgoing tcp connection from inside Analysis Corp. to your project. Next, it creates a [<mark style="color:blue;">secure channel</mark>](reference/protocols/secure-channels.md) to your project over this tcp connection. Finally, it creates an end-to-end secure channel to the outlet node in Bank Corp. through the relay in your project at address: _postgres._

Over this end-to-end secure channel the inlet creates a **portal** with the outlet.

All secure channels are mutually authenticated and all messages are checked for authorization. The default [access control](reference/protocols/access-controls.md) on the inlet only allows messages from project members who have authenticated through a secure channel by presenting a [<mark style="color:blue;">credential</mark>](reference/protocols/identities.md#credentials) from the project membership authority that attests their [<mark style="color:blue;">identifier</mark>](reference/protocols/identities.md#identities) is a member of the project.
All secure channels are mutually authenticated and all messages are checked for authorization. The default [<mark style="color:blue;">access control</mark>](reference/protocols/access-controls.md) on the inlet only allows messages from project members who have authenticated through a secure channel by presenting a [<mark style="color:blue;">credential</mark>](reference/protocols/identities.md#credentials) from the project membership authority that attests their [<mark style="color:blue;">identifier</mark>](reference/protocols/identities.md#identities) is a member of the project.

<div data-full-width="true">
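Review bot: on the changed line the trailing period sits inside the emphasis in `_postgres._`, which renders an italic period and breaks the pattern used earlier in the same sentence (`_15432_`); it should be `_postgres_.`.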

Expand All @@ -108,9 +108,9 @@ psql --host localhost --port 15432

In Analysis Corp.’s Azure VNet, connect with the **virtually adjacent** postgres on _localhost:15432_.

When a tcp connection is created with this inlet at _localhost:15432,_ it wraps tcp segments in [routing](reference/protocols/routing.md) messages and sends them through the portal. Messages are encrypted inside Analysis Corp. and decrypted only when they are inside Bank Corp. The outlet in Bank Corp. unwraps routing information and sends raw tcp segments to the tcp server.
When a tcp connection is created with this inlet at _localhost:15432,_ it wraps tcp segments in [<mark style="color:blue;">routing</mark>](reference/protocols/routing.md) messages and sends them through the portal. Messages are encrypted inside Analysis Corp. and decrypted only when they are inside Bank Corp. The outlet in Bank Corp. unwraps routing information and sends raw tcp segments to the tcp server.

The outlet sends response segments from the tcp server back through the portal. Response messages are encrypted inside Bank Corp. and decrypted only when they are inside Analysis Corp. The inlet unwraps all [routing](reference/protocols/routing.md) information and sends raw tcp response segments to the tcp client.
The outlet sends response segments from the tcp server back through the portal. Response messages are encrypted inside Bank Corp. and decrypted only when they are inside Analysis Corp. The inlet unwraps all [<mark style="color:blue;">routing</mark>](reference/protocols/routing.md) information and sends raw tcp response segments to the tcp client.

<div data-full-width="true">
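Review bot: on the changed line the comma is inside the emphasis in `_localhost:15432,_`; move it outside so it reads `_localhost:15432_,`. Since this paragraph says messages are decrypted only once inside Bank Corp., stating outright that the relay in the Orchestrator project therefore forwards only ciphertext would make the end-to-end claim explicit for readers evaluating the trust model.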

Expand All @@ -126,7 +126,7 @@ We ran a few simple commands to securely connect with a micro-service in another

In this example, we used a postgres server and client. However, the same commands work for any tcp server and client, such as an http server serving an api built with express or django. We have to adjust some port numbers, but other than that, the tcp server and client remain unchanged. Ockam runs as a companion next to the server and its clients.

Sensitive business data in the postgres database is only accessible to Bank Corp. and Analysis Corp. All data is [encrypted](reference/protocols/secure-channels.md) with strong forward secrecy as it moves through the Internet. The communication channel is [<mark style="color:blue;">mutually authenticated</mark>](reference/protocols/secure-channels.md) and [<mark style="color:blue;">authorized</mark>](reference/protocols/access-controls.md). Keys and credentials are automatically rotated. Access to connect with postgres can be easily revoked.
Sensitive business data in the postgres database is only accessible to Bank Corp. and Analysis Corp. All data is [<mark style="color:blue;">encrypted</mark>](reference/protocols/secure-channels.md) with strong forward secrecy as it moves through the Internet. The communication channel is [<mark style="color:blue;">mutually authenticated</mark>](reference/protocols/secure-channels.md) and [<mark style="color:blue;">authorized</mark>](reference/protocols/access-controls.md). Keys and credentials are automatically rotated. Access to connect with postgres can be easily revoked.

Analysis Corp. does not get unfettered access to Bank Corp.’s network. It gets access only to run queries on the postgres server. Bank Corp. does not get unfettered access to Analysis Corp.’s network. It gets access only to respond to queries over a tcp connection. Bank Corp. cannot initiate connections.
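Review bot: "Keys and credentials are automatically rotated" and "Access to connect with postgres can be easily revoked" are the only security claims in this paragraph without a reference link, while `encrypted`, `mutually authenticated` and `authorized` each link to the protocol docs; linking them (reference/protocols/identities.md#credentials is already used elsewhere in this file for credentials) would let a reader verify the rotation and revocation mechanisms behind the claims.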

2 changes: 1 addition & 1 deletion portals/databases/README.md
Expand Up @@ -14,7 +14,7 @@ layout:

# Databases

This section contains hands-on examples that use [Ockam](../../) to create **encrypted portals** to various databases running in various environments.
This section contains hands-on examples that use [<mark style="color:blue;">Ockam</mark>](../../) to create **encrypted portals** to various databases running in various environments.

In each example, we connect a nodejs app in one private network with a database in another private network. To understand how end-to-end trust is established, and how the portal works even though the two networks are isolated with no exposed ports, please read: “[<mark style="color:blue;">How does Ockam work?</mark>](../../how-does-ockam-work.md)
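Review bot: the context line ending "please read: “[How does Ockam work?](../../how-does-ockam-work.md)" opens a curly quote that is never closed; either add the closing ” after the link or drop the opening quote. Not introduced by this hunk, but the line is adjacent and cheap to fix in the same change.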

2 changes: 1 addition & 1 deletion portals/databases/postgres/README.md
Expand Up @@ -14,7 +14,7 @@ layout:

# PostgreSQL

This section contains hands-on examples that use [Ockam](../../../) to create **encrypted portals** to postgres database running in various environments.
This section contains hands-on examples that use [<mark style="color:blue;">Ockam</mark>](../../../) to create **encrypted portals** to postgres database running in various environments.

In each example, we connect a nodejs app in one private network with a postgres database in another private network. To understand how end-to-end trust is established, and how the portal works even though the two networks are isolated with no exposed ports, please read: “[<mark style="color:blue;">How does Ockam work?</mark>](../../../how-does-ockam-work.md)
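Review bot: the changed line reads "encrypted portals to postgres database running in various environments"; an article is missing ("to a postgres database" or "to postgres databases"), whereas the sibling file portals/databases/README.md phrases the same sentence as "to various databases". The following context line also has the same unclosed “ quote before the "How does Ockam work?" link as in that sibling file.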
