SPIKE: Investigate security for EA <-> RPC-Go authentication #11

Open
5 of 7 tasks
mechris1 opened this issue Jan 2, 2024 · 0 comments

mechris1 commented Jan 2, 2024

Need to know if managed devices are Windows only or Windows/Linux. This is with respect to configuring TLS certificates signed by a CA.

  • Windows
  • Linux

For Linux, we can leverage the self-signed cert flow.

EA can currently be deployed on Windows only and supports Microsoft CA only.

  • WebSocket API or HTTP API for EA?
    Should EA have a WebSocket API or HTTP API? Does RPS make just 1 call to EA to get a TLS certificate? If so, then an HTTP API makes sense.

    1. Decided to implement a REST API in the Enterprise Application (EA) to facilitate communication with RPC-GO in an enterprise environment.
    2. Chose REST API over other protocols because there is no continuous data stream expected.
    3. Previously developed a WebSocket for cloud-based deployment, enabling easier access to the RPS with firewalls within the enterprise.
    4. Maintained an established connection so that RPS can communicate with EA as needed.

  • Verify the CSR handling flow for TLS and IEEE 802.1x.
    Will only 1 API be enough for handling both flows?
    An endpoint "/Configure" will be created at EA.

  • TLS Session between EA and RPC-Go

  • Authentication Mechanism for RPC-Go with EA
    Should we use an API Key, JWT Token, or another method for authentication?
    Determine the preferred authentication mechanism and discuss how to pass this information in RPC-GO for secure authentication.
    A few points were discussed regarding Authentication:

    1. There's a need to establish a dedicated authentication server to verify all endpoints across the entire toolkit.
    2. For the time being, we plan to introduce an additional endpoint named 'authentication' within the Enterprise Application (EA) to handle this task.

  • Document findings and review with team
    Discussed with Mike and Ganesh. Updated the meeting notes.

@mechris1 mechris1 converted this from a draft issue Jan 2, 2024
@mechris1 mechris1 moved this from Backlog to Todo in Sprint Planning Jan 2, 2024
@madhavilosetty-intel madhavilosetty-intel self-assigned this Jan 3, 2024
@madhavilosetty-intel madhavilosetty-intel moved this from Todo to In Progress in Sprint Planning Jan 4, 2024
@madhavilosetty-intel madhavilosetty-intel moved this from In Progress to Done in Sprint Planning Jan 19, 2024