Securing the Gateway

Edit online

The faspio Gateway uses Transport Layer Security (TLS) to secure your TCP connections and initiate key exchange for the FASP protocol.

Important: TLS is enabled by default on all your bridges. You must provide valid certificates to your Gateways before they can connect.

Configuring TLS

When two Gateways connect to each other, they use Mutual TLS (mTLS) authentication to verify that the traffic is secure and trusted in both directions. mTLS requires a certificate chain, a certificate key, and a verification key on both servers. The following sample is a configuration of two servers that are configured with mTLS:

GW1 Configuration (Client) GW2 Configuration (Server) 
     [[bridge]]
        [bridge.local]
           protocol = "tcp"
               host = "127.0.0.1"
               port = "2000-2001"
        tls_enabled = true
         cert_chain = "tls/gw1_cert_chain.pem"
           cert_key = "tls/gw1_cert_key.pem"
             verify = "tls/verify.pem"

         [bridge.forward]
           protocol = "fasp"
               host = "Gateway2"
               port = "3000-3001"
        tls_enabled = true
         cert_chain = "tls/gw1_cert_chain.pem"
           cert_key = "tls/gw1_cert_key.pem"
             verify = "tls/verify.pem"
host_verify_enabled = true
 
     [[bridge]]
        [bridge.local]
           protocol = "fasp"
               host = "127.0.0.1"
               port = "3000-3001"
        tls_enabled = true
         cert_chain = "tls/gw2_cert_chain.pem"
           cert_key = "tls/gw2_cert_key.pem"
             verify = "tls/verify.pem"

         [bridge.forward]
            protocol = "tcp"
                host = "127.0.0.1"
                port = "4000-4001"
        tls_enabled = true
         cert_chain = "tls/gw2_cert_chain.pem"
           cert_key = "tls/gw2_cert_key.pem"
             verify = "tls/verify.pem"
cert_chain
The relative path to the certificate chain signed by a valid CA.
cert_key
The relative path to the private key that matches the cert chain.
verify
The relative path to the verification key that verifies the other server's chain is signed by the correct CA.
host_verify_enabled
Optionally enforce extra security by requiring that the host field defined in the client's bridge.forward section matches the Common Name in the server's SSL certificate.

Disabling TLS

To disable TLS, add tls_enabled = false to the section for which connection you want to disable TLS. For example, if your faspio Gateway servers and HSTS servers that are run in the same private and secure network, you might consider disabling TLS for those sections only:

GW1 Configuration (Client) GW2 Configuration (Server) 
     [[bridge]]
        [bridge.local]
           protocol = "tcp"
               host = "127.0.0.1"
               port = "2000-2001"
         tls_enabled = false

         [bridge.forward]
           protocol = "fasp"
               host = "Gateway2"
               port = "3000-3001"
        tls_enabled = true
         cert_chain = "tls/gw1_cert_chain.pem"
           cert_key = "tls/gw1_cert_key.pem"
             verify = "tls/verify.pem"
host_verify_enabled = true
 
     [[bridge]]
        [bridge.local]
           protocol = "fasp"
               host = "127.0.0.1"
               port = "3000-3001"
        tls_enabled = true
         cert_chain = "tls/gw2_cert_chain.pem"
           cert_key = "tls/gw2_cert_key.pem"
             verify = "tls/verify.pem"

         [bridge.forward]
            protocol = "tcp"
                host = "127.0.0.1"
                port = "4000-4001"
         tls_enabled = false

Enabling FIPS

In faspio Gateway, FIPS (Federal Information Processing Standards) is disabled by default. To enable FIPS, set the fips_enabled flag to true in the /etc/faspio-gateway/gateway.toml file. Additionally, you can specify a custom path to the OpenSSL configuration file using the openssl_config option in the [general] section.

# /etc/faspio-gateway/gateway.toml
[general]
    fips_enabled    = true
    openssl_config  = "/tmp/openssl.cnf"
Using the default path
  1. Set the fips_enabled flag to true in the gateway.toml file:
    # /etc/faspio-gateway/gateway.toml
[general]
    fips_enabled  = true
  2. Start the gateway.
Using a custom path and custom configuration
  1. Set the fips_enabled flag to true in the gateway.toml file:
    # /etc/faspio-gateway/gateway.toml
[general]
    fips_enabled  = true
  2. Place your custom openssl.cnf file in a location that is accessible to the system user. For example /tmp/openssl.cnf. Include the path in the gateway.toml file:
    $ cat /etc/faspio-gateway/gateway.toml
[general]
       ...
       fips_enabled   = true
    openssl_config  = "/tmp/openssl.cnf"
  3. Move the fipsmodule.cnf file from its default installation location /etc/faspio-gateway/fipsmodule.cnf to a new location that is accessible to the system user. For example /tmp/fipsmodule.cnf. Add the full path to the openssl.cnf file:
    $ grep "^\.include" /tmp/openssl.cnf
.include /tmp/fipsmodule.cnf
  4. Start the gateway.