Home
MATRIXX Security
Network Security
Network zones are stacked with increasing proximity to the open internet or DMZ. Each zone is traversed by ingress and egress points through an application or server, with appropriate authentication and authorization for connecting system traffic.
SBA Gateway Security
SBA Gateway supports TLS Mutual Authentication.
Retrieve Keys from a Kubernetes Secret
Retrieve TLS certificates from a Kubernetes secret added with a configuration source to the /opt/mtx/conf/keystore directory.

Welcome
MATRIXX Release Notes
MATRIXX Architecture
MATRIXX Installation and Upgrade
MATRIXX Configuration
MATRIXX Security
- About MATRIXX Security
- Introduction to MATRIXX Cloud Native Security
  The information in MATRIXX Security is best-practice information and identifies MATRIXX-specific security considerations and implementations. For container-specific and Kubernetes security information, see the third-party documentation.
- Cloud Native Security
  The information here addresses cloud native security and includes recommendations for securing your cloud native implementation.
- Managing Certificates
  MATRIXX uses certificates signed by a trusted certificate authority, or validated by other means, to establish secure communications with another party with the corresponding private key.
- Enabling Transport Layer Security
  Transport Layer Security (TLS) provides secure internet connections by encrypting data sent between a browser, a website, and the website server to ensure that data is transmitted privately.
- Network Security
  Network zones are stacked with increasing proximity to the open internet or DMZ. Each zone is traversed by ingress and egress points through an application or server, with appropriate authentication and authorization for connecting system traffic.
  - MATRIXX Gateway Proxy
    MATRIXX includes Gateway Proxy that acts as a secure entry point for all network traffic that is not the result of subscriber usage. It sits between external applications and the Traffic Routing Agent (TRA).
  - RS Gateway Security
    RS Gateway uses Spring Security to authenticate clients using login ID and password credentials.
  - Business API Gateway Security
    The Business API Gateway is a development framework that includes the Business API SDK, Rest Services Gateway (RS Gateway), Gateway Proxy, and application tier. It allows custom mobile applications, Web clients, and other custom implementations to integrate with MATRIXX.
  - SBA Gateway Security
    SBA Gateway supports TLS Mutual Authentication.
    - Public Key Infrastructure for TLS/OAuth 2.0
      The following instructions provide examples of how to configure a Public Key Infrastructure (PKI) for use with SBA Gateway network functions.
    - Retrieve Keys from a Kubernetes Secret
      Retrieve TLS certificates from a Kubernetes secret added with a configuration source to the /opt/mtx/conf/keystore directory.
  - TMF Gateway Security
    TMF Gateway supports HTTP authentication through a configurable authorization URL.
  - TRA Security
    This section describes the general security configuration requirements for Traffic Routing Agent (TRA). These security requirements apply when virtual servers are defined and specified as secured.
  - Self-Signed Certificate Detection and Handling
    While self-signed certificates can be used in controlled environments such as internal testing, because they are not verified by a trusted certificate authority (CA) they must not be used in production environments. If the use of a self-signed certificate is intentional, such as for testing purposes, the MDC Gateway and Traffic Routing Agent (TRA) components include ways to override default handling.
  - Network Security Checklist
    The following is a list of best practices for network design and configuration.
- Application Security
  Application security includes configuring web applications and gateways.
- Database Security
  Depending on your MATRIXX environment, you can use multiple external databases.
- OAuth 2.0 Identity and Access Management
  MATRIXX supports third-party identity and access management application integration.
MATRIXX Integration
MATRIXX Diameter Integration
MATRIXX Call Control Framework Integration
MATRIXX TM Forum Integration
MATRIXX 5G Integration
MATRIXX 5G Event Streaming
MATRIXX Event Streaming
MATRIXX Administration
MATRIXX Web App Administration
MATRIXX Monitoring and Logging
MATRIXX Policy
MATRIXX Kafka CDR Consumer
MATRIXX Pricing and Rating
MATRIXX Pay Now
MATRIXX Subscriber Management
MATRIXX Subscriber Management API
MATRIXX Business API SDK
My MATRIXX Help
MATRIXX Backoffice Customer Tool Help
MATRIXX Third-Party Licenses
Glossary

Retrieve Keys from a Kubernetes Secret

Retrieve TLS certificates from a Kubernetes secret added with a configuration source to the /opt/mtx/conf/keystore directory.

Procedure

Enable use of Kubernetes secrets with the following configuration in gateway.yaml:

#Set the security type to cert the default is keyStore
securityType: cert
#Give the name of the secret that will be created in Kubernetes
security:
  certificate:
    secretName: ""

Create the Kubernetes secret with the following kubectl create secret command:
```
kubectl create secret tls name_of_secret \
  --cert=cert.crt \
  --key=cert.key
```
The name of the Kubernetes secret must meet the following requirements:
- Must consist of lower case alphanumeric characters.
- Must contain a hyphen (-) or a period (.).
- Must end with an alphanumeric character.

Add certificates for the Vertx server by creating a certificate and a key file with commands similar to the following:

Warning: Use self-signed certificates for development and integration testing only.

# generate the RSA key, protected without a password:
openssl genpkey -out cert.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048

# generate a self-signed certificate using the cert key
openssl req -nodes -key cert.key -x509 -sha256 -days 3650 -out cert.crt \
 -subj "/C=US/ST=CA/L=SJ/O=Matrixx/OU=Eng/CN=example.com/emailAddress=user@host" \
 -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"

# generate the RSA key, protected without a password:
openssl genpkey -out trustcert.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048

# generate a self-signed certificate using the trust cert key
openssl req -nodes -key trustcert.key -x509 -sha256 -days 3650 -out trustcert.crt \
 -subj "/C=US/ST=CA/L=SJ/O=Matrixx/OU=Eng/CN=example.com/emailAddress=user@host" \
 -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"

Results

The default location for certsPath and keyPath is /opt/mtx/conf/keystore. The following YAML structure defines the certificates and key:

cert:
  certPath: /opt/mtx/conf/keystore/cert.crt
  keyPath: /opt/mtx/conf/keystore/cert.key
trustcert:
  certPath: /opt/mtx/conf/keystore/trustcert.crt
  keyPath: /opt/mtx/conf/keystore/trustcert.key

For information about adding the Kubernetes secret to your MATRIXX deployment, see the discussion about configuration sources in MATRIXX Installation and Upgrade.