Security workflows

Many security-sensitive operations are performed automatically by SeaCat components. These operations are described in detail below.

Onboarding Sequence

New Clients have to complete the onboarding procedure before accessing the Application Backend. Onboarding starts when an Application with the integrated SeaCat SDK launches for the first time (e.g. after Application installation). If the Application has no private key generated, SeaCat SDK generates a private and public key (or obtains them from a different source, e.g. a SIM card) and a Client Certificate Signing Request that carries the hashed Application ID in a Client Certificate Signing Request extension. The Client Certificate Signing Request is sent to SeaCat Gateway. After the Client Certificate Signing Request is approved, the Client Certificate is picked up by the SeaCat SDK periodic check. Once the Client Certificate is obtained from SeaCat Gateway, the Client identity is created. The onboarding sequence is finished, and the Client proceeds to a standard Client Connection.

Onboarding Sequence flow diagram

Standard Client Connection

The Client Certificate is used for authorization and authentication. SeaCat SDK and SeaCat Gateway verify each other's certificate: SeaCat SDK checks that the SeaCat Gateway Certificate is valid and properly signed by SeaCat Root CA; SeaCat Gateway checks that the Client Certificate is valid and whitelisted in the Certificate Authority store. This process is called Mutual Authentication (see the Cryptographic Detail chapter for more details). After successful verification, the Client Connection is established. The Client Connection is closed after the persistence idle timeout.

Standard Client Connection flow diagram

Client Certificate Renewal

When the Client Certificate is near expiration (30 days by default) or already expired, the Client Certificate renewal procedure is automatically initiated by SeaCat SDK. The process is the same as Client onboarding, but the Client public and private keys remain unchanged. When the Client Certificate is not expired, the authorized (standard) Client Connection is used. If the Client Certificate is expired, an anonymous Client Connection is established. Different actions are performed depending on whether the Client Certificate expires or is renewed within the validity period; these actions depend on the SeaCat CA Tool configuration.

For details about SeaCat CA Tool configuration, go to SeaCat CA Tool Configuration chapter.

Client Certificate Renewal flow diagram
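
The renewal decision described above, as an added example (not SeaCat SDK code): given a certificate's notAfter value in the text form OpenSSL prints, it picks the connection type and whether to renew, and groups a constructed client inventory so operators can see which clients have dropped to anonymous connections. The names plan_connection, audit and the sample client IDs are hypothetical, and treating a certificate as still valid at exactly notAfter is an assumption.

```python
import ssl
from typing import NamedTuple

DAY = 86400
RENEW_WINDOW_DAYS = 30  # default stated on this page


class Plan(NamedTuple):
    connection: str  # "authorized" (standard) or "anonymous"
    renew: bool      # True: send a new CSR, reusing the existing key pair


def epoch(openssl_time: str) -> int:
    """Parse the notAfter text form used by OpenSSL and ssl.getpeercert()."""
    # Raises ValueError if the string is malformed or not expressed in GMT.
    return ssl.cert_time_to_seconds(openssl_time)


def plan_connection(not_after: str, now: int,
                    window_days: int = RENEW_WINDOW_DAYS) -> Plan:
    remaining = epoch(not_after) - now
    if remaining < 0:
        # Expired: renewal has to run over an anonymous connection.
        return Plan("anonymous", True)
    if remaining <= window_days * DAY:
        # Still valid but inside the window: renew over the standard connection.
        return Plan("authorized", True)
    return Plan("authorized", False)


def audit(inventory: dict, now: int) -> dict:
    """Group client IDs by plan, e.g. to list clients that are already expired."""
    groups = {}
    for client_id, not_after in sorted(inventory.items()):
        groups.setdefault(plan_connection(not_after, now), []).append(client_id)
    return groups


# Constructed sample inventory (hypothetical client IDs and dates).
SAMPLE = {
    "client-a": "Dec 31 23:59:59 2025 GMT",
    "client-b": "Jun 30 12:00:00 2025 GMT",
    "client-c": "May 20 08:00:00 2025 GMT",
}

if __name__ == "__main__":
    for plan, clients in audit(SAMPLE, epoch("Jun 10 12:00:00 2025 GMT")).items():
        print(plan, clients)
```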

Client Certificate Revocation

If it is necessary to remove access from a particular Application instance (e.g. because the endpoint device is lost), its Client Certificate has to be revoked. Revocation is done using the SeaCat CA Tool.

The flow is as follows:

Client Certificate Revocation flow diagram

Application attempt to connect with a revoked Client Certificate:

Client Certificate Attempt flow diagram

For details about SeaCat CA Tool usage, go to SeaCat CA Tool reference chapter.

SeaCat Gateway Certificate Change

If it is necessary to change the SeaCat Gateway Certificate (e.g. when theft of the SeaCat Gateway private key is suspected), follow this procedure:

SeaCat Gateway Certificate Change diagram

First, obtain a new SeaCat Gateway Certificate by sending a new SeaCat Gateway Certificate Signing Request to with CSR request subject (go to Installation chapter for more information). After the SeaCat Gateway Certificate Signing Request is signed, TeskaLabs changes the Discover Service records, the new SeaCat Gateway name is set, and the new SeaCat Gateway Certificate is configured on SeaCat Gateway. Only when the record in Discover Service and the Common Name of the SeaCat Gateway Certificate match does SeaCat Gateway process Application requests for a particular Application ID.