
Authentication

Seer Box Sentinel can send HTTP traffic data and alerts over the Internet to a Seer Box Engine. To safeguard sensitive information in transit and ensure it reaches only the intended destination, Sentinel uses HTTPS with X.509 certificate validation: the data is encrypted and the identity of the Seer Box Engine is confirmed, preventing unauthorized access and man-in-the-middle attacks.

Certificate authentication

Sentinel uses a Trust On First Use (TOFU) authentication scheme: when no certificate is configured, a connection is made to the Seer Box Engine instance specified by SBX_ENGINE_HOST and SBX_ENGINE_PORT in the configuration, the certificate it exposes is downloaded and trusted for all subsequent connections, and connections to servers exposing a different certificate are refused.

It's important to verify that the first connection is made to the correct host. To facilitate validation, when a new certificate is installed its fingerprint is printed in the Sentinel logs for inspection.
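The TOFU behaviour described above, as an added example that is not Sentinel's own code: tofu_decide pins the first certificate seen, accepts only a byte-identical certificate afterwards and refuses anything else, while tofu_connect (an assumed helper, not part of the product) fetches the certificate from the configured host and port and prints the fingerprint so it can be compared with the server logs. CERT_A and CERT_B are constructed stand-ins for real certificates.

```python
import hashlib
import hmac
import ssl
from pathlib import Path

class CertificateMismatch(Exception):
    """The server presented a certificate other than the pinned one."""

def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as `openssl x509 -fingerprint -sha256` prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def tofu_decide(pinned_pem, presented_pem):
    """Trust On First Use decision for one connection attempt.

    pinned_pem is the stored PEM string or None on first contact.
    Returns ("pinned", fp) on first contact (the caller must persist presented_pem)
    or ("match", fp) when the presented certificate is byte-identical to the pinned
    one. Any other certificate raises CertificateMismatch: a changed certificate is
    refused even if it would otherwise be valid, which is what makes TOFU pinning.
    """
    presented_der = ssl.PEM_cert_to_DER_cert(presented_pem)
    presented_fp = fingerprint_sha256(presented_der)
    if pinned_pem is None:
        return "pinned", presented_fp
    pinned_der = ssl.PEM_cert_to_DER_cert(pinned_pem)
    if hmac.compare_digest(pinned_der, presented_der):
        return "match", presented_fp
    raise CertificateMismatch(
        f"pinned {fingerprint_sha256(pinned_der)} but server presented {presented_fp}")

def tofu_connect(host: str, port: int, store: Path):
    """Assumed helper: fetch the certificate exposed at host:port (the values of
    SBX_ENGINE_HOST / SBX_ENGINE_PORT), apply the TOFU decision, persist the
    certificate in `store` on first contact and log its fingerprint for inspection."""
    presented_pem = ssl.get_server_certificate((host, port))
    pinned_pem = store.read_text() if store.exists() else None
    decision, fp = tofu_decide(pinned_pem, presented_pem)
    if decision == "pinned":
        store.write_text(presented_pem)
        print(f"New certificate pinned. Fingerprint: {fp} (compare with seer-box-gui logs)")
    return decision, fp

# Constructed stand-ins for the Engine certificate: PEM wrappers around arbitrary
# bytes, which is all the pinning logic needs; a real deployment sees X.509 DER.
CERT_A = ssl.DER_cert_to_PEM_cert(b"constructed-engine-certificate-A")
CERT_B = ssl.DER_cert_to_PEM_cert(b"constructed-engine-certificate-B")
```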

When using the Seer Box GUI reverse proxy for the Seer Box Engine API (by default on port 53443 TCP), you can verify that Sentinel downloaded the correct certificate by looking at the seer-box-gui logs on the server where the Seer Box GUI is running:

journalctl -u seer-box-gui | grep Fingerprint

Or the container logs:

docker logs seer_box_gui | grep Fingerprint

If you are not using the reverse proxy provided by Seer Box GUI, check the certificate configuration of your own reverse proxy instead.

To configure a different certificate you can delete the old one by removing the container volume in which it is stored:

podman volume rm sentinel_certs

You can also force a specific certificate by mounting its PEM file directly, for example:

podman run \
--rm \
--env-file .env \
--network host \
--volume ./your-certificate.crt:/opt/seer_box/etc/tls/certs/seer-box.crt:Z \
quay.io/pluribus_one/seer_box_sentinel:latest

Authentication Key

Seer Box Engine verifies that a Sentinel trying to connect is authorized to send data by checking the SBX_ENGINE_AUTH_KEY passed along with the HTTP requests.

To allow a Sentinel, the same SBX_ENGINE_AUTH_KEY value used in the Sentinel configuration must be set up as a valid Authentication Key on Seer Box Engine. To do so, in the Seer Box GUI navigate to Settings->Traffic Sources->Add Traffic Source, choose the Seer Box Sentinel type in the form and enter the SBX_ENGINE_AUTH_KEY value in Authentication Key.