Modern applications rely on commonly used protocols and standards: knowing them thoroughly means being able, when necessary, to write the missing code that integrates applications so that everything plays nicely together.

Besides being able to write scripts or develop applications, this requires having a good understanding of at least:

  • HTTP protocol – knowing the status codes is enough most of the time, but when troubleshooting, a deeper understanding can really help a lot
  • REST API design principles – the vast majority of APIs are REST based. This of course requires being skilled in handling JSON formatted documents
  • SOAP API design principles – although much rarer, you may still have to deal with SOAP APIs. This of course requires being skilled in handling XML formatted documents
  • Commonly used authentication and authorisation frameworks, such as SAML, OpenID, OAuth 2.0 and so on

Besides this, professionals should be familiar with using tools such as curl to connect to API endpoints and issue requests.

Since TLS is nowadays broadly used to secure communications, professionals should also be skilled in TLS, X.509 certificates and PKI.

Take into account that professionals with these skills are quite rare (recruiters know this very well) but are among the most valuable ones, since they act as the glue between "pure" system administration/engineering and development.

While running a Public Key Infrastructure (PKI), the maintenance workload due to enrolling new certificates and renewing existing ones can quickly become overwhelming. Dealing with it manually is not only cumbersome: it is frustrating too. Luckily there are ways to automate the enrollment process by providing online Registration Authority endpoints.

Cloudflare's PKI and TLS Toolkit provides both an online Registration Authority as well as the client software that can be used to automatically enroll new certificates or renew existing ones. The aim of the "Cloudflare's certmgr tutorial - a certmgr howto" blog post is to show how quick and easy it is to set up certmgr, the certificate monitoring and automatic enrollment facility provided by Cloudflare.

The operating environment used in this post is Red Hat Enterprise Linux 9 or Rocky Linux 9 - using a different environment may lead to having to adapt or even change things.


OpenSSL is a full-featured tool capable not only of generating keys and certificates, but also of providing every facility a PKI must have, such as indirect CRLs and OCSP responders: these features, along with certificate best practices such as the Certification Practice Statement (CPS) and publishing the CRL Distribution Points URL, OCSP Responder URL and CA Issuers URL, are the topics of the OpenSSL CA tutorial - A full-featured openssl PKI.


JWT provides a convenient and standard way to securely transport claims from an issuer to its audience over HTTP. It can be used for authentication and authorization purposes, as well as for non-repudiable information exchange. Its ease of setup, along with the advantages of being transportable over a simple plain-text protocol such as HTTP and of being stateless (session data can simply be put inside the claims), has made it broadly adopted by developers whenever it is not worth implementing more cumbersome frameworks such as OpenID or OAuth. In this post we explore JWT and its related standards JWS and JWE.
