The Kaleido Blockchain Application Firewall (BAF) provides rich options for authentication and authorization of application connections to your blockchain resources. The service easily integrates with your existing OpenID provider and allows for low-level blockchain permissions to be embedded in user authentication tokens. BAF provides organizational admins with a single source of truth for end-user role based access control, and allows operators to easily add or rescind permissions within their existing user directories. Additionally, by supporting an OAuth-based authentication flow, the critical application credentials providing secure access to the Kaleido resource endpoints are never exposed.
BAF exposes an API surface for Ethereum JSON-RPC requests and supports the implementation-specific management APIs of go-ethereum, Quorum and Pantheon.
On a per-endpoint or per-namespace basis, each API can be turned on or off so that JSON-RPC requests are accepted or rejected according to those rules.
In an enterprise context, these APIs are typically considered privileged and should be reserved for special users in the administrative roles.
The Blockchain Application Firewall can have a range of potential uses for your organization including:
The Blockchain Application Firewall can be configured to trust your IAM server, whether it's a private instance of Keycloak, Okta, Microsoft Azure Active Directory, or any other system that issues tokens as signed JSON Web Tokens (JWT). This allows users to sign in to blockchain applications with a standard procedure, such as username and password or multi-factor authentication.
Within an organization you may have keys for different teams, keys for different types of operation, or even thousands of keys allocated to individual users of your application. Access to signing with these keys must therefore be restricted to authorized connections, which is what the Blockchain Application Firewall provides. The firewall inspects each JSON-RPC request as it passes through, detects attempts to sign transactions, and authorizes them against a rule set that specifies which keys that connection is allowed to use. This capability works in tandem with your application-level security: you can configure static rules governing access to keys, or dynamic rules carried in JWT tokens issued by your application tier or IAM system.
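The two enforcement points described above (namespace and per-endpoint on/off rules, and the signing-key rule set) can be shown together in one request evaluator. The following is an added example, not the Kaleido firewall's implementation: it takes a JSON-RPC body as the proxy would receive it, applies a per-connection policy of enabled namespaces, disabled individual methods and permitted signing keys, and rejects anything it cannot classify. The positional-parameter conventions for which argument names the signing key follow the go-ethereum JSON-RPC API; the `SAMPLE_CONNECTION` policy and request bodies are constructed, and the policy shape (`namespaces`, `disabled_methods`, `signing_keys`) is this example's own. It also handles JSON-RPC batch arrays, which a firewall must unpack rather than treat as one opaque request.

```python
import json
from typing import Callable, Dict, Tuple

# Which positional parameter carries the key a request wants to sign with.
# Parameter positions follow go-ethereum's JSON-RPC conventions; the mapping itself is this example's.
SIGNING_KEY_EXTRACTORS: Dict[str, Callable[[list], str]] = {
    "eth_sendTransaction": lambda p: p[0]["from"],
    "eth_signTransaction": lambda p: p[0]["from"],
    "eth_sign": lambda p: p[0],
    "personal_sign": lambda p: p[1],
}

# Constructed policy for one connection, as a firewall might derive it from a token or static config.
SAMPLE_CONNECTION = {
    "namespaces": {"eth", "net", "web3", "personal"},    # namespace-level on/off
    "disabled_methods": {"personal_unlockAccount"},        # per-endpoint override inside an enabled namespace
    "signing_keys": {"0xabc0000000000000000000000000000000000001"},  # lower-cased addresses
}


def namespace_of(method: str) -> str:
    # JSON-RPC methods are "<namespace>_<name>", e.g. admin_nodeInfo -> admin.
    return method.split("_", 1)[0]


def evaluate_one(req: dict, conn: dict) -> Tuple[bool, str]:
    method = req.get("method")
    if not isinstance(method, str):
        return False, "malformed request"
    if method in conn["disabled_methods"]:
        return False, f"{method} is disabled"
    ns = namespace_of(method)
    if ns not in conn["namespaces"]:
        return False, f"namespace {ns} is disabled"
    extractor = SIGNING_KEY_EXTRACTORS.get(method)
    if extractor is not None:
        try:
            key = extractor(req.get("params") or [])
        except (IndexError, KeyError, TypeError):
            # Fail closed: a signing request whose key cannot be identified is not forwarded.
            return False, f"{method}: cannot determine signing key, rejecting"
        if not isinstance(key, str) or key.lower() not in conn["signing_keys"]:
            return False, f"{method}: key {key} not permitted for this connection"
    return True, "ok"


def evaluate(raw_body: str, conn: dict) -> Tuple[bool, str]:
    """Decide whether a JSON-RPC request body (single object or batch array) may pass to the node."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return False, "invalid JSON"
    # Batches arrive as arrays: every member must pass, otherwise the whole batch is rejected.
    requests = body if isinstance(body, list) else [body]
    if not requests:
        return False, "empty batch"
    for req in requests:
        if not isinstance(req, dict):
            return False, "malformed batch member"
        ok, reason = evaluate_one(req, conn)
        if not ok:
            return False, reason
    return True, "ok"


if __name__ == "__main__":
    samples = [
        '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}',
        '{"jsonrpc":"2.0","id":2,"method":"admin_nodeInfo","params":[]}',
        '{"jsonrpc":"2.0","id":3,"method":"eth_sendTransaction","params":[{"from":"0xAbC0000000000000000000000000000000000001","to":"0x0000000000000000000000000000000000000002","value":"0x1"}]}',
        '{"jsonrpc":"2.0","id":4,"method":"eth_sendTransaction","params":[{"from":"0x0000000000000000000000000000000000000099"}]}',
    ]
    for body in samples:
        print(evaluate(body, SAMPLE_CONNECTION))
```

Two design points are worth noting. Addresses are compared case-insensitively because the same Ethereum address may arrive checksummed or lower-cased. And `eth_sendRawTransaction` carries no `from` field, since the transaction was signed before it reached the node, so the signing-key rule does not apply to it; that path is governed by the namespace rules and by the application-level security the page describes for pre-signed transactions.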
In applications where each user holds their own identity and key and signs transactions on their web or mobile device, the user must be able to submit pre-signed transactions to the blockchain node. The node's JSON-RPC interface therefore has to be exposed to the application for sending those transactions, which is where the Blockchain Application Firewall comes into play: it provides an additional layer of security for these connections, on top of the default boundary security built into the Kaleido platform.