Authentication
Okta OAuth 2.0 with PKCE, JWT tokens, and automatic refresh for License Server Detail.
Security Overview
This document provides an overview of security considerations for deploying and operating License Monitor and License Server Detail in production environments.
Security Model
Section titled “Security Model”The License Management stack implements defense in depth with multiple layers of security:
┌─────────────────────────────────────────────────────────────────────┐│ Security Layers │├─────────────────────────────────────────────────────────────────────┤│ ││ ┌───────────────────────────────────────────────────────────────┐ ││ │ Network Security │ ││ │ • Firewalls • Network segmentation • TLS encryption │ ││ └───────────────────────────────────────────────────────────────┘ ││ ││ ┌───────────────────────────────────────────────────────────────┐ ││ │ Application Security │ ││ │ • Authentication • Authorization • Input validation │ ││ └───────────────────────────────────────────────────────────────┘ ││ ││ ┌───────────────────────────────────────────────────────────────┐ ││ │ API Security │ ││ │ • API keys • Rate limiting • CORS • Request validation │ ││ └───────────────────────────────────────────────────────────────┘ ││ ││ ┌───────────────────────────────────────────────────────────────┐ ││ │ Data Security │ ││ │ • Encryption at rest • Encrypted transport • Log redaction │ ││ └───────────────────────────────────────────────────────────────┘ ││ │└─────────────────────────────────────────────────────────────────────┘Security Features
Section titled “Security Features”API Security
API key authentication, rate limiting, and CORS protection for License Monitor.
Encryption
TLS 1.2/1.3 for transport, AES-GCM for client-side token storage.
Audit Logging
Comprehensive logging with sensitive data redaction.
Component Security Summary
Section titled “Component Security Summary”License Monitor
Section titled “License Monitor”| Security Feature | Default | Configurable |
|---|---|---|
| API Key Authentication | Disabled | Yes |
| Rate Limiting | 60 req/min | Yes |
| CORS | Disabled | Yes |
| TLS | Disabled (use reverse proxy) | Via proxy |
| Bind Address | localhost (127.0.0.1) | Yes |
| Public Bind | Blocked | Requires explicit flag |
License Server Detail
Section titled “License Server Detail”| Security Feature | Default | Configurable |
|---|---|---|
| OAuth Authentication | Required (Okta) | Yes |
| Session Management | JWT with refresh | Yes |
| CSRF Protection | Enabled | - |
| XSS Protection | Enabled | - |
| Token Encryption | AES-GCM | - |
| HTTPS | Required in production | - |
Security Zones
Section titled “Security Zones”Recommended Network Architecture
Section titled “Recommended Network Architecture”┌─────────────────────────────────────────────────────────────────┐│ Internet │└────────────────────────────┬────────────────────────────────────┘ │ ┌────────┴────────┐ │ Firewall │ │ (Port 443 only)│ └────────┬────────┘ │┌────────────────────────────┴────────────────────────────────────┐│ DMZ ││ ┌─────────────────────────────────────────────────────────────┐││ │ Reverse Proxy (nginx) │││ │ - SSL termination │││ │ - Rate limiting │││ │ - WAF rules │││ └────────────────────────────┬────────────────────────────────┘│└────────────────────────────────┼────────────────────────────────┘ │ ┌────────────┴────────────┐ │ Internal Firewall │ └────────────┬────────────┘ │┌────────────────────────────────┴────────────────────────────────┐│ Application Zone ││ ┌──────────────────────┐ ┌──────────────────────┐ ││ │ License Server │ │ License │ ││ │ Detail (3000) │ ←→ │ Monitor (8080) │ ││ └──────────────────────┘ └──────────┬───────────┘ │└─────────────────────────────────────────┼───────────────────────┘ │ ┌─────────────────────┴─────────────────────┐ │ Internal Firewall │ └─────────────────────┬─────────────────────┘ │┌─────────────────────────────────────────┴───────────────────────┐│ License Server Zone ││ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ││ │ FlexLM │ │ RLM │ │ sesinetd │ ││ │ Server │ │ Server │ │ Server │ ││ └──────────────┘ └──────────────┘ └──────────────┘ │└─────────────────────────────────────────────────────────────────┘Security Checklist
Section titled “Security Checklist”Pre-Deployment
Section titled “Pre-Deployment”- Generate strong, unique API keys and secrets
- Configure Okta application with correct redirect URIs
- Set up SSL/TLS certificates
- Review firewall rules
- Configure log aggregation
- Disable development auth bypass
- Review CORS configuration
Configuration
Section titled “Configuration”- Bind License Monitor to localhost unless behind proxy
- Enable rate limiting
- Configure CORS for specific origins only
- Set appropriate log levels
- Configure session timeouts
- Enable HTTPS only in production
Operational
Section titled “Operational”- Rotate API keys periodically
- Monitor authentication failures
- Review audit logs regularly
- Keep software updated
- Back up configurations securely
- Test disaster recovery procedures
Common Security Risks
Section titled “Common Security Risks”Risk Matrix
Section titled “Risk Matrix”| Risk | Impact | Likelihood | Mitigation |
|---|---|---|---|
| API Key Exposure | High | Medium | Use secrets manager, rotate keys |
| Unauthorized Access | High | Low | Strong authentication, MFA |
| Data Interception | Medium | Medium | TLS everywhere |
| DoS Attack | Medium | Medium | Rate limiting, WAF |
| Command Injection | High | Low | Input validation, whitelist |
| Session Hijacking | High | Low | Secure cookies, short TTL |
Mitigation Strategies
Section titled “Mitigation Strategies”-
API Key Exposure
- Store keys in secrets manager
- Rotate keys regularly
- Use environment variables, never commit keys
-
Unauthorized Access
- Implement MFA via Okta
- Use role-based access control
- Monitor and alert on failed authentications
-
Data Interception
- Use TLS 1.2+ everywhere
- Implement certificate pinning for mobile clients
- Encrypt sensitive data at rest
-
Denial of Service
- Configure rate limiting
- Use CDN/WAF for public endpoints
- Implement circuit breakers
Secure Defaults
Section titled “Secure Defaults”License Monitor ships with secure defaults:
# Default secure configuration[api]enabled = truebind_address = "127.0.0.1" # Localhost only by defaultbind_port = 8080allow_public_bind = false # Requires explicit overriderate_limit_requests = 60rate_limit_window_seconds = 60cors_origins = [] # No CORS by defaultCompliance Considerations
Section titled “Compliance Considerations”Logging and Audit
Section titled “Logging and Audit”Both applications implement:
- Structured logging with timestamps
- Request correlation IDs
- Sensitive data redaction
- Configurable log levels
- Log retention policies
Data Protection
Section titled “Data Protection”- No PII stored by default
- License usage data aggregated
- User session data encrypted
- Configurable data retention
Next Steps
Section titled “Next Steps”- API Authentication - API key configuration
- Network Security - Firewall and network setup
- CORS Configuration - Cross-origin settings
- Rate Limiting - Request throttling
- Secrets Management - Managing sensitive data