Security
DataZen implements security at multiple levels including DataZen Manager, DataSync Agents, and Change Logs. This section provides an overview of various security features available.
DataZen Manager
DataZen Manager does not store sensitive data directly. However, it provides management screens that display and send sensitive data to DataSync Agents. As a result, DataZen Manager offers a few security options to help keep sensitive data secure.
DataZen Manager communicates to an agent using an HTTP API exposed by the agent. Cloud-hosted agents use SSL automatically. Self-hosted agents are configured to listen on port 9559 by default, but the port can be changed. To encrypt self-hosted HTTP communication, you can bind an SSL certificate to port 9559, or change the listening port to 443. Even without SSL encryption, connection strings are transferred encrypted by DataZen. See the Connection Strings section below for more information.
Cloud Agents
Communication to cloud agents is always SSL encrypted. Access cloud agents through its API can be provided depending on your subscription level.
Multitenant Configuration
By default, cloud agents are created in a multitenant configuration. The multitenant design implies that jobs you create will execute alongside other customers' jobs. However, each cloud agent deployed has its dedicated database. This ensures that while the compute engine is shared, the storage of you settings and connection strings is dedicated.
When using cloud agents, you can optionally use a shared storage for your change logs as well. This setting is optional; you can use your personal cloud storage to store your change logs. When using cloud-based agents, it is recommended to encrypt and sign your change logs to ensure maximum privacy.
Self-Hosted Agents
Authentication & Authorization
DataZen Manager requires users to be authenticated on the local machine and as such implements a single sign-on mechanism with the local Windows operating system. However, DataZen Manager does not by itself provide any information or configuration settings that is sensitive in nature, so no additional authentication or authorization is implemented by DataZen Manager, until you register an agent. Accessing a DataSync Agent requires authentication and authorization.
Security Group Access Control
To configure access to a DataSync Agent, after it has been registered, choose Configuration->Agent Settings.
Members of the BUILTIN\Administrators group can always access a DataSync Agent on Windows where both the agent and the manager are running. However, remote administration requires additional configuration.
You can use this screen to add additional security groups. All users in the security groups listed in this screen will be able to fully manage and administer the selected DataSync Agent.
Administrative Access Keys
By default, Administrative Shared Keys are disabled. However, when enabled, you can choose the level of access to the DataSync Agent: Administrative, Agent API, Jobs API, or scope-based. In addition, you can create scope-based service-specific keys and set an expiration date.
Access Levels- None: The admin keys cannot be used for authentication
- Administrative: The admin keys have full access to the DataZen API (equivalent to the all scope)
- Agent API: The admin keys have full access to the DataZen Agent API (equivalent to the agent_all scope)
- Jobs API: The admin keys have full access to the DataZen Jobs API (equivalent to the job_all, connections_all, security_all scopes)
- Scope-Based: The admin keys have access to the endpoints as specified through the selected scopes
These keys can be used to connect to a DataSync Agent using DataZen Manager or through programmatic means, including Postman and Fiddler. See the Agent API 3.0 specification for more information.
Service Access Keys
These keys are best used for programmatic access to the DataZen API and monitoring applications. You can manage these keys on the Service Tokens tab. An expiration date and at least one scope must be selected.
Access Token Scopes
The following is a summary of available endpoints through the DataZen API along with the scopes necessary for access. Some endpoints may support one or more GET, PUT, POST, and DELETE operations. See the DataZen API documentation for more information.
| /ping | all, agent_all, agent.read |
| /licenseinfo | all, agent_all, agent.write |
| /jobpack | all, agent_all, agent.read, agent.write |
| /stagecfg | all, agent_all, agent.write |
| /start | all, agent_all, agent.run |
| /stop | all, agent_all, agent.run |
| /upgrade | all, agent_all, agent.write |
| /status | all, agent_all, agent.read |
| /version | all, agent_all, agent.read |
| /job/output | all, job_all, job.read |
| /job | all, job_all, job.write |
| /job/log | all, job_all, job.read |
| /job/history | all, job_all, job.read |
| /job/dynamic | all, job_all, job.read, job.run |
| /job/dynamic/executions | all, job_all, job.list |
| /job/start | all, job_all, job.run |
| /job/stop | all, job_all, job.run |
| /job/active | all, job_all, job.run |
| /job/settspointer | all, job_all, job.run |
| /job/status | all, job_all, job.read |
| /job/changelogs | all, job_all, job.list |
| /job/changelog | all, job_all, job.data, job.data.read |
| /job/changelog/read | all, job_all, job.data, job.data.read |
| /job/push | all, job_all, job.data, job.data.write |
| /job/lastexecid | all, job_all, job.read, job.run |
| /job/ungroup | all, job_all, job.write |
| /job/group | all, job_all, job.write |
| /jobcollection | all, job_all, job.read, job.write |
| /changelog/read | all, job_all, job.data, job.data.read |
| /changelog/write | all, job_all, job.data, job.data.write |
| /jobs | all, job_all, job.list |
| /jobs/info | all, job_all, job.list |
| /jobs/summary | all, job_all, job.list |
| /directory/exists | all, job_all, job.read |
| /directory/files | all, job_all, job.read |
| /refreshtoken | all, job_all, job.run |
| /component | all, job_all, job.read, job.write |
| /connections | all, connections_all, connections.read, connections.write |
| /connections/db | all, connections_all, connections.write |
| /connections/metadata | all, connections_all, connections.list |
| /connectionsinfo | all, connections_all, connections.read |
| /updatekek | all, security_all, security.write |
| /certificates | all, security_all, security.read, security.write |
X.509 Certificate Signature and Authentication
This tab allows you to configure X.509 Certificates for both signature and/or authentication. See the X.509 Certificates section for more information. Please note that in order to use this feature, certificates must first be registed in DataZen using the Manage Certificates screen.
Connection Strings
Most screens showing connection strings do not actually load secrets on the screen; instead, most screens display the Connection Key of the selected connection string. However, the Connection String management screens do display and save full connection string secrets. Anytime a connection string secret is read, or saved, the connection string is encrypted. This ensures that even if no SSL encryption is enabled on the DataSync Agent HTTP port connection secrets are encrypted on the wire.
Connection strings are encrypted using AES and are stored with a Vector (Salt). They can be accessed using the GET Connections operation if the Shared Access Keys are enabled for the Agent API.
DataSync Agent Configuration
SSL Encryption
Unless specifically configured to listen on a different port, agents listen on HTTP port 9559 on an unencrypted HTTP channel. To secure administrative traffic to your agent, you can install an SSL certificate and bind it to the listening port to enable HTTPS communication.
To bind EnzoDS.exe to port 443 on your local server, change the appSettings section of the settings file (EnzoDS.exe.Config) as follows:
<add key="listenerPort" value="443" /> <add key="listenerUrl" value="https://SERVERNAME" />
This section provides high level information on how to create and configure a self-signed SSL certificate on port 443, for a test environment. For production environments, it is recommended to use a public Certificate Authority to obtain a certificate for your server instead.
-
Create a CA Certificate
makecert -n "CN=datazen" -r -sv datazen.pvk datazen.cer
Once created, add this certificate to your Trusted Root Certification Auhorities store. -
Create an SSL Certificate
Replace YOURSERVERNAME below with you actual server name.
makecert -sk DataZenSSL -iv datazen.pvk -n "CN=YOURSERVERNAME" -ic datazen.cer datazenssl2.cer -sr localmachine -ss My
This command will generate an SSL certificate and add it to the My certificate store. - Find the SSL Cert Thumbprint (MMC Snap-In) Using MMC (Certificate Snap-In) find the SSL certificate you just created in the Personal\Certificate store (My) and copy its Thumbprint in memory.
-
Bind SSL to Port 443 (IPv4 and IPv6)
Replace the certhash value with Thumbprint above
netsh http add sslcert ipport=0.0.0.0:443 certhash=THUMBPRINT appid={0abc7514-3558-4142-b81b-79149673bf57} certstorename=MY usagecheck=disable netsh http add sslcert ipport=[::]:443 certhash=THUMBPRINT appid={0abc7514-3558-4142-b81b-79149673bf57} certstorename=MY usagecheck=disable
Auditing
DataZen stores a detailed log of actions taken on its API in the database. A summary of jobs that have been executed is stored in the jobexecutions table, while the details of each execution are stored in the executionauditlog table. In addition, it is possible to log all activities to disk. Enabling this feature is only recommended during testing for performance reasons. To enable the disk audit log, add an entry in the appSettings section of the EnzoDS.exe.Config file:
<add key="logFile" value="c:\tmp\enzodslog.txt" />