Security specifications

Last Updated: Jul 14, 2020

Trust and Identity certificates

You must install third-party trust certificates and identity certificates for clusters. Use different certificates for SIP traffic, HTTP traffic, and the management interface of the Avaya Breeze® platform node.

Security alert:

To ensure the security of your system, Avaya recommends that you replace the demo certificates and the Avaya SIP CA certificate with:

  • Third-party certificates

  • Individual certificates signed by the System Manager Trust Manager CA

Host-based HTTP security

You can optionally provision a list of trusted hosts that are authorized to invoke HTTP snap-ins by using one of the following mechanisms:

  • IP address: If the source IP address of an incoming HTTP request matches the trusted host list, the connection is accepted. If not, the connection is denied.

  • Certificate-based: The HTTP firewall or front-end proxy challenges the client for a certificate and validates that certificate against its trusted CAs.

If neither of these mechanisms is enabled, the HTTP firewall or front-end proxy accepts incoming connections from any host.

OAuth 2.0 HTTP security

Snap-ins can opt in to the OAuth 2.0 security model provided by Authorization Service. If a snap-in has opted in, the HTTP whitelist and certificate challenge are bypassed, and the incoming request must carry a valid authorization token in the Auth header.

Avaya Breeze® platform OAuth 2.0 supports the following:

  • End user authentication and authorization

  • Application-based authentication and authorization

Snap-ins can also enable both models to be used concurrently. This is accomplished by marking HTTP requests that successfully passed the whitelist or certificate challenge. Snap-ins can then check for either the presence of this proprietary marker or a valid authorization token.
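The following is an added example, not code from the Avaya Breeze® platform or its SDK, that models the access decision described in the two sections above (host-based HTTP security and OAuth 2.0 HTTP security) for a single request. The trusted-host list, the token set, the request dictionary layout and the marker name `_trusted_host_mark` are all constructed or hypothetical; the real platform sets its marker through its own mechanism, and the Authorization Service performs the real token validation. The example also makes one assumption the page does not state: when both the IP-address and certificate mechanisms are enabled, it requires both to pass.

```python
import ipaddress

# Constructed trusted-host list for the IP-address mechanism (hypothetical values).
TRUSTED_HOSTS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.0.2.7/32"),
]

# Constructed stand-in for the tokens the Authorization Service would accept (hypothetical).
VALID_TOKENS = {"tok-end-user-1", "tok-application-1"}

# Hypothetical name for the proprietary marker set on requests that passed the
# whitelist or certificate challenge. It is stored outside the client-supplied
# headers, so a caller cannot forge it.
TRUSTED_HOST_MARK = "_trusted_host_mark"


def host_allowed(source_ip, trusted_hosts=TRUSTED_HOSTS):
    """IP-address mechanism: accept only sources inside the trusted-host list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in trusted_hosts)


def bearer_token(headers):
    """Return the bearer token from the Authorization header, or None."""
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def token_valid(token, valid_tokens=VALID_TOKENS):
    """Stand-in for validating a token with the Authorization Service."""
    return token is not None and token in valid_tokens


def host_check(request, ip_check, cert_check):
    """Host-based HTTP security: every enabled mechanism must pass.

    Assumption: the page does not say how the two mechanisms combine when both
    are enabled; this example requires both. With neither enabled, any host is
    accepted, as the page states.
    """
    if ip_check and not host_allowed(request["source_ip"]):
        return False
    if cert_check and not request.get("client_cert_valid", False):
        return False
    return True


def mark_trusted_host(request):
    """Record, server-side, that the request passed the host-based challenge."""
    request[TRUSTED_HOST_MARK] = True


def authorize(request, ip_check=False, cert_check=False, oauth=False, dual_mode=False):
    """Decide whether the request may invoke the snap-in; returns (allowed, reason)."""
    token = bearer_token(request.get("headers", {}))
    if oauth and not dual_mode:
        # OAuth opt-in: the whitelist and certificate challenge are bypassed;
        # only the authorization token decides.
        if token_valid(token):
            return True, "valid authorization token"
        return False, "missing or invalid authorization token"
    passed_host = host_check(request, ip_check, cert_check)
    if not dual_mode:
        if passed_host:
            return True, "host-based check passed"
        return False, "host-based check failed"
    # Both models concurrently: mark requests that passed the host-based
    # challenge, then accept either the mark or a valid token.
    if passed_host:
        mark_trusted_host(request)
    if request.get(TRUSTED_HOST_MARK):
        return True, "trusted host mark present"
    if token_valid(token):
        return True, "valid authorization token"
    return False, "neither trusted host mark nor valid token"


if __name__ == "__main__":
    # Constructed sample requests: one from a trusted host, one from outside with a token.
    from_trusted = {"source_ip": "10.10.0.5", "headers": {}}
    from_outside = {"source_ip": "198.51.100.9",
                    "headers": {"Authorization": "Bearer tok-end-user-1"}}
    print(authorize(dict(from_trusted), ip_check=True))
    print(authorize(dict(from_outside), ip_check=True))
    print(authorize(dict(from_outside), oauth=True))
    print(authorize(dict(from_outside), ip_check=True, oauth=True, dual_mode=True))
```

The point to notice is that the marker is set by the server after its own check and is never read from the incoming headers; a snap-in that instead trusted a client-supplied header as the "passed the whitelist" signal would let any caller skip the host-based check.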

Role Based Access Control

Avaya Breeze® platform supports Role Based Access Control (RBAC) for System Manager functions, which include:

  • Providing read and write access to all Avaya Breeze® platform servers.

  • Managing access to each Avaya Breeze® platform web page.

  • Loading, installing, uninstalling, and deleting a snap-in.