====== Security ======
**Target audience:** Security Admins, DevOps \\
**Content:** TLS, Certificates, Access control \\
**Priority:** Critical for production
Security configuration for production operation of the Data Gateway.
----
===== Workflow =====
flowchart LR
subgraph TLS["TLS"]
T1[Obtain certificate]
T2[Enable HTTPS]
T3[Cipher suites]
end
subgraph ACCESS["ACCESS"]
A1[Firewall]
A2[API Keys]
A3[IP Whitelist]
end
subgraph CERTS["CERTIFICATES"]
C1[Renewal]
C2[Monitoring]
end
T1 --> T2 --> T3
T2 --> A1
A1 --> C1 --> C2
style T1 fill:#e8f5e9
style A1 fill:#fff3e0
style C2 fill:#e3f2fd
----
===== Runbooks =====
^ Runbook ^ Description ^ Duration ^
| [[.:tls-einrichten|Set Up TLS]] | Enable HTTPS, configure certificates | ~15 min |
| [[.:zertifikat-erneuern|Renew Certificate]] | Renewal process, automation | ~10 min |
| [[.:firewall-regeln|Firewall Rules]] | Access restriction, IP whitelist | ~10 min |
----
===== Security Checklist =====
^ # ^ Check ^ Priority ^ Done ^
| 1 | TLS/HTTPS enabled | Critical | [ ] |
| 2 | No self-signed certificates in prod | Critical | [ ] |
| 3 | TLS 1.2+ enforced (TLS 1.0/1.1 rejected) | High | [ ] |
| 4 | Weak ciphers disabled (RC4, 3DES, NULL, anonymous) | High | [ ] |
| 5 | Firewall configured | Critical | [ ] |
| 6 | Certificate expiry monitored | High | [ ] |
| 7 | Logs contain no passwords or tokens | Critical | [ ] |
----
===== Quick Wins =====
<code bash>
# Check HTTPS status (expect HTTP/1.1 200 or HTTP/2 200 and no certificate warning)
curl -sSI https://gateway.example.com/health

# Check TLS version: the first two must succeed, the last two must fail with a handshake error.
# "echo |" closes stdin so s_client exits instead of waiting for input;
# -servername sends SNI so the gateway presents its real certificate, not a default one.
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com -tls1_2
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com -tls1_3
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com -tls1_1
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com -tls1

# Check certificate validity window and issuer (issuer == subject means self-signed)
echo | openssl s_client -connect gateway.example.com:443 -servername gateway.example.com 2>/dev/null \
  | openssl x509 -noout -dates -issuer -subject
</code>
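The commands above answer one checklist item each by eye. The script below, an added example that is not part of the original Data Gateway runbook, turns checklist items 1-4, 6 and 7 into functions with exit codes so they can run from cron or a CI job. The host name, the 30-day renewal threshold, the weak-cipher list and the sample log lines are assumptions chosen for illustration; adjust them to your gateway.

```bash
#!/usr/bin/env bash
# Added example (not the Data Gateway's own tooling). Requires the openssl CLI.
set -u

# Strip ":port" so the host name can be sent as SNI.
host_of() { printf '%s' "${1%%:*}"; }

# Checklist #1: fetch the leaf certificate the gateway presents, as PEM on stdout.
# Fails (non-zero) when no TLS handshake is possible at all.
fetch_cert() {   # usage: fetch_cert host:port > cert.pem
  echo | openssl s_client -connect "$1" -servername "$(host_of "$1")" 2>/dev/null \
    | openssl x509
}

# Checklist #3: return 0 if the server completes a handshake with the given
# protocol flag (-tls1, -tls1_1, -tls1_2, -tls1_3), 1 if it rejects it.
# s_client exits non-zero on handshake failure, so its status is the answer.
tls_protocol_accepted() {   # usage: tls_protocol_accepted host:port -tls1_1
  echo | openssl s_client -connect "$1" -servername "$(host_of "$1")" "$2" >/dev/null 2>&1
}

# Checklist #4: return 0 if the server negotiates any cipher from an illustrative
# weak list. If the local openssl build has none of these ciphers the client
# itself fails ("no cipher match"), which reads as "rejected"; verify with
# 'openssl ciphers RC4:3DES:aNULL:eNULL' before trusting a pass.
weak_cipher_accepted() {   # usage: weak_cipher_accepted host:port
  echo | openssl s_client -connect "$1" -servername "$(host_of "$1")" \
      -tls1_2 -cipher 'RC4:3DES:aNULL:eNULL' >/dev/null 2>&1
}

# Checklist #2: a certificate whose issuer equals its subject is self-signed.
# (A CA root also matches; a gateway should present a leaf, not a root.)
cert_is_self_signed() {   # usage: cert_is_self_signed cert.pem
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$1" -noout -subject_hash)" ]
}

# Checklist #6: return 0 if the certificate expires within N days (renewal due).
# -checkend exits 0 while the cert is still valid N days from now, so invert it.
cert_expires_within() {   # usage: cert_expires_within days cert.pem
  ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Checklist #7: count log lines (from stdin) that look like they carry a credential:
# a password/secret/key/token field followed by ':' or '=', or an Authorization header.
# "password rotation policy" does not match because no ':' or '=' follows the word.
secret_lines_in_log() {   # usage: secret_lines_in_log < gateway.log
  grep -Eic '(password|passwd|secret|api[_-]?key|token)["]?[[:space:]]*[:=]|authorization:[[:space:]]*(basic|bearer)' || true
}

# Constructed sample log for the #7 check (not real gateway output).
SAMPLE_LOG=$(cat <<'EOF'
2024-05-02T10:00:01Z INFO  gateway: client 10.0.0.5 authenticated user=svc-meter
2024-05-02T10:00:02Z DEBUG gateway: POST /login body={"user":"svc-meter","password":"Hunter2!"}
2024-05-02T10:00:03Z DEBUG gateway: upstream headers Authorization: Bearer eyJhbGciOi...
2024-05-02T10:00:04Z INFO  gateway: password rotation policy is 90 days
EOF
)

# Run every network check against one target and print FAIL/WARN lines.
run_live_audit() {   # usage: run_live_audit gateway.example.com:443
  local target=$1 pem legacy
  pem=$(mktemp)
  if ! fetch_cert "$target" > "$pem"; then
    echo "FAIL #1: no TLS handshake with $target"; rm -f "$pem"; return 1
  fi
  for legacy in -tls1 -tls1_1; do
    tls_protocol_accepted "$target" "$legacy" && echo "FAIL #3: $legacy accepted"
  done
  tls_protocol_accepted "$target" -tls1_2 || tls_protocol_accepted "$target" -tls1_3 \
    || echo "FAIL #3: neither TLS 1.2 nor 1.3 accepted"
  weak_cipher_accepted "$target" && echo "FAIL #4: weak cipher negotiated"
  cert_is_self_signed "$pem" && echo "FAIL #2: certificate is self-signed"
  cert_expires_within 30 "$pem" && echo "WARN #6: certificate expires within 30 days"
  rm -f "$pem"
  return 0
}

# Only runs the live audit when a target is given, e.g.: ./tls-audit.sh gateway.example.com:443
if [ -n "${1:-}" ]; then
  run_live_audit "$1"
fi
```

Feed the gateway's log through `secret_lines_in_log` after a test login so that a failure in the application's secret masking is caught before production, and schedule `run_live_audit` so that an expiring or replaced certificate produces a WARN before clients start failing.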
----
===== Related Documentation =====
* [[..:administrator:sicherheit:start|Administrator: Security]] - Architecture
* [[..:business:sicherheit:start|Business: PQ Security]] - Compliance
* [[..:..:..:..:..:pqcrypt:szenarien:operator:start|PQ Crypto Operator]] - Post-Quantum
----
<< [[..:start|<- Operator Handbook]] | [[.:tls-einrichten|-> Set Up TLS]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional//
{{tag>operator sicherheit tls zertifikate}}