App credentials and tokens
Each Microsegmentation Console has its own private certificate authority (CA) that can issue X.509 certificates to authorized clients on request. Issuance uses public-key cryptography so that private keys never travel the wire. Authorized clients use the X.509 certificates issued by the Microsegmentation Console CA to access the Microsegmentation Console API. We call these app credentials. An app credential grants the client:
- Access to the authorized namespace and its child namespaces
- Read-write permissions according to the assigned Microsegmentation role
App credentials expire ten years after the date of issuance. They require a mutual TLS connection to the Microsegmentation Console, so any TLS-intercepting middlebox must be configured to exclude traffic between the client and the Microsegmentation Console: an intercepting proxy cannot present the client's certificate and would break the handshake.
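The issuance and verification flow described above, as an added example in Go that is not part of this page or the product's own code: a private CA signs a client-authentication certificate from a certificate signing request, so the client's private key stays local, and a Console-side check mirrors what the mutual TLS handshake enforces. The names, the CA lifetime, and the use of P-256 keys are assumptions; the ten-year client certificate lifetime is the one stated above.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error so the issuance flow below reads top to bottom.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IssueAppCredential walks the flow end to end and returns the app credential and the CA cert.
func IssueAppCredential() (*x509.Certificate, *x509.Certificate) {
	now := time.Now()
	// Console side: a per-Console private CA (constructed name and lifetime).
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Microsegmentation Console CA (constructed)"},
		NotBefore: now, NotAfter: now.AddDate(20, 0, 0), KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Client side: the key pair is generated locally; only the CSR travels the wire.
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "app-credential (constructed)"}}, clientKey))
	// Console side: check proof of possession of the key, then sign a ten-year client-auth cert.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	clientDER := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(clientDER)), ca
}

// VerifyAppCredential is the Console-side mutual-TLS check: chain to this Console's CA, client-auth usage.
func VerifyAppCredential(cert, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A credential signed by a different Console's CA fails VerifyAppCredential, which is why each Console trusts only its own CA.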
The Microsegmentation Console also issues and accepts Microsegmentation tokens (JSON Web Tokens) for authentication. You can apply restrictions to a token, such as limited permissions and a short validity period, to reduce the risk from man-in-the-middle attacks.