KIK-Starter comprises a number of components that communicate both internally and externally. Logically, there are 2-4 components: the KIK-Starter Decentraal (the component installed on the user machine) and the KIK-Starter Centraal (a component running at ZiN only). There are two central supporting components, Keycloak SSO and KIK-Registratie. In addition, the end user's browser talks to various parts of these components.

The applications are split across three networks: the ZiN cloud hosting the central components, the ZA datacenter where the KIK-Starter Docker image is hosted, and the ZA client network where the end user sits at their computer and works with KIK-Starter. The last two may be a single network, two entirely different networks separated by the internet, or different zones within a single network (e.g., KIK-Starter may run in a DMZ and the browser in an internal network).

Arrows indicate the direction of data flow (ignoring control information). The matrix below indicates who initiates each connection. Connectivity internal to the ZiN cloud (including load balancers) is not included in the matrix; all of it uses HTTPS with TLS 1.2.

| source | destination | destination port | protocol |
| ------ | ------ | ------ | ------ |
| Decentraal Docker | Centraal | 443 | https |
| Decentraal Docker | SSO | 443 | https |
| Browser | Decentraal Docker | 80/443 *) | http/https *) |
| Browser | KIK-Registratie | 443 | https |
| Browser Docker | SSO | 443 | https |

*) These connections use either http (port 80) or https (port 443). Which of the two is exposed and used depends on the configuration of the Docker image.

The Docker image exposes ports 80 and 443. Additional ports (8080, 8281, 8778, 9779) are open for technical purposes only and should not be exposed for normal usage.
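One way to check a running container against the port guidance above, as an added example that is not part of the KIK-Starter documentation or code. It assumes the port mapping comes from `docker inspect` (the `NetworkSettings.Ports` field); the sample mapping is constructed, and treating a loopback-only binding of a technical port as a warning rather than a failure is an assumption of this example.

```python
import json

# Ports from the page: 80/443 serve the browser; the rest are technical only.
USER_PORTS = {80, 443}
TECHNICAL_PORTS = {8080, 8281, 8778, 9779}
LOOPBACK = {"127.0.0.1", "::1"}


def audit_port_bindings(ports):
    """Classify each published port in a `docker inspect` Ports mapping.

    Returns a sorted list of (container_port, host_binding, verdict).
    """
    findings = []
    for spec, bindings in ports.items():
        port = int(spec.split("/")[0])
        # None or [] means the port is exposed by the image but not published.
        for b in bindings or []:
            # Docker reports an empty HostIp when bound to all interfaces.
            host_ip = b.get("HostIp") or "0.0.0.0"
            where = f"{host_ip}:{b['HostPort']}"
            if port in USER_PORTS:
                verdict = "ok"
            elif port in TECHNICAL_PORTS and host_ip in LOOPBACK:
                # Assumption of this example: loopback-only is a warning.
                verdict = "warn: technical port, loopback only"
            elif port in TECHNICAL_PORTS:
                verdict = "fail: technical port reachable from network"
            else:
                verdict = "fail: port not in documented set"
            findings.append((port, where, verdict))
    return sorted(findings)


# Constructed sample in the shape of NetworkSettings.Ports (not real output).
SAMPLE = json.loads("""
{
  "443/tcp":  [{"HostIp": "0.0.0.0",   "HostPort": "443"}],
  "80/tcp":   null,
  "8080/tcp": [{"HostIp": "0.0.0.0",   "HostPort": "8080"}],
  "8778/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8778"}],
  "9779/tcp": null
}
""")

if __name__ == "__main__":
    for port, where, verdict in audit_port_bindings(SAMPLE):
        print(f"{port:>5} -> {where:<18} {verdict}")
```

The real mapping for a container can be obtained with `docker inspect --format '{{json .NetworkSettings.Ports}}' <container>` and passed through `json.loads` in place of the sample.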