Suomi.fi for Service Developers

The technical details of the containerised security server

A Docker-containerised Security Server Sidecar is one of the Security Server options for the Data Exchange Layer. It can be deployed in a cloud environment, data centre or Linux server. A Security Server Sidecar is suitable for both Data Exchange Layer service providers and service consumer organisations.

Take these into account in the implementation!

Take these recommendations into account when considering implementing a containerised Security Server.

Use the same X-Road version as the Suomi.fi Data Exchange Layer's central servers are using.

Use only Docker images customised for the Suomi.fi Data Exchange Layer.

  • Make sure that the installation package has a ‘fi’ identifier. The ‘fi’ identifier means that the image has preconfigured settings that work in the Data Exchange Layer.

When using the Data Exchange Layer to provide services, use the Sidecar -fi versions of the images.

  • We recommend that service providers use a Sidecar image that contains all the features. Organizations that only use the services of the Data Exchange Layer can use the Sidecar slim version. The slim images do not have the features required for message logging or monitoring. Consider your organisation’s logging needs when selecting a version.

Ensure that your security and privacy requirements are met in your chosen environment.

  • For example, the type of data processed on the Security Server may restrict the geographical locations in which the data may be processed. This limitation may also come from outside your organization.

Select the same Security Server option for both the test and production environment.

  • It is technically possible to use different Security Server options, such as a containerised Security Server in a test environment and a host server Security Server in a production environment. However, in order to facilitate maintenance and minimise faults, we recommend that test and production environments are identical. This also helps when installing updates, for example.

Be sure to keep the containerised Security Server up-to-date.

  • In the future, the Sidecar software will be updated in step with other X-Road updates.

Also pay attention to:

  • The guidelines and implementation examples are designed for the AWS environment with the Kubernetes platform.
  • In the production environment, we only support the use of Linux. We have not tested and do not support the Windows or macOS platforms, but they can be used for testing purposes in a development environment.

Technical requirements

Install Docker before installing a Security Server Sidecar. Learn more about installing Docker.

You can find guidelines for Sidecar Kubernetes here.

Please note that we only support Linux platforms in our production environment, so install a version of Docker for Linux.

Minimum requirements for the platform:

  • CPUs: 2
  • Memory: 2 GB
  • Disk space: 2 GB

Read more about the technical requirements.

Despite the fact that Docker technology itself makes it possible to run containers even on a laptop, all Security Servers must always be installed on a server machine due to the requirements of the Data Exchange Layer.

The instructions and examples apply to the AWS platform in the Kubernetes environment. We offer instructions for load balancing, information security, redundancy, database implementation and clustering.

How to deploy a Security Server Sidecar

Follow the installation instructions on GitHub.

Look after your information security. Read Docker's best practices for ensuring security. We also offer a comprehensive security guide for the Security Server that reviews key security policies.

You can find the information security guidelines for Kubernetes here.

The configuration of the Security Server is done in the same way as in other Data Exchange Layer Security Server options. Read about the Security Server configuration.

Available Docker images

Sidecar -fi image

  • Intended for both service providers and data users in the Data Exchange Layer
  • Contains all features and is therefore better suited for service providers than Sidecar slim.

Sidecar slim -fi image

  • Intended only for using the services of the Data Exchange Layer
  • Does not include monitoring features or message logging, so Sidecar slim is slightly smaller than the Sidecar -fi image
  • Does not support configuring a Time Stamping Authority (TSA), but the security server operates normally without a TSA

Separate images exist for implementing clustering and load balancing for both the Sidecar -fi and Sidecar slim -fi versions

  • Sidecar -fi and Sidecar slim -fi primary
  • Sidecar -fi and Sidecar slim -fi secondary

All images can be downloaded free of charge from the NIIS Docker Hub. Only use images with a ‘-fi’ suffix, as they are customised for the Data Exchange Layer.

Docker images suitable for the Data Exchange Layer

You can use multiple versions of Docker images depending on your organisation’s needs. Each version contains a customised set of X-Road Security Server software modules. Depending on the version, the image only contains basic modules of the X-Road, or basic and complementary modules.

You can find descriptions of all images in GitHub:

The intended purposes of each image are summarised in the list below.

Base images

Sidecar slim -fi – niis/xroad-security-server-sidecar: -slim-fi

  • Intended for Data Exchange Layer service consumer organisations, not service provider organisations.
  • Only contains the minimum packages and configuration required to operate the Security Server.
  • Monitoring and logging features are not included in this image.
  • A TSA cannot be configured with a Sidecar slim.

Sidecar -fi – niis/xroad-security-server-sidecar: -fi

  • Intended for use by both service providers and data users in the Data Exchange Layer
  • Uses Sidecar Slim as the base image, but also contains logging and monitoring packages (both operational monitoring and environmental monitoring)

Images required for Kubernetes load balancing

Separate images exist for implementing clustering and load balancing for both the Sidecar -fi and Sidecar slim -fi versions. The images enable you to use a primary pod and secondary pods.

Sidecar slim primary -fi – niis/xroad-security-server-sidecar: -slim-primary-fi

  • Intended for deploying a Primary Pod required for Kubernetes load balancing
  • For Data Exchange Layer service consumer organisations, not service provider organisations.

Sidecar slim secondary -fi – niis/xroad-security-server-sidecar: -slim-secondary-fi

  • Intended for deploying a Secondary Pod required for Kubernetes load balancing
  • For Data Exchange Layer service consumer organisations, not service provider organisations.

Sidecar primary -fi – niis/xroad-security-server-sidecar: -primary-fi

  • Intended for deploying a Primary Pod required for Kubernetes load balancing
  • Suitable for both Data Exchange Layer service provider and service consumer organisations.
  • Includes message logging and monitoring (operational monitoring)

Sidecar secondary -fi – niis/xroad-security-server-sidecar: -secondary-fi

  • Intended for deploying a Primary Pod required for Kubernetes load balancing
  • Suitable for both Data Exchange Layer service provider and service consumer organisations.
  • Includes message logging and monitoring (operational monitoring)
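
A deployment-time check of the image rules above, as an added example (not code from Suomi.fi or NIIS): it flags images without a ‘-fi’ suffix, slim images used by a service provider, and versions that differ from the central servers. The tag layout <version><suffix>, the function names and the sample version numbers are assumptions.

```python
REPO = "niis/xroad-security-server-sidecar"  # repository name as shown on the page
# Tag suffixes listed on the page; longest first so the most specific one matches.
SUFFIXES = ["-slim-secondary-fi", "-slim-primary-fi", "-secondary-fi",
            "-primary-fi", "-slim-fi", "-fi"]

def check_image(image, role, central_version):
    """Return findings for one image reference (empty list = passes).

    role: "provider" or "consumer". central_version: the X-Road version the
    operator has confirmed for the central servers (supplied, not looked up).
    Assumption: tags have the form <version><suffix>.
    """
    repo, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:          # no tag at all (or only a registry port)
        return ["no pinned tag; expected <version>-...-fi"]
    findings = []
    if repo not in (REPO, "docker.io/" + REPO):
        findings.append(f"unexpected repository '{repo}'")
    suffix = next((s for s in SUFFIXES if tag.endswith(s)), None)
    if suffix is None:
        return findings + [f"tag '{tag}' is not a -fi image"]
    version = tag[: -len(suffix)]
    if version != central_version:
        findings.append(f"version '{version}' != central servers '{central_version}'")
    if role == "provider" and "-slim-" in suffix:
        findings.append("slim image has no message logging or monitoring")
    return findings

def audit(deployments, central_version):
    """Map deployment name -> findings, keeping only deployments with findings."""
    checked = {name: check_image(image, role, central_version)
               for name, (image, role) in deployments.items()}
    return {name: found for name, found in checked.items() if found}

# Constructed sample input; version numbers are placeholders, not real releases.
SAMPLE = {
    "provider-ok":   (REPO + ":0.0.1-primary-fi", "provider"),
    "provider-slim": (REPO + ":0.0.1-slim-fi", "provider"),
    "consumer-ok":   (REPO + ":0.0.1-slim-secondary-fi", "consumer"),
    "not-fi":        (REPO + ":0.0.1-slim", "consumer"),
    "stale":         (REPO + ":0.0.0-fi", "consumer"),
    "unpinned":      (REPO, "consumer"),
}

if __name__ == "__main__":
    for name, found in audit(SAMPLE, "0.0.1").items():
        print(name, "->", "; ".join(found))
```

Run it against the image references in your Kubernetes manifests or Compose files before rollout, passing the central server version you have confirmed for the environment.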

Maintaining a Security Server Sidecar

Read about maintaining a Security Server Sidecar in GitHub.

Remember to keep the versions of your Security Server Sidecars up to date. More information about technical maintenance.


Updated: 7/10/2024
