Xiid Connectors
TIP
In Xiid SaaS deployments, Connectors are fully managed by Xiid, and this documentation may be disregarded. This documentation only applies to self-hosted Xiid Connector deployments.
Xiid Connectors sit at the front lines of the Xiid platform and stitch together the outbound-only connections between two STLinks.
Xiid Connectors are purpose-built to actively mitigate malicious attacks (e.g. DDoS, Slowloris) and ensure high availability and uptime.
Connectors do not store sensitive information, and all data that flows through a Connector between two STLink endpoints is secured with two layers of end-to-end, quantum-secure encryption. As a result, even if a Connector is ever compromised, the communicating endpoints and the data they exchange over SealedTunnel remain safe.
In self-hosted or self-managed Connector deployments, the Connector Portal is used to manage and configure Xiid Connector Customers, settings, and configurations.
Network Topology
DANGER
Since Connectors can receive inbound traffic, deploy them outside the enterprise network.
Connectors are the only component in the Xiid platform that requires inbound access. Consequently, Xiid always recommends that Connectors be deployed completely outside of the enterprise network.
This can be a separate on-premises network, an isolated segment within a network (less preferable), or a separate cloud network.
Connectors require inbound access on ports 443 and 50991 for HTTPS REST API requests coming from Commanders or STLinks that you've deployed.
There should not be any other inbound ports or network access granted to the Connector machines. You can use the SealedTunnel via an STLink to remotely access the Connectors, either through Remote Desktop Protocol (RDP) or Secure Shell (SSH).
DNS and SSL
The Xiid Connector software requires an SSL certificate. A wildcard certificate is the easiest method for managing the Connectors, particularly for multi-Connector deployments, but is not required. Some highly regulated environments may require individual SSL certificates for each Connector node and the Xiid Connector software supports this configuration as well.
Each Connector will need its own host name and domain name tied to the certificate. For instance, if you are deploying 3 Connectors and have a wildcard certificate for example.com, you will need to define separate host names for all three Connectors: conn01.example.com, conn02.example.com, and conn03.example.com.
When you deploy Connectors, you will need two pieces of information:
- The public IP address of the Connector machine, used by other components to reach the Connector Service and by Connectors in other clusters to communicate with this Connector.
- The private IP address of the Connector machine, used only for intra-cluster communication between Connector nodes in the same cluster.
The Connectors need to have individual DNS A-records pointing to the public IP addresses of each Connector respectively. For instance, in the above example, you will need a DNS A-record for conn01.example.com which points to the public IP address of that machine, conn02.example.com pointing to the public IP of the second machine, and conn03.example.com pointing to the public IP address of the third machine.
There is also a fourth DNS A-record which is required for the Xiid platform. In the event a Connector node goes down, the other Xiid components need to know where every Connector in an environment is located so that the STLink and Commander components can automatically switch to an online and available Connector.
We call this the Geocluster, because it is the cluster of all Connector clusters spread out across the Xiid platform. As a convention, the Geocluster is often associated with the 00 hostname, so using our above example, the Geocluster would be conn00.example.com.
The Geocluster DNS A-record points to the public IP address of all Connector machines in the environment. Using our above example, the Geocluster for this environment would be: conn00.example.com -> 16.XX.XX.XX, 15.XX.XX.XX, 14.XX.XX.XX, where 16.XX.XX.XX is the public IP address of the Connector Service conn01.example.com, 15.XX.XX.XX is the public IP address of conn02.example.com, and 14.XX.XX.XX is the public IP address of conn03.example.com.
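As an added example (not Xiid's own tooling), the following Python check validates the DNS layout described above. It assumes a hostname-to-address mapping, either from a zone export or from live lookups through the included resolve_a helper, and flags a Connector host without exactly one A-record, a private (intra-cluster) address published in DNS, or a Geocluster record that is missing a Connector address or carries an extra one; the addresses are constructed TEST-NET placeholders.

```python
import ipaddress
import socket

# Constructed example mirroring the three-Connector layout above; TEST-NET placeholders, not real IPs.
EXAMPLE_RECORDS = {
    "conn01.example.com": {"203.0.113.16"},
    "conn02.example.com": {"203.0.113.15"},
    "conn03.example.com": {"203.0.113.14"},
    # Geocluster record: one A-record per Connector public IP
    "conn00.example.com": {"203.0.113.16", "203.0.113.15", "203.0.113.14"},
}
CONNECTORS = ["conn01.example.com", "conn02.example.com", "conn03.example.com"]
GEOCLUSTER = "conn00.example.com"

# Ranges a Connector's private intra-cluster address falls in; these must never appear in a public A-record.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_private_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in _PRIVATE_NETS)


def resolve_a(hostname):
    """Live lookup (needs network): set of IPv4 addresses for hostname."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}


def check_connector_dns(records, connectors, geocluster):
    """Return a list of problems in a hostname -> {IPv4} mapping: each Connector host
    must have exactly one public A-record, and the Geocluster record must list every
    Connector public IP and nothing else."""
    problems = []
    expected_geo = set()
    for host in connectors:
        ips = records.get(host, set())
        if len(ips) != 1:
            problems.append(f"{host}: expected one A-record, found {len(ips)}")
        for ip in ips:
            if is_private_ip(ip):
                problems.append(f"{host}: {ip} is a private address")
        expected_geo |= ips
    geo_ips = records.get(geocluster, set())
    for ip in sorted(expected_geo - geo_ips):
        problems.append(f"{geocluster}: missing Connector address {ip}")
    for ip in sorted(geo_ips - expected_geo):
        problems.append(f"{geocluster}: unexpected address {ip}")
    return problems
```

To check a live environment, build the mapping with `{h: resolve_a(h) for h in CONNECTORS + [GEOCLUSTER]}` and pass it to check_connector_dns; an empty result means the layout matches the rules above.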
Xiid Certificates
In addition to the SSL certificate used to bind the service and route through DNS, Xiid's Connectors also use additional certificates, called Xiid Certificates, created during the installation process through requests to the Xiid Certificate Authority. These certificates are managed by Xiid and provided for use specifically with the Xiid Geonode Service.