The SAM Enterprise cloud server uses the following software stack:
Web client: HTML5, Bootstrap & jQuery
Server: Java 8 Webserver
Database: MySQL, NoSQL Document Storage
On project setup we test record add/edit, report generation, and any client-specific workflows. We do regular QA testing on a staging server before pushing to production. Updates to SAM Enterprise are delivered to the cloud server as needed; these may include security updates as well as updates that enhance functionality and performance. Updates to the client's project data model are applied on the database server.
Both the production application server and the database server sit behind a Cisco Adaptive Security Virtual Appliance (ASAv) firewall. Updates are delivered over a VPN session that requires two-factor authentication (2FA) to establish. Updates may be deployed to the HTML5 front-end, the Java backend, or the MySQL database server.
For more information on the SAM Enterprise application, visit our about page.
The two supported fixed readers, the ImpinJ Speedway and the Alien F800, will be supplied with firmware updates as needed. Firmware is updated at the time of deployment. Any additional security updates to firmware, development tools, and SDKs provided by the OEM may be downloaded and installed as needed from the following support sites:
For detailed technical documentation on specification, configuration, and network communication visit our Fixed RFID Reader page.
SAM supports the use of the ATID 870 and Android based RFID readers with SAM Mobile. Any software/OS used in conjunction with these devices will be provided with the latest updates at the time of deployment.
The ATID 870 utilizes the Windows Mobile Device Center in conjunction with SAM Sync to sync updates to the cloud application. Communications between SAM Mobile and SAM Enterprise are outlined in the communications diagram on our Fixed RFID Reader page. For detailed technical documentation on specification and configuration of software used in conjunction with this device visit our SAM Mobile Installation page.
Our Android-based RFID readers use an Android-specific release of SAM Mobile. Updates to the Android OS are supplied by Google and the OEM and are applied automatically once the device has an internet connection. Updates to SAM Mobile on Android, together with the matching updates to the underlying SDK, will be provided as needed through a direct .APK download or an appropriate digital distribution service. When installing from a direct .APK download, check that the package is signed with the same certificate as the currently installed release before sideloading it; Android will not install an update signed with a different key, and a package that fails this check should not be trusted.
Client/Server Communication
  HTTP(S) - port 80/443 (default)
Tag Stream from Fixed Reader
  Alien F800: TCP/IP connection - port 4000 (default)
  ImpinJ Speedway: LLRP - port 5084
Fixed Reader Command Communication
  Alien F800: Alien Reader Command Protocol - port 23 (default)
Database Communication
  JDBC - port 3306 (default)
Tag Stream to Server
  Alien F800: TCP/IP connection - port 4000 (default)
  ImpinJ Speedway: LLRP - port 5084
Command Communication
  Alien F800: Alien Reader Command Protocol - port 23 (default)
  ImpinJ Speedway: RShell - port 22
Web Portal
  HTTP - port 80
Client/Server Communication
  HTTP(S) - port 80/443 (default)
Of these channels, only RShell (SSH on port 22) and HTTPS on port 443 are encrypted. The Alien command channel on port 23, LLRP on port 5084, the tag stream on port 4000, the reader web portal on port 80, and JDBC on port 3306 (unless TLS is enabled on the MySQL connection) are cleartext; they should be reachable only from the SAM server and the management network, and the firewall should not expose them to the client network or the internet.
SAM Enterprise uses TLS (the successor to SSL, and still commonly referred to as such) to encrypt communications between clients and the server. Clients that connect on port 80 should be redirected to HTTPS rather than served over plain HTTP.
Sensitive information stored in the SAM configuration file is encrypted using AES encryption. The server will encrypt this information on server startup.
The MySQL server used by SAM can support data-at-rest encryption (InnoDB tablespace encryption) for clients who require database-level encryption. It uses a two-tier key architecture consisting of a master encryption key and per-tablespace keys. When a tablespace is encrypted, its tablespace key is itself encrypted and stored in the tablespace header. When an application or authenticated user accesses encrypted data, the database engine uses the master encryption key to decrypt the tablespace key. The decrypted tablespace key never changes, but the master encryption key can be changed as required; this action is referred to as master key rotation. Note that the master key is held by a MySQL keyring plugin or component; with the file-based keyring it lives on the database server's own filesystem, so this feature protects against loss or theft of the storage media and backups rather than against an attacker with access to the running server or with SQL-level access to the data.
The data-at-rest encryption feature uses the Advanced Encryption Standard (AES) block cipher. It uses Electronic Codebook (ECB) mode for tablespace key encryption and Cipher Block Chaining (CBC) mode for data encryption.
SAM has two primary authentication methods:
1. Direct authentication
2. AD authentication through LDAP
SAM supports user authorization through groups. There may be one or many groups, each providing a different level of access to the users in that group. Admin users can view and update records and also have administrative abilities to manage admin-level objects such as locations, fixed RFID readers, users, and groups. Further groups can be configured with view-only privileges, or update-and-view privileges, on a selected subset of record types.
To authenticate, the SAM front-end makes a JSON-RPC 2.0 request to the following method:
@method "auth.simpleLogin"
@param (String): $userName
@param (String): $password
{"jsonrpc":"2.0","id":"1","method":"auth.simpleLogin","params":["<username>","<password>"]}
This request returns the following response:
{
  "jsonrpc": "2.0",
  "id": "1",
  "result": {
    "refreshToken": "<refresh_token>",
    "accessToken": "<access_token>",
    "selectedProject": "<project_name>",
    "userProjects": ["<project_name>"],
    "usergroup": "<user_group>",
    "username": "<user_name>",
    "locationIDs": <location_ids>
  }
}
The response returns a temporary access token that the front-end presents on subsequent requests, together with a refresh token used to obtain a new access token when the current one expires.
Direct authentication checks the credentials against the SAM user table. SAM stores user passwords as salted hashes using PBKDF2-HMAC. Users have a limited number of login attempts before they are locked out: if a particular username or a particular source IP fails authentication multiple times, it is locked out until a set time period has elapsed. Once authenticated, SAM generates a temporary access token to be used for subsequent requests.
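The following is an added example, not SAM's own code, showing a minimal server-side handler for the auth.simpleLogin request and response above together with the direct-authentication behaviour just described: PBKDF2-HMAC salted password verification in constant time, a sliding-window lockout keyed on both username and source IP, and issue of a temporary access token. The iteration count, lockout threshold and window, token lifetime, error codes and the sample user table are assumptions, not values published by SAM.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
import secrets
import time

# Assumed parameters: SAM's real iteration count, lockout thresholds and token
# lifetime are not stated on this page.
PBKDF2_ITERATIONS = 600_000
MAX_FAILURES = 5          # failed attempts before a username or IP is locked
LOCKOUT_SECONDS = 900     # how long the lock lasts
TOKEN_TTL_SECONDS = 3600  # access-token lifetime


def hash_password(password: str) -> dict:
    """Produce the salted PBKDF2-HMAC-SHA256 record stored in the user table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class LockoutTracker:
    """Counts failures per key ("user:<name>" or "ip:<addr>") in a sliding window."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures: dict[str, list[float]] = {}

    def is_locked(self, key: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures.get(key, []) if now - t < LOCKOUT_SECONDS]
        self.failures[key] = recent          # drop failures that fell outside the window
        return len(recent) >= MAX_FAILURES

    def record_failure(self, key: str) -> None:
        self.failures.setdefault(key, []).append(self.clock())

    def clear(self, key: str) -> None:
        self.failures.pop(key, None)


class AuthService:
    """Handles auth.simpleLogin over an in-memory user table."""

    # Verifying against a dummy record when the username is unknown keeps the
    # response time similar for valid and invalid usernames.
    _DUMMY = hash_password("dummy-password")

    def __init__(self, users: dict, clock=time.time):
        self.users, self.clock = users, clock
        self.lockout = LockoutTracker(clock)
        self.sessions: dict[str, dict] = {}   # accessToken -> {"username", "expires"}

    def simple_login(self, request_json: str, client_ip: str) -> dict:
        req = json.loads(request_json)
        params = req.get("params")
        if (req.get("method") != "auth.simpleLogin" or not isinstance(params, list)
                or len(params) != 2 or not all(isinstance(p, str) for p in params)):
            return self._error(req, -32602, "Invalid params")
        username, password = params
        user_key, ip_key = f"user:{username}", f"ip:{client_ip}"

        # A locked username or IP gets the same generic error as a bad password,
        # so the response does not reveal which usernames exist or are locked.
        if self.lockout.is_locked(user_key) or self.lockout.is_locked(ip_key):
            return self._error(req, 401, "Authentication failed")

        user = self.users.get(username)
        ok = verify_password(password, user["password"] if user else self._DUMMY)
        if user is None or not ok:
            self.lockout.record_failure(user_key)
            self.lockout.record_failure(ip_key)
            return self._error(req, 401, "Authentication failed")

        self.lockout.clear(user_key)   # a successful login resets the username counter
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[access] = {"username": username, "expires": self.clock() + TOKEN_TTL_SECONDS}
        return {"jsonrpc": "2.0", "id": req.get("id"), "result": {
            "refreshToken": refresh, "accessToken": access,
            "selectedProject": user["projects"][0], "userProjects": user["projects"],
            "usergroup": user["group"], "username": username, "locationIDs": user["locations"]}}

    def validate_token(self, access_token: str) -> str | None:
        """Return the username behind a live access token, or None if unknown or expired."""
        session = self.sessions.get(access_token)
        if session is None or session["expires"] <= self.clock():
            self.sessions.pop(access_token, None)
            return None
        return session["username"]

    @staticmethod
    def _error(req: dict, code: int, message: str) -> dict:
        return {"jsonrpc": "2.0", "id": req.get("id"), "error": {"code": code, "message": message}}


if __name__ == "__main__":
    # Constructed sample user table; "Plant A" and the location IDs are made-up values.
    users = {"alice": {"password": hash_password("correct horse"), "projects": ["Plant A"],
                       "group": "Admin", "locations": [1, 2]}}
    svc = AuthService(users)
    print(svc.simple_login('{"jsonrpc":"2.0","id":"1","method":"auth.simpleLogin",'
                           '"params":["alice","wrong"]}', "10.0.0.5"))
```

The clock is injectable so the lockout window and token expiry can be exercised without waiting; in production the defaults (time.time) apply. Note that the per-IP counter is deliberately not cleared on a successful login, so one valid account on a shared address does not reset the budget of an attacker spraying other usernames from it.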
To authenticate against Active Directory, SAM can use LDAP instead of the SAM user table. To enable LDAP, go to the admin menu within SAM and set "useLDAP" to "true".
The following settings need to be set in order for SAM to properly connect through LDAP:
LDAPURL
- Description: An LDAP URL begins with the ldap:// protocol prefix (or ldaps://, if the connection to the server is protected with TLS) and identifies the LDAP server that bind and search requests are sent to.
- Example: ldap[s]://<hostname>:<port>/
LDAPDomain
- Description: The DNS name of a domain in the same forest as the user object.
LDAPGroups
- Description: Comma-separated list of LDAP-group-to-SAM-group mappings; a user who is a member of a listed LDAP group is authorized as a member of the mapped SAM group.
- Example: LDAPGroup1:SAMGroup1,LDAPGroup2:SAMGroup2
The LDAP integration obtains an authentication context (AuthContext) by passing the username and password to the directory server in an LDAP simple bind. Because a simple bind transmits the password as-is, the LDAPURL should use ldaps:// (or the connection should negotiate StartTLS) so that credentials are not exposed on the network; note also that directory servers treat a simple bind with an empty password as an anonymous bind that succeeds, so empty passwords must be rejected before the bind is attempted rather than passed through. Once authenticated, SAM generates a temporary access token for subsequent requests by the SAM front-end.
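The following is an added example, not SAM's own code, that validates the three LDAP settings above and applies the LDAPGroups mapping to a user's Active Directory memberships. It flags an ldap:// URL as cleartext, rejects the empty-password case that would become an anonymous bind, and resolves the SAM group from memberOf distinguished names in LDAPGroups order. It does not contact a directory server; the memberOf values and group names are constructed sample data, and the UPN (user@domain) bind form is an assumption about how the integration identifies the user.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit


def parse_ldap_url(url: str) -> dict:
    """Validate LDAPURL and return scheme, host, port and a cleartext flag."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"LDAPURL must be ldap://host[:port]/ or ldaps://host[:port]/, got {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # A simple bind over ldap:// sends the password unencrypted unless StartTLS
    # is negotiated first; flag it so the administrator can switch to ldaps://.
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "cleartext": parts.scheme == "ldap"}


def parse_group_mappings(setting: str) -> dict[str, str]:
    """Parse 'LDAPGroup1:SAMGroup1,LDAPGroup2:SAMGroup2' into an ordered dict."""
    mappings: dict[str, str] = {}
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        ldap_group, sep, sam_group = (s.strip() for s in entry.partition(":"))
        if not sep or not ldap_group or not sam_group:
            raise ValueError(f"bad LDAPGroups entry {entry!r}; expected LDAPGroup:SAMGroup")
        if mappings.get(ldap_group, sam_group) != sam_group:
            raise ValueError(f"LDAP group {ldap_group!r} is mapped to two SAM groups")
        mappings[ldap_group] = sam_group
    return mappings


def bind_credentials(username: str, password: str, domain: str) -> tuple[str, str]:
    """Build the UPN (assumed form) for the simple bind, refusing unsafe input."""
    # RFC 4513: a bind with a name but an empty password is an unauthenticated
    # bind, which the server accepts as anonymous. It must never reach the wire.
    if not password:
        raise ValueError("empty password would result in an anonymous bind")
    if not username or any(c in username for c in "@\\/ \t\r\n\x00"):
        raise ValueError(f"invalid username {username!r}")
    return f"{username}@{domain}", password


# First RDN of a DN, e.g. "CN=SAM-Viewers,OU=Groups,DC=example,DC=com" -> "SAM-Viewers".
# Escaped commas inside the CN value ("\,") are kept.
_CN = re.compile(r"^\s*CN=((?:\\.|[^,])+)", re.IGNORECASE)


def resolve_sam_group(member_of: list[str], mappings: dict[str, str]) -> str | None:
    """Return the SAM group for the first mapped AD group in LDAPGroups order, else None."""
    cns = {m.group(1).strip().lower() for dn in member_of if (m := _CN.match(dn))}
    for ldap_group, sam_group in mappings.items():
        if ldap_group.lower() in cns:
            return sam_group
    return None   # no mapped group: the user is authenticated but not authorized


if __name__ == "__main__":
    # Constructed sample settings and memberOf values; not taken from any real directory.
    url = parse_ldap_url("ldap://dc01.example.com/")
    if url["cleartext"]:
        print("warning: LDAPURL uses ldap://; simple bind will send passwords in the clear")
    mappings = parse_group_mappings("SAM-Admins:Admin, SAM-Viewers:ReadOnly")
    member_of = ["CN=SAM-Viewers,OU=Groups,DC=example,DC=com",
                 "CN=Domain Users,CN=Users,DC=example,DC=com"]
    print(bind_credentials("jdoe", "s3cret", "example.com")[0], "->", resolve_sam_group(member_of, mappings))
```

Group resolution is done on the memberOf attribute values rather than on a plain group name supplied by the client, and a user with no mapped group gets None so the caller denies access instead of falling back to a default SAM group.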