Skip to main content

Overview

FreeTAKServer implements multiple layers of security:
  • SSL/TLS Encryption: Secure communications using X.509 certificates
  • Client Certificate Authentication: Mutual TLS authentication for TAK clients
  • Token-Based Authentication: Bearer tokens for REST API access
  • Certificate Revocation: Certificate Revocation List (CRL) support
  • User Management: System and API user authentication

SSL/TLS Configuration

SSL/TLS encryption is essential for protecting tactical data in production deployments.

Certificate Paths

certsPath
string
default:"/opt/fts/certs"
Root directory for all certificates and keysEnvironment variable: FTS_CERTS_PATHYAML: Filesystem.FTS_CERTS_PATH

Server Certificate

keyDir
string
default:"/opt/fts/certs/server.key"
Path to server private key (PEM format)Environment variable: FTS_SERVER_KEYDIRYAML: Certs.FTS_SERVER_KEYDIR
pemDir
string
default:"/opt/fts/certs/server.pem"
Path to server certificate (PEM format)Environment variable: FTS_SERVER_PEMDIRYAML: Certs.FTS_SERVER_PEMDIR
unencryptedKey
string
default:"/opt/fts/certs/server.key.unencrypted"
Path to unencrypted server key (used internally by services)Environment variable: FTS_UNENCRYPTED_KEYDIRYAML: Certs.FTS_UNENCRYPTED_KEYDIR
p12Dir
string
default:"/opt/fts/certs/server.p12"
Path to PKCS#12 format certificate bundle (includes private key and certificate)Environment variable: FTS_SERVER_P12DIRYAML: Certs.FTS_SERVER_P12DIR

Certificate Authority (CA)

CA
string
default:"/opt/fts/certs/ca.pem"
Path to Certificate Authority certificateEnvironment variable: FTS_CADIRYAML: Certs.FTS_CADIR
CAkey
string
default:"/opt/fts/certs/ca.key"
Path to Certificate Authority private key (for signing client certificates)Environment variable: FTS_CAKEYDIRYAML: Certs.FTS_CAKEYDIR

Test Client Certificates

testPem
string
default:"/opt/fts/certs/server.key"
Path to test client certificateEnvironment variable: FTS_TESTCLIENT_PEMDIRYAML: Certs.FTS_TESTCLIENT_PEMDIR
testKey
string
default:"/opt/fts/certs/server.pem"
Path to test client private keyEnvironment variable: FTS_TESTCLIENT_KEYDIRYAML: Certs.FTS_TESTCLIENT_KEYDIR

Client Certificate Password

password
string
default:"supersecret"
Password used when generating client certificate packages (P12 files)Environment variable: FTS_CLIENT_CERT_PASSWORDYAML: Certs.FTS_CLIENT_CERT_PASSWORD
Change the default client certificate password in production! This password protects client certificate files.

Client Certificate Packages

ClientPackages
string
default:"/opt/fts/certs/clientPackages"
Directory for storing generated client certificate packagesEnvironment variable: FTS_CLIENT_PACKAGES_PATHYAML: Filesystem.FTS_CLIENT_PACKAGES_PATH

Certificate Revocation

CRLFile
string
default:"/opt/fts/certs/FTS_CRL.json"
Path to Certificate Revocation List (CRL) file in JSON formatEnvironment variable: FTS_CRLDIRYAML: Certs.FTS_CRLDIR
The CRL allows administrators to revoke compromised or unauthorized client certificates.

CRL File Format

{
  "revoked_certificates": [
    {
      "serial_number": "1A2B3C4D5E6F",
      "revocation_date": "2024-03-04T10:00:00Z",
      "reason": "compromised"
    },
    {
      "serial_number": "9F8E7D6C5B4A",
      "revocation_date": "2024-03-03T15:30:00Z",
      "reason": "privilege_withdrawn"
    }
  ]
}

Federation Security

federationCert
string
default:"/opt/fts/certs/server.pem"
Certificate used for federation connections with other TAK serversEnvironment variable: FTS_FEDERATION_CERTDIRYAML: Certs.FTS_FEDERATION_CERTDIR
federationKey
string
default:"/opt/fts/certs/server.key"
Private key for federation connectionsEnvironment variable: FTS_FEDERATION_KEYDIRYAML: Certs.FTS_FEDERATION_KEYDIR
federationKeyPassword
string
default:"defaultpass"
Password for the federation private keyEnvironment variable: FTS_FEDERATION_KEYPASSYAML: Certs.FTS_FEDERATION_KEYPASS

REST API Authentication

The REST API uses HTTP Bearer token authentication.

Secret Key

SecretKey
string
default:"vnkdjnfjknfl1232#"
Secret key for cryptographic operations, session management, and token signingEnvironment variable: FTS_SECRET_KEYYAML: System.FTS_SECRET_KEY
The default SecretKey MUST be changed in production! Generate a cryptographically secure random string.

WebSocket Key

websocketkey
string
default:"YourWebsocketKey"
Authentication key for WebSocket connectionsEnvironment variable: FTS_WEBSOCKET_KEYYAML: Certs.FTS_WEBSOCKET_KEY

Authentication Implementation

From FreeTAKServer/services/rest_api_service/controllers/authentication.py: 
from flask_httpauth import HTTPTokenAuth

auth = HTTPTokenAuth(scheme='Bearer')

@auth.verify_token
def verify_token(token):
    # Verify against APIUser table
    output = dbController.query_APIUser(query=f'token = "{token}"')
    if output:
        return output[0].Username
    
    # Verify against SystemUser table
    output = dbController.query_systemUser(query=f'token = "{token}"')
    if output:
        # Log API call
        dbController.create_APICall(
            user_id=output[0].uid,
            timestamp=datetime.now(),
            content=request.data,
            endpoint=request.base_url
        )
        return output[0].name

User Types

SystemUser: Administrative users with full access
  • Stored in SystemUser table
  • Default admin user created on first run
  • All API calls are logged
APIUser: Application users with limited access
  • Stored in APIUser table
  • Created via user management API
  • No automatic logging

CLI Access Control

CLIIP
string
default:"127.0.0.1"
IP address for CLI access interface
AllowCLIIPs
list
default:"[127.0.0.1]"
Whitelist of IP addresses allowed to access the CLI interfaceEnvironment variable: FTS_CLI_WHITELIST (colon or comma separated)YAML: Addresses.FTS_CLI_WHITELIST
Example: 
Addresses:
  FTS_CLI_WHITELIST: ["127.0.0.1", "192.168.1.0/24", "10.0.0.5"]

SSL/TLS Timeouts

From FreeTAKServer/core/configuration/ReceiveConnectionsConstants.py: 
WRAP_SSL_TIMEOUT = 1.0  # Timeout for SSL handshake
SSL_SOCK_TIMEOUT = 60   # Timeout for SSL socket operations
These values control SSL/TLS connection behavior:
  • WRAP_SSL_TIMEOUT: Maximum time to complete SSL handshake
  • SSL_SOCK_TIMEOUT: Maximum idle time for established SSL connections

Security Configuration Examples

Development Environment

System:
  FTS_SECRET_KEY: "dev-secret-key-not-for-production"

Addresses:
  FTS_COT_PORT: 8087  # Unencrypted for testing
  FTS_API_ADDRESS: "127.0.0.1"  # Local only
  FTS_CLI_WHITELIST: ["127.0.0.1"]

Certs:
  FTS_CLIENT_CERT_PASSWORD: "test123"
Development environments can use unencrypted connections for convenience, but production deployments should always use SSL/TLS.

Production Environment

System:
  FTS_SECRET_KEY: "Km9pR3tX8vL2nQ5wY7aE1cH4uD6gF0iJ3bN8mP5sT7zA"  # Strong random key

Addresses:
  FTS_SSLCOT_PORT: 8089  # SSL only
  FTS_HTTPS_TAK_API_PORT: 8443  # HTTPS only
  FTS_API_ADDRESS: "0.0.0.0"
  FTS_CLI_WHITELIST: ["10.0.0.0/8", "192.168.1.100"]  # Restricted IPs

Certs:
  FTS_CERTS_PATH: "/opt/fts/certs"
  FTS_SERVER_KEYDIR: "/opt/fts/certs/production-server.key"
  FTS_SERVER_PEMDIR: "/opt/fts/certs/production-server.pem"
  FTS_CADIR: "/opt/fts/certs/production-ca.pem"
  FTS_CAKEYDIR: "/opt/fts/certs/production-ca.key"
  FTS_CLIENT_CERT_PASSWORD: "Zx9C7v5B3nM1qW8eR4tY6uI0oP2aS5dF"  # Strong password
  FTS_CRLDIR: "/opt/fts/certs/production-crl.json"
  FTS_FEDERATION_CERTDIR: "/opt/fts/certs/federation.pem"
  FTS_FEDERATION_KEYDIR: "/opt/fts/certs/federation.key"
  FTS_FEDERATION_KEYPASS: "H4gF7jK9lP2mN5qR8tW1yU3xC6vB0zA"  # Strong password

Certificate Generation

Generate CA Certificate

# Generate CA private key
openssl genrsa -out /opt/fts/certs/ca.key 4096

# Generate CA certificate
openssl req -new -x509 -key /opt/fts/certs/ca.key \
  -out /opt/fts/certs/ca.pem -days 3650 \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=FTS-CA"

Generate Server Certificate

# Generate server private key
openssl genrsa -out /opt/fts/certs/server.key 2048

# Generate certificate signing request
openssl req -new -key /opt/fts/certs/server.key \
  -out /opt/fts/certs/server.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=fts.example.com"

# Sign with CA
openssl x509 -req -in /opt/fts/certs/server.csr \
  -CA /opt/fts/certs/ca.pem -CAkey /opt/fts/certs/ca.key \
  -CAcreateserial -out /opt/fts/certs/server.pem -days 365

# Create unencrypted key copy
cp /opt/fts/certs/server.key /opt/fts/certs/server.key.unencrypted

Generate Client Certificate

# Generate client private key
openssl genrsa -out /opt/fts/certs/client.key 2048

# Generate certificate signing request
openssl req -new -key /opt/fts/certs/client.key \
  -out /opt/fts/certs/client.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=client-001"

# Sign with CA
openssl x509 -req -in /opt/fts/certs/client.csr \
  -CA /opt/fts/certs/ca.pem -CAkey /opt/fts/certs/ca.key \
  -CAcreateserial -out /opt/fts/certs/client.pem -days 365

# Create P12 bundle for distribution
openssl pkcs12 -export -out /opt/fts/certs/client.p12 \
  -inkey /opt/fts/certs/client.key \
  -in /opt/fts/certs/client.pem \
  -certfile /opt/fts/certs/ca.pem \
  -password pass:supersecret

User Management

Create API User

from FreeTAKServer.core.persistence.DatabaseController import DatabaseController
import secrets

db = DatabaseController()

# Generate secure token
token = secrets.token_urlsafe(32)

# Create API user
db.create_APIUser(
    Username="api_operator",
    Password="hashed_password_here",  # Use proper password hashing
    token=token
)

Create System User

db.create_systemUser(
    uid=str(uuid4()),
    name="operator_01",
    password="hashed_password_here",
    token=secrets.token_urlsafe(32),
    device_type="desktop"
)

Using API Authentication

# Authenticate and receive token
curl -X POST https://fts.example.com:19023/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"api_operator","password":"securepass"}'

# Use token for subsequent requests
curl -X GET https://fts.example.com:19023/api/users \
  -H "Authorization: Bearer your-token-here"

Certificate Revocation Process

Add Certificate to CRL

import json
from datetime import datetime

# Read existing CRL
with open('/opt/fts/certs/FTS_CRL.json', 'r') as f:
    crl = json.load(f)

# Add revoked certificate
crl['revoked_certificates'].append({
    'serial_number': '1A2B3C4D5E6F',
    'revocation_date': datetime.utcnow().isoformat() + 'Z',
    'reason': 'compromised'
})

# Write updated CRL
with open('/opt/fts/certs/FTS_CRL.json', 'w') as f:
    json.dump(crl, f, indent=2)

Revocation Reasons

  • unspecified: No specific reason given
  • key_compromise: Private key has been compromised
  • ca_compromise: CA has been compromised
  • affiliation_changed: User’s affiliation has changed
  • superseded: Certificate has been replaced
  • cessation_of_operation: Certificate is no longer needed
  • privilege_withdrawn: User privileges have been revoked

File Permissions

Proper filesystem permissions are critical for security: 
# Set ownership
sudo chown -R fts:fts /opt/fts/certs

# Secure private keys (read-only for owner)
sudo chmod 400 /opt/fts/certs/*.key
sudo chmod 400 /opt/fts/certs/ca.key

# Secure certificates (readable by group)
sudo chmod 444 /opt/fts/certs/*.pem
sudo chmod 444 /opt/fts/certs/ca.pem

# Secure client packages directory
sudo chmod 750 /opt/fts/certs/clientPackages

# Secure CRL file
sudo chmod 644 /opt/fts/certs/FTS_CRL.json

Security Best Practices

Never commit certificates, private keys, or passwords to version control systems.
Always change default passwords and secret keys before deploying to production.
Generate cryptographically secure random strings for SecretKey, password, and federationKeyPassword using openssl rand -base64 32 or similar tools.

Mandatory Production Security Measures

  1. Change all default passwords and keys
    • SecretKey
    • password (client certificate password)
    • federationKeyPassword
    • Default admin user credentials
  2. Use SSL/TLS encryption
    • Enable SSL CoT service (port 8089)
    • Enable HTTPS TAK API (port 8443)
    • Disable unencrypted services in production
  3. Implement certificate management
    • Generate unique certificates for production
    • Use strong key lengths (2048-bit minimum, 4096-bit recommended)
    • Set appropriate certificate expiration dates
    • Implement certificate rotation procedures
  4. Configure access controls
    • Restrict CLI access with AllowCLIIPs
    • Use firewall rules to limit service access
    • Implement network segmentation
  5. Secure filesystem
    • Set restrictive permissions on certificate files
    • Protect private keys (chmod 400)
    • Regular security audits of file permissions
  6. Monitor and log
    • Enable API call logging
    • Monitor certificate expiration dates
    • Review access logs regularly
    • Implement intrusion detection
  7. Certificate revocation
    • Maintain current CRL
    • Implement certificate revocation procedures
    • Test revocation process regularly
  8. Backup security
    • Encrypt backups containing certificates
    • Secure backup storage locations
    • Test backup restoration procedures
  9. Update and patch
    • Keep FreeTAKServer updated
    • Monitor security advisories
    • Apply security patches promptly
  10. Physical security
    • Secure server physical access
    • Protect certificate storage media
    • Implement secure key disposal procedures

Security Checklist

Before deploying to production:
  • Changed default SecretKey
  • Changed default client certificate password
  • Changed default admin credentials
  • Generated production CA certificate
  • Generated production server certificates
  • Configured SSL CoT service
  • Configured HTTPS TAK API
  • Disabled unencrypted services
  • Set appropriate file permissions
  • Configured AllowCLIIPs whitelist
  • Implemented firewall rules
  • Tested certificate revocation
  • Configured backup encryption
  • Documented certificate procedures
  • Tested disaster recovery procedures

Build docs developers (and LLMs) love

Get started for freeTalk to us