Documentation > CDC > CDC Authentication

Authentication with CDC

Management Realms DevOps Center (CDC) is a multi-tenant cluster manager for networks of nodes.

CDC is able to manage multiple, fully separate and isolated management domains called management realms.

Consequently, each node that is to be managed by CDC needs to be paired with exactly one management realm on CDC first.

A management realm is a realm on CDC dedicated to one larger system of a customer with potentially many thousand nodes attached to and many thousand CDC API clients, like customer operators or tools.

Each management realm is fully isolated from all other management realms, serving different WAMP routing namespaces and with CDC backends running in dedicated processes, effectively preventing any data leakage.


Both nodes and CDC API clients authenticate to CDC via WAMP-cryptosign.

WAMP-cryptosign is a public-private key authentication mechanism based on elliptic curve Curve25519, namely it adopts Ed25519 to authenticate WAMP peers.

User Authentication

For CDC API clients, the public-private keys are generated by the user with ssh-keygen, which is part of the standard OpenSSH package:

ssh-keygen -t ed25519 -f mykey

Important: do NOT set a passphrase. For simple use (like demonstrated here), keys should be protected using filesystem permissions, but otherwise not protected by a passphrase. To use a passphrase with your key, load and unlock your key into OpenSSH agent and use the agent support built into Autobahn for WAMP-cryptosign authentication.

Above will generate 2 files:

  • mykey - the private user key (OpenSSH format)
  • - the public user key (OpenSSH format)

Users are assigned one of the following authentication roles on the respective management realm upon successfull authentication:

  • cdc-guest
  • cdc-devop
  • cdc-admin
  • cdc-owner

Node Authentication

For nodes, the public-private keys are automatically generated when a node first starts:

  • CBDIR/.crossbar/key.priv - the private node key ( format)
  • CBDIR/.crossbar/ - the public node key ( format) nodes need to be paired with CDC first. The node pairing makes the node's public key known to CDC, associates the node with a management realm and assign a node ID to the node.

The node ID is identical to the WAMP authid assigned by CDC during the authentication to the node.

All nodes are assigned the authentication role

  • cdc-node

on the respective management realm after successfull authentication.

CDC Pairing


During the alpha-testing of the first CDC ready release 16.10, pairing of nodes and CDC API clients with CDC is not yet available and provisioning of new management realms and users involves some manual steps beginning with sending us

  • your desired management realm name,
  • the owner's user public key (OpenSSH format) and
  • optionally, one or more node public keys ( format) and
  • optionally, one or more CDC API client public keys (OpenSSH format)

Drop us an email at support at crossbario dot com with subject line alpha-16.10 and we'll setup your management realm on our CDC alpha hosting service and provide you access from Web UIs, command line tools or programmatic and remote access to your nodes.

API based Registration

Displaying keys

The release key (which changes with each release) is displayed together with version information

(cpy351_5) oberstet@thinkpad-t430s:~$ crossbar version
     __  __  __  __  __  __      __     __
    /  `|__)/  \/__`/__`|__) /\ |__)  |/  \
    \__,|  \\__/.__/.__/|__)/~~\|  \. |\__/        : 16.10.dev1
   Autobahn         : 0.16.0 (with JSON, MessagePack, CBOR, UBJSON)
   Twisted          : 16.3.0-EPollReactor
   LMDB             : 0.89/lmdb-0.9.18
   Python           : 3.5.1/CPython
 OS                 : Linux-3.13.0-92-generic-x86_64-with-debian-jessie-sid
 Machine            : x86_64
 Release key        : RWQ2MDk26PKBMNUZG2Jok1tMBB1SKyci+N7dtcep8jrikTl4NvI1Rnux

The node public key is printed when the node starts:

(cpy351_5) oberstet@thinkpad-t430s:~/foo$ crossbar start
2016-08-14T22:25:45+0200 [Controller  20410] New node key pair generated!
2016-08-14T22:25:45+0200 [Controller  20410] File permissions on node public key fixed!
2016-08-14T22:25:45+0200 [Controller  20410] File permissions on node private key fixed!
2016-08-14T22:25:45+0200 [Controller  20410] Node configuration loaded from 'config.json'
2016-08-14T22:25:45+0200 [Controller  20410]      __  __  __  __  __  __      __     __
2016-08-14T22:25:45+0200 [Controller  20410]     /  `|__)/  \/__`/__`|__) /\ |__)  |/  \
2016-08-14T22:25:45+0200 [Controller  20410]     \__,|  \\__/.__/.__/|__)/~~\|  \. |\__/
2016-08-14T22:25:45+0200 [Controller  20410]
2016-08-14T22:25:45+0200 [Controller  20410] Version: 16.10.dev1
2016-08-14T22:25:45+0200 [Controller  20410]     Node Public Key: 0a439d8ec8a36c2a7ecd4388ed6f0221fa6e2e46a8e6c8481ab7950a4dc27735
2016-08-14T22:25:45+0200 [Controller  20410]
2016-08-14T22:25:45+0200 [Controller  20410] Running from node directory '/home/oberstet/foo/.crossbar'

There is also a new crossbar keys command which prints both the release and node key in hex and as a qr code for scanning.