IAS

INTRO


DEVELOPMENT

* 2026-06-28 Identity graph schema operational
* 2026-06-28 CA/CMP certificate enrollment wizard operational
* 2026-06-28 ABAC trust evaluation rules operational
* 2026-06-28 One-way VPN provisioning and reconciliation operational
* 2026-06-28 Cowboy/N2O/Nitro dashboard operational

ARCHITECTURE

Zencrypted IAS is the central administration, trust, and authorization service for Zencrypted VPN overlay network gateways and endpoints. It coordinates the lifecycle of users, devices, certificates, security profiles, and authorization rules, ensuring that actual network access remains strictly compliant with defined policies.

  • ias_domain_store — Persistent KVS model managing the object graph
  • ias_device_csr_enrollment — Wizard logic for local CSR upload and CA/CMP certificate enrollment
  • ias_vpn_access_lifecycle — Trust evaluation and ABAC policy enforcement engine
  • ias_vpn_provisioning_delivery — One-way distributed Erlang RPC config provisioning to VPN gateways
  • ias_vpn_reconciliation — Periodic state auditing and reconciliation of orphan VPN configurations

DURABLE STATE & RECONCILIATION

IAS uses Mnesia through the KVS library to maintain a consistent graph of domain objects and relationships. In the event of a system restart, the durable state is completely rehydrated, preventing split-brain or data inconsistency issues. A background reconciliation loop periodically checks the runtime configurations of all connected VPN gateways via RPC. If a configuration exists on a gateway but is not authorized in IAS, it is flagged as an orphan_vpn_config incident and queued for operator decommissioning.
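The reconciliation loop described above, written out as an added Erlang illustration (this is not the project's ias_vpn_reconciliation module). It assumes a hypothetical gateway-side function vpn_gw:list_configs/0 that returns the ids of the VPN configurations a gateway is currently running, and it stands in for the KVS/Mnesia lookup with a constructed map of gateway node to authorized config ids. The RPC direction is one-way: IAS calls the gateway and nothing on the gateway calls back. An unreachable gateway is reported as an error rather than treated as "no orphans", and the loop only records incidents; it never deletes anything on the gateway, leaving decommissioning to the operator.

```erlang
%% ias_recon_example.erl -- added example, not the project's own code.
%% Assumes (hypothetical) vpn_gw:list_configs/0 on each gateway node.
-module(ias_recon_example).
-export([reconcile/2, reconcile_all/2, start_loop/3]).

-define(RPC_TIMEOUT, 5000).

%% Constructed stand-in for the domain store: #{GatewayNode => [ConfigId]}.
authorized_configs(Gateway, Authorized) ->
    maps:get(Gateway, Authorized, []).

%% One-way RPC from IAS to the gateway. A node that is down or that
%% answers with something other than a list is an error, never an
%% empty result, so a dead gateway cannot look "clean".
gateway_configs(Gateway) ->
    case rpc:call(Gateway, vpn_gw, list_configs, [], ?RPC_TIMEOUT) of
        {badrpc, Reason}            -> {error, Reason};
        Configs when is_list(Configs) -> {ok, Configs};
        Other                        -> {error, {unexpected_reply, Other}}
    end.

%% Compare the gateway's runtime state with what IAS authorizes.
%% Returns {ok, Orphans, Missing} or {error, Reason}.
%%   Orphans: running on the gateway, not authorized in IAS
%%   Missing: authorized in IAS, not deployed on the gateway
reconcile(Gateway, Authorized) ->
    case gateway_configs(Gateway) of
        {error, Reason} ->
            {error, Reason};
        {ok, Running} ->
            Wanted  = authorized_configs(Gateway, Authorized),
            Orphans = Running -- Wanted,
            Missing = Wanted -- Running,
            _ = [flag_orphan(Gateway, C) || C <- Orphans],
            {ok, Orphans, Missing}
    end.

%% Build the orphan_vpn_config incident. Here it is only logged and
%% returned; IAS proper would persist it and queue it for the operator.
flag_orphan(Gateway, ConfigId) ->
    Incident = #{type    => orphan_vpn_config,
                 gateway => Gateway,
                 config  => ConfigId,
                 at      => erlang:system_time(second)},
    logger:warning("orphan_vpn_config detected: ~p", [Incident]),
    Incident.

reconcile_all(Gateways, Authorized) ->
    [{G, reconcile(G, Authorized)} || G <- Gateways].

%% Background audit loop; IntervalMs between sweeps.
start_loop(Gateways, Authorized, IntervalMs) ->
    spawn_link(fun() -> loop(Gateways, Authorized, IntervalMs) end).

loop(Gateways, Authorized, IntervalMs) ->
    _ = reconcile_all(Gateways, Authorized),
    timer:sleep(IntervalMs),
    loop(Gateways, Authorized, IntervalMs).
```

Usage, from an IAS node connected to the gateways: ias_recon_example:start_loop(['gw1@host', 'gw2@host'], #{'gw1@host' => [<<"cfg-a">>, <<"cfg-b">>]}, 60000). A config id reported by gw1 that is not in its authorized list comes back in Orphans and is logged as an orphan_vpn_config incident; a gateway that does not answer yields {error, nodedown} for that sweep.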

KEY MANAGEMENT & SECURITY

To adhere to military-grade security requirements, IAS isolates private keys. During the provisioning wizard flow, the target client device generates its elliptic curve keypair (secp384r1) and CSR locally. The operator uploads only the CSR, which IAS submits to the Certificate Authority (CA) using CMP or EST. The resulting X.509 certificate is registered in IAS, but the private key never leaves the device and is never stored in the IAS database.
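The two halves of that flow as an added Erlang illustration (not the project's ias_device_csr_enrollment code): the device side generates the secp384r1 keypair with OTP's public_key module, and the IAS intake side accepts an upload only if it is exactly one PEM certificate request and carries no private-key block at all, so an operator who uploads the key file by mistake is refused before anything reaches the database. Building the CSR from the key is left to the device's own tooling (an assumption here), and verifying the CSR's curve and self-signature is assumed to happen at the CA/CMP step; this example only guards what IAS stores.

```erlang
%% ias_csr_intake_example.erl -- added example, not the project's own code.
-module(ias_csr_intake_example).
-export([device_generate_key/0, accept_upload/1, demo/0]).

%% PEM entry types that must never appear in an upload to IAS.
-define(KEY_TYPES, ['ECPrivateKey', 'PrivateKeyInfo',
                    'RSAPrivateKey', 'DSAPrivateKey']).

%% Device side: create the secp384r1 keypair. The returned PEM is written
%% to the device only; IAS never sees it. The device then produces a CSR
%% from this key with its own tooling (assumed, not shown).
device_generate_key() ->
    Key = public_key:generate_key({namedCurve, secp384r1}),
    Pem = public_key:pem_encode(
            [public_key:pem_entry_encode('ECPrivateKey', Key)]),
    {Key, Pem}.

%% IAS side: gate the operator's upload.
%%   {ok, CsrDer}                  exactly one CERTIFICATE REQUEST block
%%   {error, private_key_in_upload} any private-key block present
%%   {error, no_csr | expected_single_csr | malformed_csr} otherwise
accept_upload(PemBin) when is_binary(PemBin) ->
    Entries = try public_key:pem_decode(PemBin) catch _:_ -> [] end,
    case [T || {T, _Der, _Info} <- Entries, lists:member(T, ?KEY_TYPES)] of
        [_ | _] ->
            %% Refuse outright: a key must never be stored in IAS.
            {error, private_key_in_upload};
        [] ->
            case Entries of
                [{'CertificationRequest', Der, not_encrypted}] ->
                    check_csr(Der);
                [] ->
                    {error, no_csr};
                _ ->
                    {error, expected_single_csr}
            end
    end.

%% Make sure the DER actually parses as a PKCS#10 request before it is
%% handed to the CA/CMP step, which is assumed to verify curve and signature.
check_csr(Der) ->
    try
        _ = public_key:der_decode('CertificationRequest', Der),
        {ok, Der}
    catch
        _:_ -> {error, malformed_csr}
    end.

%% Constructed demonstration: uploading the device's key PEM instead of
%% its CSR is rejected; an empty upload is reported as no_csr.
demo() ->
    {_Key, KeyPem} = device_generate_key(),
    {error, private_key_in_upload} = accept_upload(KeyPem),
    {error, no_csr} = accept_upload(<<>>),
    ok.
```

Running ias_csr_intake_example:demo() returns ok. The useful property is the first branch of accept_upload: the check on key-type PEM blocks runs before the CSR check, so a file that contains both a request and a private key is still refused rather than having its key silently ignored.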


