Security and communications

Puppet Enterprise (PE) services and components use a variety of communication and security protocols.

| Service/Component | Communication Protocol | Authentication | Authorization |
|---|---|---|---|
| Puppet Server | HTTPS | SSL certificate verification with Puppet CA | trapperkeeper-auth |
| Certificate Authority | HTTPS | SSL certificate verification with Puppet CA | trapperkeeper-auth |
| Puppet agent | HTTPS | SSL certificate verification with Puppet CA | n/a |
| PuppetDB | HTTPS externally, or HTTP on the loopback interface | SSL certificate verification with Puppet CA | SSL certificate allow list |
| PostgreSQL | PostgreSQL TCP, SSL for PE | SSL certificate verification with Puppet CA | SSL certificate allow list |
| Activity service | HTTPS | SSL certificate verification with Puppet CA, token authentication | RBAC user-based authorization |
| RBAC | HTTPS | SSL certificate verification with Puppet CA, token authentication | RBAC user-based authorization |
| Classifier | HTTPS | SSL certificate verification with Puppet CA, token authentication | RBAC user-based authorization |
| Console Services UI | HTTPS | Session-based authentication | RBAC user-based authorization |
| Orchestrator | HTTPS, Secure web sockets | RBAC token authentication | RBAC user-based authorization |
| PXP agent | Secure web sockets | SSL certificate verification with Puppet CA | n/a |
| PCP broker | Secure web sockets | SSL certificate verification with Puppet CA | trapperkeeper-auth |
| File sync | HTTPS | SSL certificate verification with Puppet CA | trapperkeeper-auth |
| Code Manager | HTTPS; can fetch code remotely via HTTP, HTTPS, and SSH (via Git) | RBAC token authentication; for remote module sources, HTTP(S) Basic or SSH keys | RBAC user-based authorization; for remote module sources, HTTP(S) Basic or SSH keys |






