BSFG Identity Model

Audience: Security architects, infrastructure engineers. Use: Define zone identity, certificate, and account-scoping rules for BSFG nodes.

Zone Identity Principle

Each zone has a zone identity derived from deployment configuration, not from application semantics or network location. The zone identity is:

Stable: Does not change across deployments or restarts
Unique: Each zone has exactly one identity
Auditable: Appears in logs, certificates, and RPC headers

Zone Identity Examples

enterprise-bsfg      (Enterprise zone)
idmz-bsfg           (IDMZ zone)
plant-a-bsfg        (Plant A zone)
plant-b-bsfg        (Plant B zone)

Naming Convention

Zone names follow the pattern: <deployment-context>-bsfg

deployment-context = IDMZ subnet name, plant code, or business unit (e.g., enterprise, plant-a, idmz)
-bsfg = suffix to clearly identify as a BSFG boundary node

Alternative formats (if preferred):

With FQDN suffix: bsfg-enterprise.example.com
With datacenter: dc1-plant-a-bsfg

mTLS Certificates

Each BSFG node has an mTLS certificate whose Subject CN (Common Name) is the zone identity.

Certificate Structure

Subject:
  CN=enterprise-bsfg
  O=MyOrganization
  OU=Operations
  L=Headquarters
  ST=StateOrProvince
  C=CountryCode

SubjectAltName (SAN):
  DNS: bsfg-enterprise.example.com
  DNS: bsfg-ent.local
  IP: 10.0.1.10

Key Usage:
  TLS Web Server Authentication
  TLS Web Client Authentication

Issuer:
  CN=MyOrganization-CA
  O=MyOrganization

Certificate Generation

Example (using openssl):

# Generate private key
openssl genrsa -out enterprise-bsfg.key 4096

# Generate CSR (Certificate Signing Request)
openssl req -new \
  -key enterprise-bsfg.key \
  -out enterprise-bsfg.csr \
  -subj "/CN=enterprise-bsfg/O=MyOrg/C=US"

# Sign with CA (assume CA cert and key exist)
openssl x509 -req \
  -in enterprise-bsfg.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -out enterprise-bsfg.crt \
  -days 365 \
  -sha256 \
  -extfile <(echo "subjectAltName=DNS:bsfg-ent.local,IP:10.0.1.10") \
  -extensions v3_req

NATS Accounts and Authorization

Each zone's JetStream domain is isolated. NATS accounts are zone-scoped, not globally shared.

Account Model

Accounts in Enterprise JetStream:
  - enterprise-account (all applications in Enterprise)
  - system-account (BSFG node system calls)

Accounts in Plant A JetStream:
  - plant-a-account (all applications in Plant A)
  - system-account (BSFG node system calls)

Accounts in IDMZ JetStream:
  - idmz-account (IDMZ applications and mediated workloads)
  - system-account (BSFG node system calls)

Authorization Rules

Each account has permissions on subjects (streams) and operations (publish, subscribe):

enterprise-account:
  publish:
    subject: "facts.>" (allow publishing to all fact streams)
    allow
  subscribe:
    subject: "facts.>" (allow subscribing)
    allow

plant-a-account:
  publish:
    subject: "facts.>" (allow publishing)
    allow
  subscribe:
    subject: "facts.>" (allow subscribing)
    allow

system-account:
  publish:
    subject: "$JS.>"  (system streams for cursor, confirmations)
    allow
  subscribe:
    subject: "$JS.>"
    allow

Envelope Validation

When a fact arrives with envelope fields from_zone and to_zone, the BSFG node validates them against the authenticated peer identity (mTLS certificate CN).

Validation Logic

peer_cert = extract_peer_certificate()
peer_zone_id = peer_cert.Subject.CN

fact_envelope = extract_envelope(incoming_fact)
claimed_from_zone = fact_envelope.from_zone

if (claimed_from_zone != peer_zone_id) {
  reject(error: "from_zone does not match authenticated peer identity")
}

// Envelope is valid; proceed with AppendFact

Why Validate?

The from_zone field is declarative (claims origin). An attacker with network access could forge it. mTLS authentication binds the claim to a verified certificate, preventing spoofing.

Zone Identity in Logs and Monitoring

All audit logs should include the zone identity:

[2026-03-06T14:30:00Z] AppendFact
  from_zone: enterprise-bsfg
  authenticated_peer: enterprise-bsfg (cert CN)
  message_id: "evt-12345"
  offset: 1000
  status: success

Identity Lifecycle

Initial Setup

Define zone names in deployment configuration (e.g., Terraform, Helm values)
Generate mTLS certificates with zone identity in CN
Deploy BSFG nodes with certificates
Create NATS accounts per zone

Adding a New Zone (e.g., Plant B)

Choose zone identity: plant-b-bsfg
Generate mTLS certificate with CN=plant-b-bsfg
Deploy BSFG node in Plant B zone
Create NATS account for Plant B applications
Update firewall rules to allow Plant B ↔ IDMZ communication
Update any cross-zone routing policies or discovery

Certificate Rotation

Periodically rotate certificates (every 1–2 years or when policy changes):

Generate new certificate with the same CN (zone identity)
Install new certificate on the BSFG node
Restart BSFG node (or hot-reload if supported)
Verify connectivity with all peer zones

Multi-Instance HA (Optional)

If a zone runs multiple BSFG node instances (for HA):

All instances have the same zone identity (shared CN)
All instances use the same certificate (or different certificates with same CN)
From peer perspective, the zone is one logical entity (not multiple nodes)

Zone: Enterprise
  Instance 1 (10.0.1.10):  CN=enterprise-bsfg
  Instance 2 (10.0.1.11):  CN=enterprise-bsfg
  Instance 3 (10.0.1.12):  CN=enterprise-bsfg

Peers see one zone identity "enterprise-bsfg" (the logical zone), not three nodes.

Deployment Checklist

☐ Define zone names (deployment context)
☐ Document zone identities in deployment guide
☐ Generate mTLS certificates for each BSFG node (CN = zone identity)
☐ Install certificates on BSFG nodes
☐ Configure BSFG to validate peer certificates and extract zone identity
☐ Create NATS accounts per zone
☐ Configure NATS authorization rules
☐ Verify envelope validation (from_zone matches peer certificate)
☐ Test cross-zone RPC with authenticated identities
☐ Set up certificate renewal alerts (30 days before expiry)

← Back: Network Policy Next: Operations Runbook →