Deliverable D1.7
EMERALD Integrated solution – 1

Editor(s): Iñaki Etxaniz
Responsible Partner: TECNALIA Research & Innovation
Status-Version: Final - 1.0
Date: 30.04.2025
Type: Other (SW)
Distribution level (SEN, PU): PU
D1.7 - EMERALD Integrated solution - 1 Version 1.0 – Final. Date: 30.04.2025
© EMERALD Consortium Contract No. GA 101120688 Page 2 of 46
www.emerald-he.eu

Project Number: 101120688
Project Title: EMERALD
Title of Deliverable: EMERALD Integrated solution – 1
Due Date of Delivery to the EC: 30.04.2025
Workpackage responsible for the Deliverable: WP1 - Concept and methodology of EMERALD
Editor(s): Iñaki Etxaniz (TECNALIA)
Contributor(s): FABA, TECNALIA, Fraunhofer, CNR, SCCH
Reviewer(s): Nico Haas (Fraunhofer); Cristina Martínez, Juncal Alonso (TECNALIA)
Approved by: All Partners
Recommended/mandatory readers: WP1, WP2, WP3, WP4, WP5
Abstract: Initial integrated solution of the EMERALD audit suite
Keyword List: Architecture, Integration, CaaS, Docker, Kubernetes, platform, API, environments, development, production
Licensing information: This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0 DEED https://creativecommons.org/licenses/by-sa/4.0/)
Disclaimer: Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. The European Union cannot be held responsible for them.

Document Description

| Version | Date | Modifications Introduced: Modification Reason | Modifications Introduced: Modified by |
|---|---|---|---|
| 0.1 | 11.02.2025 | ToC defined | TECNALIA |
| 0.2 | 25.02.2025 | First draft version | TECNALIA |
| 0.3 | 15.03.2025 | Updated Sections 1 and 2 | TECNALIA |
| 0.4 | 18.03.2025 | Contributions by consortium partners to Section 3 | FABA, TECNALIA, Fraunhofer, CNR, SCCH |
| 0.5 | 03.04.2025 | Conclusions and Executive Summary. Sent to QA review | TECNALIA |
| 0.6 | 14.04.2025 | Addressed recommendations from QA review. Sent to final review. | Fraunhofer, TECNALIA |
| 0.7 | 19.04.2025 | Addressed recommendations from final review | TECNALIA |
| 1.0 | 30.04.2025 | Final version submitted to the European Commission | TECNALIA |

Table of contents
Terms and Abbreviations
Executive Summary
1 Introduction
1.1 About this deliverable
1.2 Document structure
2 Integration Overview
2.1 Architecture Overview
2.1.1 Workflows
2.1.1 Design of the CI/CD Solution
2.2 Components Integrated in the EMERALD Framework 1
2.3 Test Bed Environment
2.3.1 Container orchestration
2.3.2 Storage
2.3.3 Docker registry
2.3.4 Network
2.3.5 Dashboard
2.3.6 Certificates
2.3.7 Deployment view
2.4 Steps to Integrate a Component
2.5 Overall status of the integration
3 Integration of Components
3.1 Evidence Collectors
3.1.1 AI-SEC
3.1.2 AMOE
3.1.3 Clouditor-Discovery
3.1.4 Codyze
3.1.5 eknows-e3
3.2 Evidence Assessment and Certification
3.2.1 TWS
3.2.2 MARI
3.2.3 RCM
3.2.4 Orchestrator
3.2.5 Evidence Store
3.2.6 Assessment
3.2.7 Evaluation
3.3 EMERALD UI
4 Conclusions
5 References

List of tables
TABLE 1. COMPONENTS IN THE EMERALD FRAMEWORK V1
TABLE 2. INTEGRATION STATUS
TABLE 3. POINT-TO-POINT INTEGRATION STATUS
TABLE 4. INTEGRATION STATUS OF AI-SEC WITH OTHER EMERALD COMPONENTS
TABLE 5. INTEGRATION STATUS OF AMOE WITH OTHER EMERALD COMPONENTS
TABLE 6. INTEGRATION STATUS OF CLOUDITOR-DISCOVERY WITH OTHER EMERALD COMPONENTS
TABLE 7. INTEGRATION STATUS OF CODYZE WITH OTHER EMERALD COMPONENTS
TABLE 8. INTEGRATION STATUS OF EKNOWS-E3 WITH OTHER EMERALD COMPONENTS
TABLE 9. INTEGRATION STATUS OF TWS WITH OTHER EMERALD COMPONENTS
TABLE 10. INTEGRATION STATUS OF MARI WITH OTHER EMERALD COMPONENTS
TABLE 11. INTEGRATION STATUS OF THE RCM WITH OTHER EMERALD COMPONENTS
TABLE 12. INTEGRATION STATUS OF ORCHESTRATOR WITH OTHER EMERALD COMPONENTS
TABLE 13. INTEGRATION STATUS OF EVIDENCE STORE WITH OTHER EMERALD COMPONENTS
TABLE 14. INTEGRATION STATUS OF ASSESSMENT WITH OTHER EMERALD COMPONENTS
TABLE 15. INTEGRATION STATUS OF EVALUATION WITH OTHER EMERALD COMPONENTS
TABLE 16. INTEGRATION STATUS OF EMERALD UI WITH OTHER EMERALD COMPONENTS

List of figures
FIGURE 1. EMERALD COMPONENTS
FIGURE 2. PARTICIPATION OF THE COMPONENTS IN THE EMERALD BLUEPRINT FOR AUDIT PREPARATION
FIGURE 3. MERGE REQUEST AND GENERIC CI/CD PIPELINES
FIGURE 4. INTEGRATION AND PRODUCTION ENVIRONMENTS IN THE EMERALD CAAS FRAMEWORK
FIGURE 5. URL NAMING CONVENTION FOR INTEGRATION/PRODUCTION ENVIRONMENTS
FIGURE 6. KUBERNETES CLUSTER INSTALLATION WITH RKE2
FIGURE 7. LONGHORN DASHBOARD IN RANCHER
FIGURE 8. EMERALD DOCKER REGISTRY
FIGURE 9. RANCHER DASHBOARD
FIGURE 10. DEPLOYMENT DIAGRAM
FIGURE 11. COMPONENT INTEGRATION MAIN STEPS
FIGURE 12. EVIDENCE COLLECTORS IN THE EMERALD ARCHITECTURE
FIGURE 13. ASSESSMENT TOOLS IN THE EMERALD ARCHITECTURE
FIGURE 14. EMERALD UI IN THE ARCHITECTURE

List of listings
LISTING 1. AMOE API OVERVIEW
LISTING 2. TWS API ENDPOINTS FOR ACCOUNT MANAGEMENT
LISTING 3. TWS API ENDPOINTS FOR USERS MANAGEMENT
LISTING 4. TWS API ENDPOINTS FOR INFORMATION REGISTRATION
LISTING 5. TWS API ENDPOINTS FOR INFORMATION ACCESS
LISTING 6. TWS API ENDPOINTS FOR INTEGRITY VERIFICATION
LISTING 7. MARI API ENDPOINTS FOR MAPPING
LISTING 8. RCM API ENDPOINTS FOR SCHEMA INFORMATION
LISTING 9. RCM API ENDPOINTS FOR CONTROL INFORMATION
LISTING 10. RCM API ENDPOINTS FOR METRIC INFORMATION
LISTING 11. RCM API ENDPOINTS FOR SIMILAR CONTROL RESOURCE
LISTING 12. RCM API ENDPOINTS FOR QUESTIONNAIRE RESOURCES
LISTING 13. ORCHESTRATOR API ENDPOINTS FOR ASSESSMENT RESULTS
LISTING 14. ORCHESTRATOR API ENDPOINTS FOR METRICS
LISTING 15. ORCHESTRATOR API ENDPOINTS FOR TARGETS OF EVALUATION
LISTING 16. ORCHESTRATOR API ENDPOINTS FOR HANDLING CERTIFICATES
LISTING 17. ORCHESTRATOR API ENDPOINTS FOR CERTIFICATES (PUBLICLY AVAILABLE)
LISTING 18. ORCHESTRATOR API ENDPOINTS FOR CATALOGUES
LISTING 19. ORCHESTRATOR API ENDPOINTS FOR AUDIT SCOPES
LISTING 20. EVIDENCE STORE API ENDPOINTS
LISTING 21. ASSESSMENT API ENDPOINT FOR EVIDENCE
LISTING 22. EVALUATION API ENDPOINTS

Terms and Abbreviations
AI: Artificial Intelligence
AI-SEC: AI Security Evidence Collector
AIC4: AI Cloud Service Compliance Criteria Catalogue
AMOE: Assessment and Management of Organizational Evidence
API: Application Programming Interface
AWS: Amazon Web Services
BSI: Bundesamt für Sicherheit in der Informationstechnik
CaaS: Compliance-as-a-Service¹
CI/CD: Continuous Integration / Continuous Delivery
CLI: Command Line Interface
CM: Compliance Manager
CSP: Cloud Service Provider
EC: European Commission
EUCS: European Cybersecurity Certification Scheme for Cloud Services
GA: Grant Agreement of the project
GB: GigaByte
gRPC: Google Remote Procedure Call
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IAM: Identity and Access Management
IaC: Infrastructure as Code
IP: Internet Protocol
JSON: JavaScript Object Notation
KR: Key Result
MARI: Mapping Assistant for Regulations with Intelligence
ML: Machine Learning
MS: Milestone
NLP: Natural Language Processing
OSCAL: Open Security Controls Assessment Language
OS: Operating System
RAM: Random Access Memory
RBAC: Role-Based Access Control
RCM: Repository of Controls and Metrics
REST: Representational State Transfer
RKE: Rancher Kubernetes Engine
SSL: Secure Sockets Layer
TWS: Trustworthiness System
UI/UX: User Interface / User Experience
URL: Uniform Resource Locator
VCS: Version Control System
VM: Virtual Machine
WP: Work Package

¹ Please note that in previous deliverables and in the DoA, the term Certification-as-a-Service was used to stand for CaaS. Compliance has now been introduced to clarify that EMERALD can be used to assess both normative models and internal organizational models.

Executive Summary
The deliverable D1.7 presents the initial integrated solution of the EMERALD framework, which includes the integration of the components developed in the project's technical work packages. This document accompanies the software deliverable and provides an overview of the integration approach, the status of the integration, and the components involved.

This deliverable is related to Work Package 1 (WP1), which focuses on the project's concept and methodology. The integrated solution is a crucial part of the project as it enables collaboration and communication between the different components developed in other work packages.

The integration approach is described first. The integration of the components is based on two main pipelines that automate it: the first one builds the project, creating the Docker images and pushing them to the Artifactory. The second one deploys the components to the test bed environment and verifies it. The test bed is composed of two environments, integration and production, and is based on OpenStack Virtual Machines. A three-node Kubernetes cluster is mounted on top of them.

An eight-step procedure is defined for the integration of a component in the EMERALD framework. The status of the integration of each component is provided, including the APIs published and the interconnection with the rest of the components.

The main results of this deliverable include the development of an initial prototype of the EMERALD framework; the implementation of an integration strategy that allows collaboration between components; the deployment of components in the integration and production environments; and the documentation of the integration status of each component, providing a basis for future improvements and developments.

Future related work in the project will focus on the continuous integration of the EMERALD framework, including new releases with more functionalities and feedback from the users of the first version of the framework. This work will be reflected in a second version of the deliverable, D1.8, scheduled for month 30 of the project, which will include the updated status of the integration of the EMERALD components.

1 Introduction
1.1 About this deliverable
This is the companion document of the software deliverable D1.7, which aims to have an initial prototype of the EMERALD Compliance-as-a-Service² (CaaS) Framework that integrates the components developed by the other technical work packages. This first version of the integrated solution corresponds to the Milestone MS3 – Integrated Audit Suite 1 and is mainly based on version 1 of the EMERALD components (M12), although some additional development made until M15 has also been included in some cases. All the referred software is available in the project's public Gitlab (https://git.code.tecnalia.dev/emerald/public).

The document first gives an overview of the integration approach, to show the reader what components are integrated, where and how, and the status of the overall integration task. It also describes the hardware equipment used to set up the test bed³, the resources needed for the installation, and the configuration. The methodology through which a component is integrated in the framework is introduced as well. The document also includes the description of the main workflow in several scenarios and briefly describes the CI/CD solution that has been implemented to support the development and integration activities of the EMERALD framework. Finally, the document provides a detailed overview of the current status of the integration of all components of the EMERALD framework.

A second version of the deliverable is planned for month 30 of the project. This second version will incorporate advancements and improvements made in the time between the two releases. It is expected that some of the improvements will come from user feedback, testing, and discussions on the current version.

1.2 Document structure
The remainder of the document is organized as follows:
Section 2 presents a general description of the integration strategy and tools. It gives an overview of the EMERALD CaaS framework, the resources used for the test bed environments, the integration steps of each component, and the CI/CD implementation supporting the integration of the EMERALD framework. An overall integration status is also provided.
Section 3 provides in more detail the integration status of each EMERALD component, in terms of the connection with other components.
Section 4 presents the conclusions, including a summary of the main outcomes of the deliverable.

² Please note that in previous deliverables and in the DoA, the term Certification-as-a-Service was used to stand for CaaS. Compliance has now been introduced to clarify that EMERALD can be used to assess both normative models and internal organizational models.
³ A “Test Bed” refers to the setup where the testing activities take place. It includes the combination of hardware, software, network configurations, and other necessary components that provide the infrastructure which aims to simulate the real-world conditions under which the software will operate. (see more at https://testingfundamental.com/test-bed)

We have followed an Infrastructure as Code (IaC) approach for the deployment. For the creation and configuration of the cluster we have used OpenTofu¹³ and Ansible¹⁴ technologies. OpenTofu is used to create the nodes, networks, network interfaces, and security groups, among other infrastructural elements. Ansible is used to configure the nodes with the software packages required to implement the Kubernetes cluster. The IaC files are also under a configuration management process, in the Gitlab repository of the project. The usage of IaC provides several advantages to the project management:
• Allows the redeployment of the cluster from scratch, if we need to migrate.
• Simplifies the horizontal scaling of Kubernetes, if more capacity is required.
• Reusable by pilots, in case they have similar infrastructure.

2.3.1 Container orchestration
The EMERALD framework functionalities are made up by the collaboration of micro-services, which communicate with each other through APIs, are packaged in Docker images and run in containers. Kubernetes orchestrates all these containers in a virtual environment running in a highly available cluster.

We also use an IaC approach based on Kustomize¹⁵ to describe the deployment and collaboration of all components of the EMERALD project. The container orchestration is stored in a separate Gitlab repository of the project named “CaaS Framework”. The repository contains a folder with the details of the deployment of the individual components (called components), and other folders that describe the environments: integration and production.

Figure 6. Kubernetes cluster installation with RKE2

¹³ https://opentofu.org
¹⁴ https://www.ansible.com
¹⁵ Kustomize traverses a Kubernetes manifest to add, remove or update configuration options without forking. More information is available at https://kustomize.io/

2.3.2 Storage
The micro-services can store their data in an easy and secure way thanks to the configuration of a distributed filesystem provided by Longhorn¹⁶. Each node of the cluster provides 200 GB of storage, which is managed by Longhorn and exposed as a single, unified cluster filesystem. Thus, the data is replicated across the three nodes, and a total of 989 GB of fault-tolerant and highly available storage is assured, as shown in Figure 7.

Figure 7. Longhorn dashboard in Rancher

2.3.3 Docker registry
The micro-services running on the Kubernetes cluster are packaged in Docker images and stored in a private Docker Registry running in the TECNALIA infrastructure’s Artifactory¹⁷. To access the Docker Registry, a Kubernetes secret has been created with the credentials. This allows Kubernetes to pull the micro-service images and then run them on the cluster.

The images are pushed to the Docker registry by the GitLab CI/CD pipelines in the following URL according to the structure agreed for the project, as shown in Figure 8.
artifact.tecnalia.dev/ui/native/emerald-docker-dev-local/<component>/

¹⁶ Longhorn is an open-source, cloud-native distributed storage solution for delivering persistent block storage with low requirements and overhead. For more details see https://rook.io/docs/rook/v1.8/
¹⁷ https://jfrog.com/artifactory/
Figure 8. EMERALD Docker registry
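
The repository layout of Section 2.3.1 and the registry pull secret of Section 2.3.3 can be sketched as follows. This is an added example, not taken from the project's CaaS Framework repository: the component name, registry host, secret name and version tag are placeholders, and only the folder names (components, integration) and the repository name emerald-docker-dev-local come from the text.

```yaml
# Added illustration. Each "---" section stands for a separate file; the
# path is given in the comment above it. Names other than the folder names
# and emerald-docker-dev-local are assumed placeholders.

# File: components/example-component/deployment.yaml (base manifest)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-component              # placeholder component name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-component
  template:
    metadata:
      labels:
        app: example-component
    spec:
      # The registry credentials are referenced by name, never embedded
      # in the manifest that is committed to Git.
      imagePullSecrets:
        - name: registry-pull          # assumed secret name
      containers:
        - name: example-component
          # registry.example.invalid stands in for the private registry host
          image: registry.example.invalid/emerald-docker-dev-local/example-component:latest
          ports:
            - containerPort: 8080      # assumed port
---
# File: components/example-component/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
---
# File: integration/kustomization.yaml (environment overlay)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: integration                 # every resource is placed in this namespace
resources:
  - ../components/example-component
images:
  # The overlay pins the tag per environment; the base stays untouched.
  - name: registry.example.invalid/emerald-docker-dev-local/example-component
    newTag: "1.0.0"                    # constructed version number

# The pull secret is created out of band, with a read-only registry
# account, so that the password never enters the repository:
#   kubectl create secret docker-registry registry-pull \
#     --namespace integration \
#     --docker-server=registry.example.invalid \
#     --docker-username=<read-only-account> \
#     --docker-password=<token>
#
# Render the overlay for review, then apply it:
#   kubectl kustomize integration/
#   kubectl apply -k integration/
```

A production overlay would have the same shape with `namespace: production` and its own pinned tag, and the pull secret has to exist in each namespace that runs the images.
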
2.3.4 Network
On the Kubernetes cluster, an nginx¹⁸ service is configured as a proxy to redirect all the requests to the correct micro-service component. The binding between the nginx service and the public IP is set up with KubeVip¹⁹, a network load-balancer that associates the public IP to the nginx service and uses standard routing protocols to make available (part of) the network behind the Kubernetes cluster. It is essential for the EMERALD cluster because, unlike a public cloud provider cluster, nginx has no load balancer, and Kubernetes does not provide it by itself.

2.3.5 Dashboard
We have two accounts in Kubernetes, with different permissions: one that has access to all cluster resources and to the administration options (“admin”), and one that has the permissions restricted to the integration and production namespaces (“emerald_developer”).

Rancher provides a web-based dashboard for the Kubernetes cluster (see Figure 9). It is helpful to deploy containerised applications to a Kubernetes cluster, troubleshoot them, and manage cluster resources.

¹⁸ https://www.nginx.com/
¹⁹ https://kube-vip.io/
Figure 9. Rancher Dashboard
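
A namespace-restricted account such as “emerald_developer” can be expressed in Kubernetes RBAC as shown below. This is an added example, not the project's own manifests: the role name, the list of permitted resources and the literal namespace names integration and production are assumptions, and the user name must match what the cluster's authenticator presents.

```yaml
# Added illustration. A ClusterRole only defines a permission set; it
# grants nothing until it is bound. Binding it with namespaced RoleBindings
# limits the rights to those namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: emerald-developer              # assumed role name
rules:
  # Workload resources a developer needs for deploying and troubleshooting.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # No rule for secrets, nodes, namespaces or RBAC objects: registry
  # credentials and cluster administration stay with the admin account.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: emerald-developer
  namespace: integration               # rights apply in this namespace only
subjects:
  - kind: User
    name: emerald_developer            # account name given in the text
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: emerald-developer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: emerald-developer
  namespace: production
subjects:
  - kind: User
    name: emerald_developer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: emerald-developer
  apiGroup: rbac.authorization.k8s.io

# The boundary can be checked from the admin account by impersonation:
#   kubectl auth can-i list pods --as emerald_developer -n integration
#   kubectl auth can-i list pods --as emerald_developer -n kube-system
#   kubectl auth can-i list nodes --as emerald_developer
#   kubectl auth can-i get secrets --as emerald_developer -n production
```
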
2.3.6 Certificates
Access to the Dashboard is secured via HTTPS. The certificates are installed using Cert-Manager²⁰. Cert-Manager automates the provisioning of certificates and provides a set of custom resources to issue certificates and attach them to services. EMERALD secures web apps and APIs with SSL certificates from Let’s Encrypt²¹. We installed Cert-Manager using the manifest file, created an issuer that uses the Let’s Encrypt API for the Dashboard domain and exposed it over HTTPS. The Dashboard is exposed over HTTPS at the address: https://k8so.emerald.digital.tecnalia.dev/dashboard/.
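
The issuer-plus-HTTPS setup described above can look like the following with cert-manager. This is an added example, not the project's configuration: the namespace, contact address, host name, secret names and backend service are placeholders, and it assumes an ingress-nginx controller and cert-manager 1.12 or later (older releases use `class: nginx` in the solver).

```yaml
# Added illustration. A namespaced Issuer keeps the ACME account scoped to
# the namespace that needs it. All names below are assumed placeholders.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: dashboard
spec:
  acme:
    # Staging endpoint: certificates are not publicly trusted, which makes
    # it suitable for validating the setup before using the production API.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.org
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key is stored here
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: dashboard
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.org
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard
  namespace: dashboard
  annotations:
    # cert-manager watches this annotation and requests the certificate
    # named in spec.tls[].secretName from the referenced Issuer.
    cert-manager.io/issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dashboard.example.org
      secretName: dashboard-tls        # certificate and key are written here
  rules:
    - host: dashboard.example.org
      http:
        paths:
          - path: /dashboard
            pathType: Prefix
            backend:
              service:
                name: dashboard        # placeholder backend service
                port:
                  number: 80

# Issuance and renewal state can be inspected with:
#   kubectl get certificate -n dashboard
#   kubectl describe certificate dashboard-tls -n dashboard
```
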
2.3.7 Deployment view
The EMERALD CaaS Framework is deployed on the Kubernetes cluster. As we explained in Section 2.3, the cluster is currently composed of three nodes. Figure 10 shows a deployment diagram of the solution, showing all components deployed (in blue). Each component is composed of one or more containers, represented by artifacts (white boxes).

²⁰ https://cert-manager.io/docs/
²¹ https://letsencrypt.org/

Figure 10. Deployment diagram

Figure 10 represents the deployment at a given time. The distribution of the artifacts among the nodes is managed by Kubernetes, and it is possible that a single component has its artifacts distributed on different nodes (e.g., AMOE or RCM). This distribution is automatically modified by Kubernetes according to its own performance and resource management criteria.

The Codyze, eknows-e3 and AI-SEC components are not present in Figure 10, as they are evidence extractors that are intended to run in a separate environment, alongside a GitLab runner that gives them access to the files to be analysed.

2.4 Steps to Integrate a Component
Once the Test Bed environment has been installed and properly configured, the next step is the deployment of all components in the cluster.

To better organize the integration, we have adopted the following methodology, which presents the actions to be taken until the complete release of the EMERALD Framework. Figure 11 shows the main steps in the integration and deployment of a component²²:
1. The source code of each component must be uploaded to the private GitLab repository.
2. Once finalised and tested, each component must be containerised into a Docker image, so it must provide dockerfile(s) in the GitLab repository, which help automate the building of the images after any changes in the code.
3. The Docker image must be made available on the private docker registry Artifactory.
4. The configuration and side services of each component should be specified in the CaaS Framework repository.
5. The configuration must be manually tested to perform standalone, point-to-point, and workflow tests, to verify that each component is deployed correctly, communicates with its peers, and the workflows (described in section 2.1.1) are correctly implemented.
6. If the tests are passed, the release can be merged with the integration environment.
7. Automated integration tests are performed in the integration environment.
8. If the tests are passed, the version is promoted to the production environment and a new release is created.

²² The integration of non-open source components skips steps 1 and 2.

Figure 11. Component integration main steps

The integration plan includes three phases that will be completed in months M18, M30, and M34, respectively. Currently, we have performed the first round, where the integration of components has been carried out manually by each partner.

During this first round, WP1 delivered a workshop to the rest of the consortium to introduce the main concepts of Docker and Kubernetes and explained the integration steps. All components were developed concurrently, and their code history was tracked using the GitLab version control system. In addition, semantic release numbering was implemented to track the progress of the project. All components are containerised and have been deployed on the project-internal integration server. Dockerfile recipes are available to easily recreate the integration environment. All REST API endpoints are exposed on a common network to enable communication between components. The EMERALD Framework is installed entirely using Kubernetes manifests.

In phases 2 and 3 we expect to have the deployment fully automated, governed by the CI/CD pipelines. We will also set up the production environment, with a stable version always available in it. Finally, the installation will be implemented in the pilots.

2.5 Overall status of the integration
This section provides an overview of the integration status of the components in the EMERALD framework. Table 2 shows the steps to be carried out for the integration of each component, as well as their degree of completion. Section 3 provides more details on the level of integration of each component.

Table 2. Integration status

| Component | License | Gitlab Repo | Public Repo | README | Docker Images | OpenAPI spec | K8s file | Deploy pipeline | Deployed (integr.) | Integration URL |
|---|---|---|---|---|---|---|---|---|---|---|
| AMOE | √ (Apache) | √ | √ | √ | √ | √ | √ | √ | √ | URL |
| MARI | √ (Apache) | √ | √ | √ | √ | √ | √ | √ | √ | URL |
| RCM | √ (Apache) | √ | √ | √ | √ | √ | √ | √ | √ | URL |
| TWS * | √ (Proprietary) | N/A | N/A | √ | √ | √ | √ | √ | √ | URL |
| Assessment | √ (Apache) | √ | √ | √ | √ | √ | √ | √ | √ | URL |
| Clouditor-Discovery | √ (Apache) | √ | √ | √ | √ | N/A | √ | √ | √ | URL |
| Evaluation | √ (Apache) | √ | √ | √ | √ | √ | √ | √ | √ | URL |
| Evidence Store | √ (Apache) | √ | √ | √ | √ | √ | √ | √ | √ | URL |
| Orchestrator | √ (Apache) | √ | √ | √ | √ | √ | √ | √ | √ | URL |
| Codyze | √ (Apache) | √ | √ | √ | X | √ (CLI) | N/A | X | X | N/A |
| eKnows-e3 * | √ (Apache, others) | √ | √ & N/A | √ | √ | √ (CLI) | N/A | X | X | N/A |
| AI-SEC | √ (Apache) | √ | √ | √ | X | X | N/A | X | X | N/A |
| Emerald UI | √ (Apache) | √ | √ | √ | √ | √ | √ | √ | √ | URL |
The starting point of the integration process is the source code of the components, which has
been uploaded to the public GitLab repository²³ (except for two of them –TWS and eknows-e3–
which are not open source licensed). The repository of each component contains a dockerfile.
The respective images created have been uploaded to the Docker repository in Artifactory.
The next step is to deploy the images on the Kubernetes cluster. For this, several manifest files
have been developed for each component, depending on their nature (pods, services, volumes,
etc.). In the early stages of the development, the integration process allowed a manual
deployment using kustomize and kubectl²⁴. This allows for the identification of
bugs/adjustments in an agile way, without waiting for an automated deployment process to be
completed. This process has been further automated through the GitLab CI pipelines, which are
detailed in D1.6 [4].
The last column of Table 2 indicates if the component is available in the integration environment.
All of them are deployed, excepting those that are not to be integrated in the CaaS Framework
but in the pipeline to analyse files (i.e., Codyze, eknows-e3, and AI-SEC).
The final and fundamental part of the integration has to do with the communication among
components, which is done through the APIs defined and developed in EMERALD. Besides the
details provided in the third section for each component, Table 3 presents a consolidated view
of the current status of the interaction of each component with the others. The status has been
categorized into several stages²⁵, reflecting the progress made in integrating the component into
the EMERALD Framework:
• Not Started: The integration process has not yet begun.
• Developing API: The component is currently in the process of developing its API. This
stage involves defining how the component will interact and its implementation.
• API Finished: The API development has been completed and is ready for testing.
• Tested Locally: The component has undergone local testing, verifying its functionality in
isolation. While it works as intended on its own, it has not yet been tested in conjunction
with other components.
• Connected: The component has successfully established connections with other
components. Data exchange can occur, but further testing is needed to ensure full
compatibility.
• Testing: The integration of the component with others is currently being tested. This
phase involves checking the data flow between the components to identify and fix any
issues that may arise.
• Integrated: The component has been fully integrated into the framework. It has passed
the necessary tests and is functioning as intended, interacting seamlessly with other
components in the EMERALD system.
Please note that in Table 3, the column “Component A” refers to the component that
implements the API and “Component B” is the component that invokes it.
²³ https://git.code.tecnalia.dev/emerald/public
²⁴ A command line tool for communicating with a Kubernetes cluster's control plane, using the Kubernetes
API. See https://kubernetes.io/docs/reference/kubectl/ for details.
²⁵ This categorization was first used in deliverable D3.5 [16]
Table 3. Point-to-point integration status
| Component A | Component B | Status | Comment |
|---|---|---|---|
| AI-SEC | EMERALD UI | Not started | AI-SEC is currently in the tool testing phase and has not yet started its integration |
| AMOE | Evidence Store | Testing | Waiting for Ontology and full integration of new metrics based on updated data model |
| AMOE | RCM | Tested locally / Connected | Tested with initial API. Waiting for adjustment to new metric data model and inclusion of extended set of metrics |
| AMOE | Orchestrator | Not started | Waiting for updates of the Orchestrator API |
| AMOE | EMERALD UI | Testing, Connected | Collected files and extracted results. Full implementation remains to be tested. Also, extensive testing in EMERALD integration setup remains to be done. The Keycloak configuration needs to be updated for a stable deployment and test setup. |
| Clouditor-Discovery | Evidence Store | Connected | Testing pending |
| Codyze | [CI/CD] * | Tested locally | Codyze is integrated as a CI/CD component. Currently, a proof-of-concept integration of Codyze-Provenance exists for GitLab. For Codyze-Compliance, a similar integration is planned. |
| Codyze | Evidence Store | Tested locally | We can send pieces of evidence. However, they are not fully filled. |
| Codyze | TWS | Not started | Currently postponed in favour of the integration with Evidence Store and awaiting final API specification of TWS. |
| eknows-e3 | [CI/CD] * | Tested locally | The CI/CD component uses eknows-e3 to extract and save evidence in the Evidence Store. A demo showcases how the eknows-e3 component can be integrated. Integration tests are currently being developed. |
| eknows-e3 | Evidence Store | Testing | Communication is implemented, integration tests are in development. |
| TWS | EMERALD UI | Developing API | Currently updating the API details due to the migration process. |
| TWS | Evidence Store | Developing API | Currently updating the API details due to the migration process. |
| TWS | Evidence collectors | Developing API | Currently updating the API details due to the migration process. |
| MARI | RCM | Developing API | New API defined. |
| RCM | EMERALD UI | Developing API | Updating / extending the API. |
| RCM | Clouditor-Orchestrator | Developing API | Changes are needed due to data model updates. |
| RCM | MARI | Developing API | New mapping API already defined. |
| RCM | AMOE | Connected | Changes are needed due to data model updates. |
| Orchestrator | Assessment | API Finished | - |
| Orchestrator | EMERALD UI | API finished | Requires coordination with WP4 and testing. |
| Orchestrator | RCM | Developing API | - |
| Orchestrator | Assessment | Connected | Testing pending. |
| Orchestrator | Evaluation | Connected | Testing pending. |
| Evidence Store | Assessment | Connected | Testing pending. |
| Evidence Store | Orchestrator | Connected | Testing pending. |
| Evidence Store | AMOE | Testing | - |
| Evidence Store | Codyze | Tested locally | - |
| Evidence Store | eknows-e3 | Testing | - |
| Evidence Store | AI-SEC | Testing | - |
| Evidence Store | Clouditor-Discovery | Connected | Testing pending. |
| Assessment | Evidence Store | Connected | Testing pending. |
| Assessment | Orchestrator | Connected | Testing pending. |
| Assessment | TWS | Developing API | To be tested. |
| Evaluation | Orchestrator | Connected | Testing pending. |
| EMERALD UI | AMOE | Connected | Testing remains to be done. Only a subset of the endpoints has been fully integrated yet. |
| EMERALD UI | Orchestrator | Developing API | Waiting for Orchestrator results. |
| EMERALD UI | RCM | Tested locally | Waiting for updates of the API. |
| EMERALD UI | TWS | Not started | Discussion of endpoints and integration needed. |
The information reflected in Table 3 can be taken as a basis for a consolidated status of the
point-to-point integration. If “Not started” is considered as 0% progress, and “Integrated” is
considered as 100% progress (with “Tested locally” being 50%), an approximation of the global
value can be calculated, resulting in 40% at the end of this point-to-point integration at M18.
The majority of the 38 elements in the table are in the “Connected” status (13), followed by the
“Developing API” status (11).
3 Integration of Components
This section provides more details on the integration status of each EMERALD component. The
components are grouped into three groups: (i) Evidence Collectors; (ii) Evidence Assessment and
Certification; and (iii) User Interface.
Each component is introduced by a short description, followed by the expected behaviour
concerning inputs and outputs. Next, the APIs published by the component, or the Command
Line Interfaces (CLI), if applicable, are listed. Finally, a status of the integration with other
components is provided.
3.1 Evidence Collectors
Evidence collectors –highlighted in the Figure 12 below– are the components in charge of
collecting different forms of data from the targets of evaluation and providing them as evidence
that is then processed in the EMERALD framework to decide on compliance.
Figure 12. Evidence collectors in the EMERALD architecture
3.1.1 AI-SEC
AI-SEC is an evidence collector designed to extract relevant information from machine learning
models. Based on the Criteria Catalogue for AI Cloud Services (AIC4) [11], AI-SEC extracts various
characteristics of machine learning models, e.g. robustness, privacy levels and explainability.
AI-SEC establishes a process that contains methods for extracting these features. These methods
are typically applicable to both image and language models.
3.1.1.1 Expected behaviour (inputs/outputs)
The expected input should be the machine learning model and its (partial) training data, while
the output will be the computed evidence.
AI-SEC is connected to the EMERALD UI and the Evidence Store:
• EMERALD UI: It connects to AI-SEC for uploading, downloading, viewing, and deleting
policy documents. AI-SEC will be controlled by the user via the EMERALD UI, which
connects to the API.
• Evidence Store: Evidence will be forwarded to the Evidence Store.
• Assessment: The interaction with this component occurs in two ways:
o The Assessment component provides information (proofs of integrity) related
to evidence and assessment results to be recorded on the Blockchain.
o The automatic verification service requests the current values of evidence and
assessment results stored in EMERALD’s internal evidence storage to validate
their integrity against the information previously recorded on the Blockchain.
• Evidence collectors: Proofs of integrity of evidence can be directly provided from the
evidence collectors. In particular, Codyze will be considered as a proof of concept.
• EMERALD UI: The graphical interface of the TWS automatic verification service is
integrated into the EMERALD UI, allowing auditors to easily verify the trustworthiness
of evidence and assessment results, and determine their reliability.
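The record-then-verify flow described for the Assessment interaction above, as an added example that is not TWS code. It assumes a proof of integrity is a SHA-256 digest over canonical JSON and uses a hypothetical in-memory `Ledger` class in place of the blockchain; record ids and fields are constructed.

```python
import hashlib
import json

def proof_of_integrity(record):
    """SHA-256 over canonical JSON, so key order and whitespace do not matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class Ledger:
    """Append-only stand-in for the blockchain (assumption): no overwrite of a proof."""

    def __init__(self):
        self._proofs = {}

    def register(self, record_id, proof):
        if record_id in self._proofs:
            raise ValueError(f"proof for {record_id} is already recorded")
        self._proofs[record_id] = proof

    def lookup(self, record_id):
        return self._proofs.get(record_id)

    def record_ids(self):
        return set(self._proofs)

def verify_store(ledger, store):
    """Check every stored or registered record against its recorded proof."""
    report = {}
    for record_id in sorted(ledger.record_ids() | set(store)):
        recorded = ledger.lookup(record_id)
        current = store.get(record_id)
        if recorded is None:
            report[record_id] = "UNREGISTERED"   # in the store, never recorded
        elif current is None:
            report[record_id] = "MISSING"        # recorded, gone from the store
        elif recorded == proof_of_integrity(current):
            report[record_id] = "VALID"
        else:
            report[record_id] = "MODIFIED"       # content changed after recording
    return report

def demo():
    # Constructed evidence records; field names are illustrative.
    store = {
        "ev-001": {"id": "ev-001", "tool": "Codyze", "result": {"tls": "1.3"}},
        "ev-002": {"id": "ev-002", "tool": "AMOE", "result": {"mfa": True}},
        "ev-003": {"id": "ev-003", "tool": "AI-SEC", "result": {"robust": 0.9}},
    }
    ledger = Ledger()
    for record_id, record in store.items():
        ledger.register(record_id, proof_of_integrity(record))

    # Changes made to the store after the proofs were recorded:
    store["ev-001"] = dict(reversed(list(store["ev-001"].items())))  # key order only
    store["ev-002"]["result"]["mfa"] = False                         # value altered
    del store["ev-003"]                                              # record removed
    store["ev-004"] = {"id": "ev-004", "tool": "Codyze", "result": {}}  # never recorded
    return verify_store(ledger, store)

if __name__ == "__main__":
    for record_id, status in demo().items():
        print(record_id, status)
```

Canonicalising before hashing is what keeps a harmless re-serialisation of the same evidence from being reported as a modification.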
3.2.1.2 Published APIs
The API endpoints of the TWS are listed below.
Listing 2. TWS API Endpoints for Account Management
Listing 3. TWS API Endpoints for Users Management
Listing 4. TWS API Endpoints for Information Registration
Listing 5. TWS API Endpoints for Information Access
Listing 6. TWS API Endpoints for Integrity Verification
3.2.1.3 Integration Status
Currently, the TWS has been successfully deployed on the Kubernetes cluster. However, it has
been recently migrated from Quorum to the Alastria Blockchain network. This migration has
slightly delayed the integration process with other EMERALD components. Table 9 provides the
current state of the connections of the TWS with other components.
Table 9. Integration status of TWS with other EMERALD components
| Component | Status | Comment |
|---|---|---|
| EMERALD UI | Developing API | Currently updating the API details due to the migration process. |
| Evidence Store | Developing API | |
| Evidence collectors (Codyze) | Developing API | |
3.2.2 MARI
The Mapping Assistant for Regulations with Intelligence (MARI) is an intelligent system for
compliance management. As described in D3.3 [9], its main functionality is to automatically
associate relevant metrics with controls and facilitate the mapping of controls across multiple
certification schemes. This automation significantly reduces manual effort and improves
performance in compliance management processes. The MARI is built as an NLP-based tool,
leveraging a sentence transformer model to generate vector embeddings that capture the
semantic meaning of controls and metrics. The associations between controls and metrics, as
well as between controls across different certification schemes, are then performed by
measuring the similarity between these embeddings in the vector space.
3.2.2.1 Expected behaviour (inputs/outputs)
The MARI exchanges information exclusively with the RCM.
• RCM: It sends the mapping requests to the MARI, including information about the
certification schemes and the metrics. Once the MARI performs the mappings, the
results are sent back to the RCM, which receives and stores them for further use.
3.2.2.2 Published APIs
The MARI provides two endpoints for mapping controls and metrics: the mapControls endpoint
that maps controls from a schema to another by evaluating a similarity threshold, actively
matching controls that meet the required standard; and the mapMetrics2Controls endpoint that
links metrics to the corresponding controls based on the same similarity principle.
Listing 7. MARI API Endpoints for mapping
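How a similarity threshold shapes such a mapping, as an added example that is not MARI's implementation. The 3-dimensional vectors are constructed stand-ins for sentence-transformer embeddings, and the control ids and function names are hypothetical.

```python
import math

def cosine(a, b):
    """Cosine similarity of two equal-length vectors; 0.0 if either is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)

def map_by_similarity(source, target, threshold):
    """Map each source id to the target ids scoring >= threshold, best match first."""
    mapping = {}
    for src_id, src_vec in source.items():
        scored = [(round(cosine(src_vec, tgt_vec), 3), tgt_id)
                  for tgt_id, tgt_vec in target.items()]
        hits = [(tgt_id, score) for score, tgt_id in scored if score >= threshold]
        mapping[src_id] = sorted(hits, key=lambda h: (-h[1], h[0]))
    return mapping

def unmapped(mapping):
    """Source ids with no match: candidates for manual review, not silent omission."""
    return sorted(src_id for src_id, hits in mapping.items() if not hits)

# Constructed embeddings (assumption): real ones would come from the model.
SCHEME_A = {"A.CRY-01": [1, 0, 0], "A.LOG-01": [0, 1, 0], "A.HR-01": [0, 0, 1]}
SCHEME_B = {"B.ENC-4": [24, 7, 0], "B.AUD-2": [3, 4, 0], "B.PHY-9": [0, 3, 4]}

if __name__ == "__main__":
    for threshold in (0.5, 0.75, 0.9):
        result = map_by_similarity(SCHEME_A, SCHEME_B, threshold)
        print(threshold, result, "unmapped:", unmapped(result))
```

A low threshold returns extra, weaker matches per control, while a high one leaves controls without any mapping, so both the threshold and the unmapped list need review before a mapping is relied on for compliance claims.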
3.2.2.3 Integration Status
The MARI has already been deployed on the Kubernetes cluster. MARI interacts exclusively with
the RCM through a predefined API. Table 10 provides the current state of connections of the
MARI with the RCM.
Table 10. Integration status of MARI with other EMERALD components
| Component | Status | Comment |
|---|---|---|
| RCM | Developing API | New API defined |
3.2.3 RCM
The Repository of Control and Metrics (RCM) is a smart catalogue of controls and metrics. As
described in D3.3 [9], the RCM supports multi-scheme and multi-level compliance and
incorporates the definition of the metrics used in EMERALD to obtain and assess evidence.
The RCM also provides mechanisms to update the catalogues and allow OSCAL-based [13]
import/export to facilitate the reuse and composition of the catalogue elements; stores the
mapping of controls and metrics provided by the MARI component; and includes a
self-assessment questionnaire to assess EUCS [14] compliance.
3.2.3.1 Expected behaviour (inputs/outputs)
The RCM sends and receives information from different sources.
• Clouditor-Orchestrator: It retrieves information about schemes and metrics from the
RCM, which is then used to configure extractors and organize evidence.
• MARI: It receives the mapping requests, which include information about schemes and
metrics, from the RCM. The responses (mappings) are then sent back to the RCM, which
stores them for further use.
• EMERALD UI: When the user navigates through the content of the repository, the
EMERALD UI calls the RCM API. The information required is packed in JSON format in
the REST call and sent to the EMERALD UI for displaying. The same happens when the
user creates new security schemes or fills in the self-assessment questionnaire.
• AMOE: It receives the definition of the security metrics that are used to extract and
evaluate evidence from policy documents from the RCM.
3.2.3.2 Published APIs
The API endpoints of the RCM component are listed below.
Listing 8. RCM API Endpoints for schema information
Listing 9. RCM API Endpoints for control information
Listing 10. RCM API Endpoints for Metric information
Listing 11. RCM API Endpoints for similar control resource
Listing 12. RCM API Endpoints for Questionnaire resources
3.2.3.3 Integration Status
The RCM has already been deployed on the Kubernetes cluster. Table 11 provides the current
state of connections of the RCM with other components.
Table 11. Integration Status of the RCM with other EMERALD components
| Component | Status | Comment |
|---|---|---|
| EMERALD UI | Developing API | Updating / extending the API |
| Orchestrator | Developing API | - |
| MARI | Developing API | New API already defined |
| AMOE | Connected | Changes needed |
3.2.4 Orchestrator
The Orchestrator is the central orchestration point in the EMERALD framework. As described in
D3.3 [9], the Orchestrator serves as a key element that manages the compliance process within
the EMERALD framework, linking various components together. This component is also
responsible for making the final compliance decision, assessing whether a target of evaluation
adheres to a specified security standard.
3.2.4.1 Expected behaviour (inputs/outputs)
The Orchestrator sends and receives information from different sources.
• EMERALD UI: It receives information from the Orchestrator to be displayed to the user,
e.g. audit scope or evidence.
• RCM: It provides the Orchestrator with catalogue and metric information.
• Assessment: Assessment results, as well as evidence, are sent by the Assessment to the
Orchestrator.
• Evaluation: For evaluating the compliance of controls of a security catalogue, the
Orchestrator sends assessment results to the Evaluation and gets the compliance status
of each control (i.e. the evaluation result).
• Evidence Store: The Orchestrator pulls evidence from it.
3.2.4.2 Published APIs
The API endpoints of the Orchestrator for handling assessment results and tools are listed below.
Listing 13. Orchestrator API endpoints for assessment results
Listing 14. Orchestrator API endpoints for metrics
Listing 15. Orchestrator API endpoints for targets of evaluation
Listing 16. Orchestrator API endpoints for handling certificates
Listing 17. Orchestrator API endpoints for certificates (publicly available)
Listing 18. Orchestrator API endpoints for catalogues
Listing 19. Orchestrator API endpoints for audit scopes
3.2.4.3 Integration Status
The Orchestrator has already been deployed on the Kubernetes cluster. Table 12 provides the
current state of connections of the Orchestrator with other components.
Table 12. Integration status of Orchestrator with other EMERALD components
| Component | Status | Comment |
|---|---|---|
| EMERALD UI | API finished | Requires coordination with WP4 and testing. |
| RCM | Developing API | - |
| Assessment | Connected | - |
| Evaluation | Connected | - |
| Evidence Store | Connected | - |
3.2.5 Evidence Store
The Evidence Store serves as a central repository for evidence collected from various evidence
collectors. It retrieves evidence from the evidence collectors, saves them in a Postgres database,
and forwards evidence to the Assessment and the TWS to improve the integrity of the evidence.
A detailed description can be found in deliverable D3.3 [9].
3.2.5.1 Expected behaviour (inputs/outputs)
The Evidence Store sends and receives information from different sources:
• Assessment: It receives evidence from the Evidence Store for the assessment.
• Orchestrator: It receives evidence from the Evidence Store (and forwards it to the
EMERALD UI).
• AMOE: It sends evidence to the Evidence Store for storage.
• Codyze: It sends evidence to the Evidence Store for storage.
• eknows-e3: It sends evidence to the Evidence Store for storage.
• AI-SEC: It sends evidence to the Evidence Store for storage.
• Clouditor-Discovery: It sends evidence to the Evidence Store for storage.
3.2.5.2 Published APIs
The Evidence Store provides the following three endpoints for storing evidence, listing all
evidence and getting specific evidence, respectively.
Listing 20. Evidence Store API endpoints
3.2.5.3 Integration Status
The Evidence Store has already been deployed on the Kubernetes cluster. Table 13 provides the
status of the individual connections. The Postgres database is likely to be replaced by a graph
database in the future.
Table 13. Integration status of Evidence Store with other EMERALD components
| Component | Status | Comment |
|---|---|---|
| Assessment | Connected | - |
| Orchestrator | Connected | - |
| AMOE | Testing | - |
| Codyze | Tested locally | Simple pieces of evidence are received. |
| eknows-e3 | Testing | - |
| AI-SEC | Testing | - |
| Clouditor-Discovery | Connected | - |
3.2.6 Assessment
As described in D3.3 [9], the Assessment is tasked with assessing evidence according to specific
metrics established within the EMERALD framework.
3.2.6.1 Expected behaviour (inputs/outputs)
The Assessment sends and receives information from different sources: