Securing the Milestone AI Bridge connection (Kubernetes)

You can use TLS encryption to help secure the connections between your XProtect installation and Milestone AI Bridge. Before you can do so, you must first enable TLS encryption for all communication in XProtect.

The Milestone Server Configurator is used to enable TLS encryption and to select the server certificates.

For more information, see the XProtect certificates guide: https://doc.milestonesys.com/2025r1/en-US/portal/htm/chapter-page-certificates-guide.htm.

Server certificates are issued by a Certificate Authority (CA). This can be an externally trusted certificate authority, or you can act as your own certificate authority by using a self-signed CA certificate.

In the following, the certificate authority is referred to as the VMS CA, and the CA certificate in question is referred to as the VMS CA certificate.

Streaming container security considerations

To comply with the user permissions defined in the XProtect VMS, the user OAuth tokens attached to video sent from the XProtect VMS to the IVA application must also be attached to the WebRTC feeds that the IVA application forwards back into the XProtect VMS.

The same user OAuth tokens can also be attached to snapshot feeds. If you do not attach OAuth tokens to snapshot feeds, the OAuth token of the Milestone XProtect basic user defined when installing Milestone AI Bridge is used instead.

In a production environment

For production environments, IVA application developers should always set the enforce-oauth parameter of the AI Bridge Streaming (aibridge-streaming) container to true in the Docker Compose or Helm chart settings.

If the enforce-oauth parameter is set to false in a production environment, the OAuth token of the Milestone XProtect basic user defined when installing Milestone AI Bridge is used for every request. Snapshots or WebRTC feeds from the IVA application may then become available to XProtect users who do not otherwise have permission to view that data.

In a test environment

For test purposes, IVA application developers can set the enforce-oauth parameter to false to simplify testing, unless security testing is being performed.

The enforce-oauth parameter is located in the aibridge-streaming.yaml file.

Create a Kubernetes ConfigMap object

If your XProtect installation is not running in a secured state (that is, not over HTTPS), the following steps are optional.

To register the VMS CA certificate as trusted by Milestone AI Bridge, create a Kubernetes ConfigMap object by opening a terminal and running the following command:

    kubectl create configmap vms-authority \
      --from-file=path/to/vms-authority.crt \
      -n aibridge

If you deploy Milestone AI Bridge inside a namespace, you must create the ConfigMap inside the same namespace. If you have created your own namespace, replace the aibridge namespace with your namespace after the -n parameter.

The file vms-authority.crt must contain the VMS CA certificate in PEM format.

All certificates must use the PEM format and must be named with the .crt file extension. For more information, see Ubuntu manual - certificates

Assign server certificate to Milestone AI Bridge

If your XProtect installation is not running in a secured state (that is, not over HTTPS), the following steps are optional.

Milestone AI Bridge itself also acts as a server towards your XProtect installation and thus must have a server certificate issued for it by the VMS CA.

This server certificate and its associated private key must be added as a Kubernetes Secret object by opening a terminal and running the following command:

    kubectl create secret tls server-tls \
      --cert=path/to/server.crt \
      --key=path/to/server.key \
      -n aibridge

Here, server.crt and server.key are the issued server certificate and its associated private key respectively, both in PEM format, and path/to/ is the directory that contains them. The certificate uses the .crt file name extension and the private key the .key extension.

If you have created your own namespace, replace the aibridge namespace with your namespace after the -n parameter. If you deploy Milestone AI Bridge in a namespace, the Secret object must be created in that same namespace.

You can now use TLS encryption for all connections between your XProtect installation and Milestone AI Bridge by using the HTTPS scheme in the URL of the XProtect management server, as in the example below.

Example of terminal command

Run the command from the aibridge chart folder. Replace the placeholders in angle brackets with your values; quoting the externalIPs list keeps the shell from interpreting the braces.

    helm install aib . -n aibridge \
      --set vms.url=https://my-management-server \
      --set general.externalIP=<kubernetes-cluster-ip-address> \
      --set general.externalHostname=<kubernetes-cluster-hostname> \
      --set 'ingress-nginx.controller.service.externalIPs={<kubernetes-cluster-ip-address>}'
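The ConfigMap and Secret steps above register whatever files you hand them; nothing checks that the server certificate was actually issued by the VMS CA or that the private key belongs to it, and a mismatch only shows up later as a TLS handshake failure between XProtect and AI Bridge. The following script is an added example (not Milestone's own code) that runs those pre-flight checks with openssl and then creates both objects idempotently, so re-running it after a certificate rotation updates them in place. It assumes openssl and kubectl are on PATH and that the ConfigMap key (vms-authority.crt) and Secret name (server-tls) expected by the chart are the ones shown on this page; the script name and the apply argument are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Milestone AI Bridge documentation or chart.
# Assumes: openssl and kubectl on PATH; ConfigMap key vms-authority.crt and
# Secret name server-tls as on this page (not verified against the chart).

# Return 0 if FILE is a PEM-encoded X.509 certificate, 1 otherwise.
is_pem_cert() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# Return 0 if CERT chains to the CA certificate in CAFILE, 1 otherwise.
issued_by_ca() {
    cafile=$1; cert=$2
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Return 0 if the public key inside CERT equals the public half of KEY.
key_matches_cert() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check on the VMS CA cert, server cert and key; print the first
# failure and return 1, otherwise return 0.
preflight() {
    cafile=$1; cert=$2; key=$3
    is_pem_cert "$cafile" || { echo "FAIL: $cafile is not a PEM certificate"; return 1; }
    is_pem_cert "$cert" || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    issued_by_ca "$cafile" "$cert" || { echo "FAIL: $cert was not issued by the CA in $cafile"; return 1; }
    key_matches_cert "$cert" "$key" || { echo "FAIL: $key does not match $cert"; return 1; }
    echo "OK: VMS CA, server certificate and key are consistent"
}

# Create or update the ConfigMap and Secret in namespace NS. Rendering with a
# client-side dry run and piping into apply makes the step repeatable, unlike
# a plain "kubectl create", which fails if the object already exists.
register_tls_material() {
    ns=$1; cafile=$2; cert=$3; key=$4
    kubectl create configmap vms-authority \
        --from-file=vms-authority.crt="$cafile" -n "$ns" \
        --dry-run=client -o yaml | kubectl apply -f -
    kubectl create secret tls server-tls \
        --cert="$cert" --key="$key" -n "$ns" \
        --dry-run=client -o yaml | kubectl apply -f -
}

# Usage (hypothetical script name):
#   sh register-tls.sh apply aibridge path/to/vms-authority.crt path/to/server.crt path/to/server.key
if [ "${1:-}" = "apply" ]; then
    preflight "$3" "$4" "$5" && register_tls_material "$2" "$3" "$4" "$5"
fi
```

After the objects exist, run the helm install command shown above with the HTTPS management-server URL; if the handshake still fails, re-run the pre-flight with the exact files you registered, since the checks are pure openssl and need no cluster access.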