TR 03187-Conformance Statement

CIVITAS/CORE conforms to Level 1 of BSI TR-03187, a German security recommendation for Urban Data Platforms. In the context of BSI TR-03187, CIVITAS/CORE implements requirements that pertain to "Entwickler" (Software Developers) and "Lösungsanbieter" (Integrators). Requirements that pertain to "Betreiber" (Operators) are out of scope.

The following sections detail how the pertinent requirements of BSI TR-03187 are fulfilled in CIVITAS/CORE.

Generated from https://gitlab.com/civitas-connect/civitas-core/requirements (labels: requirement-source::tr-03187, tr-level::1) at 2026-01-13T11:12:14.637592+00:00

[TR-03187] AR-1 Geringstmögliche Privilegien

Implemented through Security Architecture Principles for components developed by CIVITAS/CORE.

3rd Party Components: Todo.

[TR-03187] AR-2 Legacy-Clienttechnologien vermeiden

For components developed by CIVITAS/CORE, linter checks ensure that no legacy components are present (for details see implementation ticket).

Todo: check 3rd party components.

[TR-03187] AR-3 Nicht verwendete Abhängigkeiten entfernen

SSDLC policy (Section 6.6) and the Deployment Checklist (section "Production Requirements") mandate a reasonable effort to be made towards minimizing shipped artifacts.

Todo: make reasonable effort to check 3rd party components.

[TR-03187] AR-4 Version Pinning

Ensured through Deployment Standards for container images (section "Version Management"), Front End Style guide for npm (section "Imports / Exports") and Back End Style guide for Java (section "Imports")

[TR-03187] AR-5 Sitzungs-IDs zufällig und eindeutig

Level 4 UUIDs mandated through Backend Style Guide (Section "Security").

Todo: check 3rd party components and already implemented code.

[TR-03187] AR-6 Sitzungsablauf nach Inaktivität

To be implemented

[TR-03187] AR-7 Rollenbasierte Benutzerverwaltung

Role-based user management is implemented. Users are assigned role "Standard User" on registration. For details, see Authorization Data Model

[TR-03187] AR-8 Replay-Schutz

User authentication is performed system-wide by OpenID Connect. For this, JWT tokens are used. JWT tokens are signed and have timestamps.

To do: Kafka messages?

[TR-03187] AR-9 Geheimnisse müssen änderbar sein

As per SSDLC (section 9) and Deployment Standards (Section "Security"), secrets are stored through Kubernetes secrets or other secure means external to the application, in a changable manner.

Exception: Keycloak stores secrets (passwords, signing keys) in database; all of them are changable through regular Keycloak mechanisms.

[TR-03187] AR-10 Geheimnisse von Benutzern dürfen nicht zur Sicherstellung von Vertraulichkeit verwendet werden

CIVITAS/CORE does not use user supplied secrets to ensure confidentiality toward third parties. The requirement is also part of the Security Architecture Principles.

Todo: check 3rd party components

[TR-03187] AR-11 Kryptografische Verfahren sollen TR-2101-1 entsprechen

Requirement to use BSI-approved cryptography is part of Backend Code Style Guide and of Deployment Standards.

To do: ensure 3rd party component conformance.

[TR-03187] AR-12 Standardframeworks für sicherheitskritische Funktionen

Ensured through inclusion in Security Architecture Principles document.

[TR-03187] AR-13 Ganze Zertifikatkette validieren

On the ingress side, TLS validation is Operator's responsibility. For in-cluster validation, the service mesh is configured to ensure full chain validation (details tbd)

Todo: actually implement this and link to documentation.

[TR-03187] AR-14 Alle vorgesehenen Sicherheitsmechanismen defaultmäßig anschalten

Ensured through Security Architecture Principles and Deployment Standards.

[TR-03187] AR-15 Verschlüsselte Kommunikation

Encryption between container instances is implemented through TLS via a service mesh.

Todo: actually implement this and link to documentation.

[TR-03187] AR-16 Abschirmung unterschiedlicher Vertrauenszonen

TODO. Presumably in our architecture, namespaces are a good technique for this.

Concept Ticket

[TR-03187] AR-17 Integritätsgeschützter Kanal für Deployment

CIVITAS/CORE is deployed as source code and helm charts through Gitlab and container images through Gitlab container registry. Gitlab enforces TLS, so integrity and authentication are ensured.

TODO: implement signing for containers (implementation ticket)

[TR-03187] CT-1 Container-Hardening

Enforced through Deployment Standards (section "Security")

Todo: Check for 3rd Party Images.

[TR-03187] CT-2 Werkzeuggestützte Prüfung auf Container-Sicherheitslücken

Trivy scans are used to scan container images. (implementation ticket)

[TR-03187] CT-3 Basisimages aus vertrauenswürdigen Quellen

For Portal and ModelServer, Distroless is used (see Section "Security" in Backend Style Guide)

To do: 3rd Party Components

[TR-03187] CT-4 Minimalistische Basisimages

For Portal and ModelServer, Distroless is used (see Section "Security" in Backend Style Guide). Additionally, for Java code, JLink is used to create a minimal JRE.

To do: 3rd Party Components

[TR-03187] CT-5 Geheimnisse zur Laufzeit dynamisch bereitstellen

As per SSDLC (section 9) and Deployment Standards (Section "Security"), secrets are stored through Kubernetes secrets or other secure means external to the application, in a changable manner.

[TR-03187] CT-6 Gehärtete Clusterknoten

Since CIVITAS/CORE assumes it runs on an existies kubernetes cluster, this requirement is out of scope for CIVITAS/CORE.

[TR-03187] CT-8 Geringstmögliche Privilegien für Container-Images

Containers do not run as root. This is ensured through Deployment Standards (section "Security").

[TR-03187] CT-9 Transportverschlüsselung & Integrität zwischen Pods

Encryption between container instances is implemented through TLS via a service mesh.

Todo: actually implement this and link to documentation.

[TR-03187] MS-3 Vermeidung fester Credentials für Managed-Service-Zugriffe

Not applicable, as any possible managed service access is outside the scope of the application's design.

[TR-03187] AUT-1 Einheitliche Vertrauensniveaus in der Authentifizierung

Authentication is centralized through Keycloak. For Keycloak, no fallback methods (e.g. password reset through security questions) are defined.

(Implementation ticket)

[TR-03187] AUT-2 Multi-Faktor-Authentisierung

CIVITAS/CORE uses Keycloak as the identity provider for all components. In the default installation, MFA is enabled.

(Implementation ticket)

[TR-03187] AUT-3 Dedizierte Serviceaccounts

Dedicated ServiceAccounts are used per Deployment (see section "Security" in the Deployment Standards).

[TR-03187] AUT-4 Kryptografisch abgesicherter Zugriff auf Infrastruktur

As CIVITAS/CORE considers itself an application that runs on infrastructure provided by an operator, this is considered an operator requirement from a CIVITAS/CORE perspective.

For operators that want to apply this requirement to CIVITAS/CORE itself, a cryptographically secured authentication mechanism is available through Keycloak's support of WebAuthN.

(Implementation Ticket)

[TR-03187] AUT-5 Zugriffskontrollmodell definieren

The authorization model is documented here

[TR-03187] AUT-6 Sitzungs-IDs invalidieren

CIVITAS/CORE uses Keycloak for authentication and Keycloak supports this out of the box.

[TR-03187] AUT-7 Passwortrichtlinien

CIVITAS/CORE uses Keycloak as the identity provider for all components. By default, a strong password policy is active.

Todo: (Implementation ticket)

[TR-03187] W-1 Deny All als Default

This is mandated as part of the SSDLC (Section "3. Requirements you need to fulfill")

[TR-03187] W-2 Zugriffskontrollmodell definieren

The authorization model is documented here

[TR-03187] W-3 Einheitlicher Zugriffskontrollmechanismus

Implementation Ticket

[TR-03187] W-4 Restriktive CORS-Policy

CORS policy mandated through Backend Style Guide (section "CORS-Policy")

To do: check 3rd party components.

[TR-03187] W-5 Web-Server-Verzeichnisauflistung deaktivieren

CIVITAS/CORE custom components use Spring Boot. Model Atlas uses Jetty; neither are even able to list directories by default.

Todo: check 3rd party components.

[TR-03187] W-6 Nicht benötigte Datei-Metadaten und Sicherungskopien vermeiden

CIVITAS/CORE custom components use Spring Boot. Model Atlas uses Jetty; neither are even able to serve static files directories without specific provisions.

Todo: check 3rd party components.

[TR-03187] W-7 Sitzungs-IDs nach Logout invalidieren

Is implemented through NextAuth. Implementation details are documented here.

Todo: find implementation ticket.

[TR-03187] W-8 Kurzlebige JWTs

CIVITAS/CORE uses Keycloak as the identity provider for all components. In the default installation, SSO Session Idle is set to 60 Minutes and SSO Session Max is set to 10h

(Implementation ticket)

[TR-03187] W-9 Sichere DB-Zugriffe (ORM/Prepared)

Enforced through Backend Style Guide (section "Security").

[TR-03187] W-10 Vom Benutzer übergebene Objekte defensiv deserialisieren

Handled through Backend Style guide (section "Security").

Implementation details: Deserialization is handled through Jackson in Backend; Model Atlas validates based on XML Schema/JSON Schema/EMF/UML - deserialization handled through Eclipse Modeling Framework and Jackson.

[TR-03187] W-11 Clientseitige Eingabevalidierung

Mandated through Frontend Style Guide (see section "Security Principles")

Todo: 3rd party components

[TR-03187] W-12 Serverseitige Eingabevalidierung

Enforced through Backend Style Guide (section "Security").

To do: 3rd party components.

[TR-03187] W-13 Limitierung Anzahl Ergebnisse Datenbankabfragen

Paging is implemented in Backend.

Queries usually include all columns because they are mostly used; in this stage of the application's design, there is a close mapping between Database Table -> POJO -> UI. In later versions there might be use cases where not all columns are used in each one.

Model Atlas: Not applicable, as no mass data is returned. Also, data storage is NoSQL.

Todo: 3rd Party Components Todo: Policy

[TR-03187] W-14 Standardzugangsdaten ändern

Authentication is centralized through Keycloak, so there is only one component holding authentication data. The Keycloak admin password is randomly generated for each installation, so there are no default credentials.

Todo: Check if this is true.

[TR-03187] W-15 Whitelisting für Eingabedaten

Mandated through Backend Style Guide (section "Security")

Todo: 3rd Party Components

[TR-03187] W-16 Whitelisting für URLs in Eingabedaten

Mandated through Backend Style Guide (Section "Security")

To do: 3rd Party Components

[TR-03187] W-17 Whitelisting für Allow-Origin

Should be done at ingress and is thus responsibility of the operator.

We recommend the following CORS settings:

Access-Control-Allow-Origin allows only specific domains, not *.
Access-Control-Allow-Methods contains only the HTTP verbs required by the use case (e.g. GET, POST).
Access-Control-Allow-Headers is defined explicitly, not through wildcards.
Access-Control-Allow-Credentials is only set when required by the use base.

[TR-03187] W-18 Detaillierte Fehlermeldungen Produktivsystemen vermeiden

This is mandated as part of the SSDLC (Section "3. Requirements you need to fulfill")

[TR-03187] W-19 Minimale Auskunft über Komponenten

Mandated as part of SSDLC policy (section 3. Requirements you need to fulfill)

Todo: 3rd party components.

[TR-03187] W-21 Keine sensiblen Daten in URLs

This is mandated as part of the SSDLC (Section "3. Requirements you need to fulfill")

Todo: 3rd party components

[TR-03187] W-22 Clientseitiges Caching und Autocomplete abschalten

Mandated in the Frontend Style Guide (section "Security Principles").

Todo: 3rd Party Components