
Secure Externally Accessible Services


For security reasons, we strongly recommend configuring TLS encryption. For PLOSSYS Administrator, this is also one step towards getting rid of the annoying certificate warnings in the browser. We also recommend using a regenerated client secret different from the one contained in the delivery.

This article describes how to secure services that are accessible from the outside:

  • seal-cpm-checkin
  • seal-ipp-checkin
  • seal-job-notifier
  • seal-mainland-checkout
  • seal-plossysadmin
  • seal-rest

Hint - Script

SEAL Systems offers a script for updating certificates. Contact your Technical Project Manager at SEAL Systems if you are interested.


Configure the TLS Encryption

  1. Get the TLS certificate in PEM format, see the Requirement. For securing the connection to PLOSSYS Administrator, the certificate has to contain the server name of PLOSSYS Output Engine.

  2. Create a new directory for the external TLS certificates:

    mkdir C:\ProgramData\SEAL Systems\config\tls-external
    
  3. Save the private key and the public certificate in the newly created C:\ProgramData\SEAL Systems\config\tls-external directory.

    copy <your_key.pem> C:\ProgramData\SEAL Systems\config\tls-external\key.pem
    
    copy <your_cert.pem> C:\ProgramData\SEAL Systems\config\tls-external\cert.pem
    
  4. Set the following key to the path of the certificate files:

    • TLS_EXTERNAL_DIR: Directory for storing the files necessary for secure transfer of the services handling external requests.

    Example - setting key via PLOSSYS CLI for all external services (recommended)

    plossys config set TLS_EXTERNAL_DIR "C:\ProgramData\SEAL Systems\config\tls-external" --service any --insecure
    

    Example - setting key via PLOSSYS CLI for PLOSSYS Administrator only

    plossys config set TLS_EXTERNAL_DIR "C:\ProgramData\SEAL Systems\config\tls-external" --service plossysadmin --insecure
    

    Hint - exception job-notifier

    Although the seal-job-notifier is accessible from the outside, it does not support the environment key TLS_EXTERNAL_DIR yet. You have to set TLS_DIR for the seal-job-notifier service accordingly.

    plossys config set TLS_DIR "C:\ProgramData\SEAL Systems\config\tls-external" --service job-notifier --insecure
    
  5. If self-signed certificates are used, the NODE_TLS_REJECT_UNAUTHORIZED key has to be set to 0 for the respective services:

    Example - setting key via PLOSSYS CLI

    plossys config set NODE_TLS_REJECT_UNAUTHORIZED 0 --service plossysadmin --insecure
    
  6. Restart the following services:

    • seal-cpm-checkin
    • seal-ipp-checkin
    • seal-job-notifier
    • seal-mainland-checkout
    • seal-plossysadmin
    • seal-rest
  7. Close PLOSSYS Administrator and open it again.


Configure the TLS Encryption in a Cluster

In a cluster, execute the steps above on one server. On every other server, execute the following steps:

  1. Create a new directory for the external TLS certificates:

    mkdir C:\ProgramData\SEAL Systems\config\tls-external
    
  2. Save the private key and the public certificate in the newly created C:\ProgramData\SEAL Systems\config\tls-external directory.

    copy <your_key.pem> C:\ProgramData\SEAL Systems\config\tls-external\key.pem
    
    copy <your_cert.pem> C:\ProgramData\SEAL Systems\config\tls-external\cert.pem
    
  3. Restart the following services:

    • seal-cpm-checkin
    • seal-ipp-checkin
    • seal-job-notifier
    • seal-mainland-checkout
    • seal-plossysadmin
    • seal-rest
  4. If needed, close PLOSSYS Administrator and open it again.


Regenerate the Client Secret in the OIDC Identity Provider

  1. In the OIDC identity provider, regenerate the secret for the seal-plossysadmin client; refer to the SEAL Interfaces for OIDC documentation.

  2. In the configuration of the seal-plossysadmin service, specify the regenerated client secret with the following key:

    • AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossysadmin client

Specify a CA Certificate (Unnecessary in Most Cases)

If a CA certificate is specified, PLOSSYS Administrator requires a client certificate from each client, that is, from each web browser. The client certificates would have to carry the corresponding properties, which is a considerable effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.

For the rare cases in which this is wanted, this is how you configure a CA certificate for PLOSSYS Administrator:

  1. Save the CA certificate to the following file:

    C:\ProgramData\SEAL Systems\config\tls-external\ca.pem
    

Next Step

Continue with: Secure Internal Services

