Secure PLOSSYS Administrator¶
For security reasons, we strongly recommend configuring the TLS encryption. This is also one step to get rid off the annoying certificate warnings in the browser. We also recommend using a regenerated client secret different to the one contained in delivery.
Configure the TLS Encryption¶
-
Get the TLS certificate in PEM format, see the Requirement. For securing the connection to PLOSSYS Administrator, the certificate has to contain the server name of PLOSSYS Output Engine.
-
Save the private key and the public certificate in the
/opt/seal/etc/tls/
directory:/opt/seal/etc/tls/key.pem
/opt/seal/etc/tls/cert.pem
-
Set the following key to the path of the certificate files:
TLS_EXTERNAL_DIR
: Directory for storing the files necessary for secure transfer with the PLOSSYS Administrator.
Example - setting key via PLOSSYS CLI
plossys config set TLS_EXTERNAL_DIR "/opt/seal/etc/tls" --service plossysadmin --insecure
-
If the self-signed certificates are used with PLOSSYS Administrator, the following key has to be set to
0
for theseal-plossysadmin
service:NODE_TLS_REJECT_UNAUTHORIZED
: Flag if self-signed certificates are allowed
Example - setting key via PLOSSYS CLI
plossys config set NODE_TLS_REJECT_UNAUTHORIZED 0 --service plossysadmin --insecure
-
Restart the following service:
seal-plossysadmin
-
Close PLOSSYS Administrator and open it again.
Configure the TLS Encryption in a Cluster¶
If you are running PLOSSYS Output Engine in a cluster, execute the configuration steps above on all Output Engine servers. Thereby, use the same directory for the certificate files so that TLS_EXTERNAL_DIR
is valid on all Output Engine servers.
Regenerate the Client Secret in the OIDC Identity Provider¶
-
In the OIDC identity provider, regenerate the secret for the
seal-plossysadmin
client, refer to the SEAL Interfaces for OIDC documentation. -
In the configuration of the
seal-plossysadmin
service, specify the regenerated client secret with the following key:AUTH_CLIENT_SECRET
: Client secret generated in the OIDC identity provider for theseal-plossysadmin
client
Specify a CA Certificate (Unnecessary in Most Cases)¶
If a CA certificate has been specified, PLOSSYS Administrator requires a client certificate from each client, that means from the Web browser. This would require corresponding properties of the certificate and would be a high effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.
For the rare other cases, this is how you configure a CA certificate with PLOSSYS Administrator:
-
Save the CA certificate to the following file:
/opt/seal/etc/tls/ca.pem
Next Step¶
Continue with: Secure the Output Engine Services