Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Tasks

Change TLS settings between application and CRDP

search

Please Note:

Change TLS settings between application and CRDP

Note

  • It is recommended to keep your registration token and certificates in secret.

  • It is recommended to keep your secrets in a safe vault.

Steps to enable TLS with mandatory client authentication

  1. Create a secret, if it doesn't exist.

    kubectl create secret generic <crdp secret name> --from-file=cert=<certificate file path> --from-file=key=<key file path> --from-file=ca=<ca certificate path>

  2. In the CRDP deployment file (for example, <crdp-deployment.yaml>), add/update the below lines in the env section.

              env:
            - name: SERVER_MODE
              value: "tls-cert"
            - name: CERT_VALUE
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: cert
            - name: KEY_VALUE
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: key
            - name: TRUSTED_CA
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: ca

  3. Upgrade your CRDP deployment.

    helm upgrade <release-name> <path of helm chart/chart-name> .

    Example

    helm upgrade crdp <path of helm chart/chart-name> .

  1. Create a secret, if it doesn't exist.

    kubectl create secret generic <crdp secret name> --from-file=cert=<certificate file path> --from-file=key=<key file path> --from-file=ca=<ca certificate path> --from-literal=regtoken=<registration token>

    Note

    If your secret already exists with <registration token>:

    • Update the values of cert, key, and ca in the secret, OR

    • Create a new secret using the kubectl create secret command as described above

  2. In the CRDP deployment file (for example, <crdp-deployment.yaml>), add/update the below lines in the env section.

              env:
            - name: SERVER_MODE
              value: "tls-cert"
            - name: CERT_VALUE
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: cert
            - name: KEY_VALUE
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: key
            - name: TRUSTED_CA
              valueFrom:
                secretKeyRef:
                  name: <crdp secret name>
                  key: ca

  3. Update your CRDP deployment.

    kubectl replace -f <deployment_filename>

  1. Stop the existing container.

  2. Start the container with the updated configuration, as below.

    docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:<CRDP_port> -e SERVER_MODE=tls-cert -e CERT_VALUE="<certificate value>" -e KEY_VALUE="<key value>" -e TRUSTED_CA="<trusted ca>" <crdp image name>

    In the command,

    • SERVER_MODE is tls-cert

    • CERT_VALUE: Value of the client certificate.

    • KEY_VALUE: Value of the key associated with the client certificate.

    • TRUSTED_CA: Value of the CA certificate.

    Now, CRDP will verify the certificate presented by the client.

Steps to enable TLS without client authentication

  1. In the values.yaml file, under configuration, update the value of servermode to tls-cert-opt.

  2. In the CRDP deployment file (for example, <crdp-deployment.yaml>), add the below lines to the data section of kind:Secret.

        data:
        server.crt: {{.Values.configuration.servercrt}}
        server.key: {{.Values.configuration.serverkey}}

  3. Upgrade your CRDP deployment.

    helm upgrade <helm chart name> <path of helm chart>

  1. In the CRDP deployment file (for example, <crdp-deployment.yaml>), in the data section of ConfigMap, set SERVER_MODE to tls-cert-opt.

  2. Add the following lines to the data section of kind:Secret.

        data:
        server.crt: {{.Values.configuration.servercrt}}
        server.key: {{.Values.configuration.serverkey}}
        trustedca: {{.Values.configuration.trustedca}}

  3. Update your CRDP deployment.

    kubectl replace -f <deployment_filename>

  1. Stop the existing container.

  2. In the environment variable, set the SERVER_MODE field to tls-cert-opt.

  3. Specify the environment variables:

    • CERT_VALUE: Value of the client certificate.

    • KEY_VALUE: Value of the key associated with the client certificate.

  4. Start the container.

    docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:<CRDP_port> -e SERVER_MODE=tls-cert-opt -e CERT_VALUE="<certificate value>" -e KEY_VALUE="<key value>" <crdp image name>

Steps to disable TLS

  1. In the values.yaml file, under configuration, update the value of servermode to no-tls.

  2. Upgrade your CRDP deployment.

    helm upgrade <helm chart name> <path of helm chart>

  1. In your deployment file, in the data section of ConfigMap, set SERVER_MODE to no-tls.

  2. Update your CRDP deployment.

    kubectl replace -f <deployment_filename>

  1. Stop the existing container.

  2. In the environment variable, set the SERVER_MODE field to no-tls.

  3. Start the container.

    docker run -e KEY_MANAGER_HOST=<IP address or host name> -e REGISTRATION_TOKEN=<registration token> -p <host port>:<CRDP_port> -e SERVER_MODE=no-tls <crdp image name>

On this page