Security Configuration - Overview
All communication is encrypted. To improve security, additional configuration is needed on each customer's side. Depending on the customer's security needs, some configuration steps can be omitted.
Configure TLS Encryption
In a standard installation, self-signed certificates are used. To avoid browser certificate warnings, install valid customer certificates.
Configure Consul
The Consul agent supports encrypting all of its network traffic. There are two separate encryption systems: one for the communication with clients (TLS), explained in Configure External TLS Encryption, and one for the internal communication (RPC) within a Consul cluster:
Configure Keycloak
Some settings that are not related to TLS are also recommended:
Configure Vault
Next Step
Continue with:
Explanations
This section is still under construction!
Transport Layer Security (TLS)
TCP-based traffic (e.g. HTTP) is secured via Transport Layer Security (TLS). The server presents the client with a certificate that contains information about the server (e.g. its domain name) and the server's public key. The client must either trust the certificate directly, or the certificate must be digitally signed by a Certificate Authority (CA) that the client trusts. The server then authenticates itself by proving possession of the private key that matches the certificate.
External TLS
The communication with users must be secured via a certificate that is trusted by the user's browser. In most cases, an internal CA must sign the certificate, and all client computers are configured to trust this CA. The certificate must contain every hostname or IP address that clients use to connect to the server.
Internal TLS
The internal communication between the microservices and the infrastructure (e.g. the database) can also be encrypted via TLS. These certificates must contain the additional hostnames that are used for internal routing via Consul. To improve security, they can also be signed by a CA that is trusted by all services.
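As an added example (not part of this documentation or the product's code), the following Go program issues a server certificate from an internal CA whose Subject Alternative Names cover an external hostname, a client-facing IP address and an internal Consul routing name, and then checks which connection names a client that trusts the CA would accept. The hostnames and the IP address are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Constructed placeholder names (not from this page): browser hostname, client IP, Consul routing name.
var RequiredDNS = []string{"portal.example.internal", "api.service.consul"}
var RequiredIPs = []net.IP{net.ParseIP("10.0.0.10")}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// sign issues a certificate from tmpl, signed with the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub, parentKey any) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}
// IssueServerCert builds an internal CA and a server certificate whose SANs list every name in dns and ips.
func IssueServerCert(dns []string, ips []net.IP) (*x509.CertPool, *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now, exp := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: exp,
		Subject: pkix.Name{CommonName: "Internal CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root of the internal CA
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: exp,
		Subject: pkix.Name{CommonName: dns[0]}, KeyUsage: x509.KeyUsageDigitalSignature,
		DNSNames: dns, IPAddresses: ips, // SANs: the names a connecting client actually checks
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
	pool := x509.NewCertPool() // what every client computer must be configured to trust
	pool.AddCert(ca)
	return pool, leaf
}
// TrustedFor reports whether a client trusting pool and connecting as name (hostname or IP) accepts leaf.
func TrustedFor(pool *x509.CertPool, leaf *x509.Certificate, name string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err == nil
}
```

A name missing from the SANs, or a client without the internal CA in its trust store, is rejected, which is exactly the browser warning the configuration above is meant to avoid.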
OpenID Connect
Issuer Key
Issuer Certificate
Consul Encryption
The internal communication between the Consul nodes of a cluster can be secured via a symmetric encryption key. This key must be included in the configuration of every node. This differs from the communication between our services and Consul, which uses TLS.
MongoDB Configuration for Secure Encryption
MongoDB uses TLS to encrypt its traffic.