| Table of Contents |
|---|
Introduction
Kiuwan on premises On-Premises fosters secure connections by providing a default installation environment where most communications are done under a secure protocol.
By default, Kiuwan on premises On-Premises services connections use:
...
In order to provide a default installation configuration that enables secure protocols on most communications channels, Kiuwan on premises On-Premises comes with a set of certificates and keystores for the default configured domain (kiuwan.onpremise.local).
...
Provided certificates and keystores
Kiuwan on premises On-Premises installation tool (kiuwan-cluster) provides a number of files to allow secure communications between containers. These files are located in kiuwan-cluster distributions under the ssl folder.
...
| Location | File | Format | Content | Purpose | Expiration date |
|---|---|---|---|---|---|
| ssl/ca | cacert.pem | RSA 4096 bits SHA256 | The CA certificate that signed Kiuwan on premises On-Premises domain certificate | Allows Kiuwan servers to provide the CA that signed their certificates | 2029/10/13 |
| ssl/kiuwan.onpremise.local | domaincert.pem | RSA 4096 bits SHA256 | The Kiuwan on premises On-Premises domain certificate | Allows Kiuwan servers to identify themselves | 2029/10/13 |
...
| Location | File | Format | Content | Purpose |
|---|---|---|---|---|
| ssl/ca | cakey.pem | RSA 4096 bits PKCS #8 | The provided CA private key | Allows signing certificates with the provided CA |
| ssl/kiuwan.onpremise.local | domainkey.pem | RSA 4096 bits PKCS #8 | The Kiuwan on premises On-Premises domain private key | Allows encrypting traffic for the provided domain |
...
Using certificates using the provided CA or your own CA
Kiuwan on premises On-Premises installater (kiuwan-cluster) contains a handy tool for creating certificates both with the provided CA or your own CA.
...
| Property | Default value | Meaning |
|---|---|---|
| java.keystore.password | The password to set to the generated Java keystore | |
| java.truststore.password | The password to set to the generated Java truststore | |
| ssl.ca.password | The password to set to the generated CA (only applies when generating a new custom CA). The set password will be used when signing certificates as well | |
| ssl.country | US | Country, state, locality, organization or organization unit to set both to the subject of the CA certificate (in case of you are generating a new custom CA) and to the subject of the specified domain signing request |
| ssl.state | mystate | |
| ssl.locality | mylocality | |
| ssl.organization | mycompany | |
| ssl.organization.unit | myorganizationunit | |
| ssl.company.domain | mycompany.com | Company domain to set to the subject's Common Name (CN) of the CA certificate (in case of you are generating a new custom CA) |
| ssl.subject.alt.names | DNS:kiuwan.onpremise.local[:443,:3306,:6379] DNS:wildflykiuwan-f[1-2][:8143,:8443] DNS:wildflykiuwanContainer-f[1-2][:8143,:8443] DNS:mysqlkiuwan[:3306] DNS:mysqlkiuwanContainer[:3306] DNS:redis_0000[1-6][:6379] | Subject Alternative Names (SANs) that will be set to the specified domain certificate. These are needed in order to be able to share the same certificate between different services of the Kiuwan on premises On-Premises infrastructure. |
Step 1: set the CA to use when signing your certificates
...
Using certificates signed by a trusted CA
Note that Kiuwan on premises On-Premises installation tool does not automate this process as it may be different between organizations based on their security policies.
The following table shows the files that Kiuwan on premise On-Premises needs:
| File | Where does it come from? | How can I get it? |
|---|---|---|
| domainkey.pem | You have to generate this file | Use a SSL tool to generate it |
| cacert.pem | Your CA will provide this file | Your CA will send this file to you after a CSR (Certificate Signing Request) |
| domaincert.pem | Your CA will provide this file | Your CA will send this file to you after a CSR (Certificate Signing Request) |
| domainkeystore.jks | You have to generate this file | Use your JRE's keytool program to generate it |
| truststore.jks | Provided by the installation tool | It is stored in [INSTALLER_DIR]/ssl/truststore/truststore.jks |
...
The following step is to run the deploy-user-content.sh script to let the installer deploy your certificates to the persistent volumes. Note that once this is done and depending on your installation needs, the following steps may change. Please refer to the Installation guide page for more information.
Adding the provided or a custom CA to Kiuwan
...
On-Premises clients
Kiuwan on On-Premises installer tool provides default certificates for the default host name, signed by a supplied CA (Certificate Authority).
...
If you choose to sign your domain's certificate with the provided CA, a new CA created using kiuwan-certool.sh or your own CA, internet browsers and other clients accessing your Kiuwan on premises On-Premises installation will not recognize it as a trusted CA by default. You will get error messages like this one:
...
In order to make your browser trust the supplied certificates, you will need to add this CA to your browser, and Java clients that access your Kiuwan on premises On-Premises installation:
- Fixefox, Chrome, Edge: import cacert.pem by using the tools provided by the browsers.
- Java clients (Kiuwan for developers Eclipse, Kiuwan for developers JetBrains, Jenkins, KLA, etc): add the provided cacert.pem to the JRE keystore used by the client. Please refer to the official documentation of your JRE distribution about the Java keytool program.
- Windows clients (Kiuwan for developers VisualStudio): import cacert.pem by using the tools provided by Windows (certmgr.msc).
- Multiplatform clients (Kiuwan for developers VisualStudioCode): import cacert.pem by using the tools provided by your OS.