Introduction
Kiuwan on premises fosters secure connections by providing a default installation environment where most communications are done under a secure protocol.
By default, Kiuwan on premises services connections use:
| Protocol | Secure connection | |||
|---|---|---|---|---|
| Any client (browser, KLA, K4D, custom REST API client, etc.) | ↔ | Kiuwan apache load balancer | HTTPS | Yes |
| Kiuwan apache load balancer | ↔ | Kiuwan (frontal) | HTTPS | Yes |
| Kiuwan (frontal, analyzer, scheduler, updater) | ↔ | MySQL database | mysql protocol (SSL can be optionally enabled) | Optional |
| Kiuwan (frontal, analyzer, scheduler, updater) | ↔ | Redis cluster node | RESP (REdis Serialization Protocol) - SSL | Optional (only supported when using AWS elasticache) |
| Redis cluster node | ↔ | Redis cluster node | RESP (REdis Serialization Protocol) | Optional (only supported when using AWS elasticache) |
Every time a client connects to a server using a secure protocol, it needs to make sure that the contacted server is who it claims to be. This is usually done by the server returning a certificate (signed by a Certification Authority, CA) that the client can check for authenticity.
As the client needs a way to identify if the server's certificate is trustable, all secure transmision enabled clients have or rely on a dictionary of trustable CAs.
In order to provide a default installation configuration that enables secure protocols on most communications channels, Kiuwan on premises comes with a set of certificates and keystores for the default configured domain (kiuwan.onpremise.local).
Note that the previous statement means that if you rely on the default installation configuration all your certificates will be the same as other Kiuwan customers certificates. We encourage you create your own CA for signing your own domain certificates or sending your own certificates to a trusted CA to be signed.
Provided SSL related files
Kiuwan on premises installation tool (kiuwan-cluster) provides a number of files to allow secure communications between containers. These files are located in kiuwan-cluster distributions under the ssl folder.
The following table shows the provided certificate files:
| Location | File | Format | Content | Purpose | Expiration date |
|---|---|---|---|---|---|
| ssl/ca | cacert.pem | RSA 4096 bits SHA256 | The CA certificate that signed Kiuwan on premises domain certificate | Allows Kiuwan servers to provide the CA that signed their certificates | 2029/10/13 |
| ssl/kiuwan.onpremise.local | domaincert.pem | RSA 4096 bits SHA256 | The Kiuwan on premises domain certificate | Allows Kiuwan servers to identify themselves | 2029/10/13 |
The following table shows the provided key files:
| Location | File | Format | Content | Purpose |
|---|---|---|---|---|
| ssl/ca | cakey.pem | RSA 4096 bits PKCS #8 | The provided CA key | Allows signing certificates with the provided CA |
| ssl/kiuwan.onpremise.local | domainkey.pem | RSA 4096 bits PKCS #8 | The Kiuwan on premises domain key | Allows encrypting traffic for the provided domain |
The following table shows the provided Java keystore files:
| Location | File | Content | Purpose |
|---|---|---|---|
| ssl/kiuwan.onpremise.local | domainkeystore.jks | This keystore contains cacert.pem and domaincert.pem files. Its password is the one provided in the default installation configuration (see java.keystore.password property). | Allows Kiuwan instances to identify themselves to enable secure connections |
| ssl/kiuwan.onpremise.local | truststore.jks | This keystore contains all the CA certificates included in the OpenJDK default truststore (see next row in this table) plus the provided CA certificate. Its password is the one provided in the default installation configuration (see java.truststore.password property). | Allows Kiuwan instances to communicate to external servers that offer certificates signed by trusted CAs (needed both for AWS based installations and Kiuwan central servers communications) |
| ssl/truststore | truststore.jks | This keystore contains the OpenJDK trusted CAs as of 2019/10/16. Its password is the one provided by OpenJDK for its cacerts file. | Allows generating a custom truststore that includes most needed trusted CAs certificates plus the one provided by the installation tool |
Generating certificates for a custom domain
Using certificates signed by a recognized CA