...
By default, Kiuwan On-Premises service connections use:
Communication between | | | Protocol | Secure connection |
---|---|---|---|---|
Any client (browser, KLA, K4D, custom REST API client, etc.) | ↔ | Kiuwan Apache load balancer | HTTPS | Yes |
Kiuwan Apache load balancer | ↔ | Kiuwan (frontal) | HTTPS | Yes |
Kiuwan (frontal, analyzer, scheduler, updater) | ↔ | MySQL database | mysql protocol (SSL can be optionally enabled) | Optional |
Kiuwan (frontal, analyzer, scheduler, updater) | ↔ | Redis cluster node | RESP (REdis Serialization Protocol) - SSL | Optional (only supported when using AWS ElastiCache) |
Redis cluster node | ↔ | Redis cluster node | RESP (REdis Serialization Protocol) | Optional (only supported when using AWS ElastiCache) |
...
Warning |
---|
Note that the previous statement means that, if you rely on the default installation configuration, all your certificates will be the same as other Kiuwan customers' certificates. We encourage you to create your own CA for signing your own domain certificates or to send a CSR to a trusted CA. See the following sections for more information on this topic. |
...
Using certificates using the provided CA or your own CA
The Kiuwan On-Premises installer (kiuwan-cluster) contains a handy tool to create certificates with either the provided CA or your own CA.
...
Remember that, as stated in Installation guide - Installation requirements, you will need the specified versions of a JRE and OpenSSL in order to be able to generate certificates using the provided tool.
...
- [INSTALL_DIR]/ssl/config/certs.properties
This is what the customizable properties of the previous file mean (default passwords are omitted):
Property | Default value | Meaning |
---|---|---|
java.keystore.password | | The password to set to the generated Java keystore |
java.truststore.password | | The password to set to the generated Java truststore |
ssl.ca.password | | The password to set to the generated CA (only applies when generating a new custom CA). The set password will be used when signing certificates as well |
ssl.country | US | Country, state, locality, organization or organization unit to set both to the subject of the CA certificate (in case you are generating a new custom CA) and to the subject of the specified domain signing request |
ssl.state | mystate | |
ssl.locality | mylocality | |
ssl.organization | mycompany | |
ssl.organization.unit | myorganizationunit | |
ssl.company.domain | mycompany.com | Company domain to set to the subject's Common Name (CN) of the CA certificate (in case you are generating a new custom CA) |
ssl.subject.alt.names | DNS:kiuwan.onpremise.local[:443,:3306,:6379] DNS:wildflykiuwan-f[1-2][:8143,:8443] DNS:wildflykiuwanContainer-f[1-2][:8143,:8443] DNS:mysqlkiuwan[:3306] DNS:mysqlkiuwanContainer[:3306] DNS:redis_0000[1-6][:6379] | Subject Alternative Names (SANs) that will be set to the specified domain certificate. These are needed in order to be able to share the same certificate between different services of the Kiuwan On-Premises infrastructure. |
...
Just replace the provided files with your own CA's ([INSTALL_DIR]/ssl/ca/cacert.pem and [INSTALL_DIR]/ssl/ca/cakey.pem).
We recommend backing up the provided CA files just in case you want to get back to the provided defaults (see Use your own CA).
...
The next step is to run the deploy-user-content.sh script to let the installer deploy your certificates to the persistent volumes. Note that once this is done, and depending on your installation needs, the following steps may change. Please refer to the Kiuwan On-Premises Distributed Installation Guide page for more information.
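Before running the script, it is worth confirming that the CA in use is no longer the shared default, that the domain certificate chains to it, and that it lists the host names your services use. The following is an added example, not part of the Kiuwan installer; it uses only the openssl CLI, and every file name in it is constructed for the demo (a throwaway "default" CA stands in for your backup of the provided CA).

```bash
#!/usr/bin/env bash
# Added example. File names under the temp dir are constructed for the demo.

# SHA-256 fingerprint of a PEM certificate (empty if unreadable).
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# True when CA $1 is readable and differs from the backed-up default CA $2.
ca_is_custom() {
  local a b
  a=$(cert_fp "$1"); b=$(cert_fp "$2")
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# True when certificate $2 chains to CA $1.
signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# True when certificate $1 lists every remaining argument as a DNS SAN.
covers_hosts() {
  local cert=$1 sans h; shift
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
         tr ',' '\n' | tr -d ' ')
  for h in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "DNS:$h" || return 1
  done
}

# Build a throwaway "default" CA, a "custom" CA and a domain certificate
# signed by the custom CA, all inside directory $1.
make_demo_pki() {
  local d=$1 ca
  for ca in default custom; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca-ca" \
      -keyout "$d/$ca-cakey.pem" -out "$d/$ca-cacert.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kiuwan.onpremise.local" \
    -keyout "$d/key.pem" -out "$d/req.pem" 2>/dev/null
  # x509 -req does not carry CSR extensions over by default, so SANs go in an -extfile.
  echo 'subjectAltName=DNS:kiuwan.onpremise.local,DNS:mysqlkiuwan' > "$d/ext.cnf"
  openssl x509 -req -in "$d/req.pem" -days 1 -CA "$d/custom-cacert.pem" \
    -CAkey "$d/custom-cakey.pem" -CAcreateserial -extfile "$d/ext.cnf" \
    -out "$d/cert.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo" &&
  ca_is_custom "$demo/custom-cacert.pem" "$demo/default-cacert.pem" &&
  signed_by "$demo/custom-cacert.pem" "$demo/cert.pem" &&
  covers_hosts "$demo/cert.pem" kiuwan.onpremise.local mysqlkiuwan &&
  echo "custom CA in use, chain and SANs OK"
rm -rf "$demo"
```

Against a real installation, pass [INSTALL_DIR]/ssl/ca/cacert.pem and your backup of the provided CA to `ca_is_custom`, and your generated domain certificate to the other two checks.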
Using certificates signed by a trusted CA
Note that the Kiuwan On-Premises installation tool does not automate this process as it may be different between organizations based on their security policies.
...
Step 3: continue with your installation
The next step is to run the deploy-user-content.sh script to let the installer deploy your certificates to the persistent volumes. Note that once this is done, and depending on your installation needs, the following steps may change. Please refer to the Kiuwan On-Premises Distributed Installation Guide page for more information.
Adding the provided or a custom CA to Kiuwan On-Premises' clients
The Kiuwan On-Premises installer tool provides default certificates for the default host name, signed by a supplied CA (Certificate Authority).
...