Secure the Output Engine Services
For security reasons, we strongly recommend configuring the TLS encryption and regenerating the client secret in the OIDC identity provider.
Configure the TLS Encryption
- To secure the connections between the services on the server, the certificate has to contain `localhost` for self-signed certificates and the Consul-specific server name (for example, `<hostname>.node.dc1.consul`) for any certificate; see the Requirement.
- After the Secure PLOSSYS Administrator step, the certificate files are already located in `/opt/seal/etc/tls`. You only have to specify the directory:

  `TLS_DIR`: Directory for storing the files necessary for secure transfer within the Output Engine services.

Example - setting key via PLOSSYS CLI
plossys config set TLS_DIR "/opt/seal/etc/tls" --insecure
Hint - min TLS version: To set the minimum TLS protocol version to be used between services, use the [`TLS_MIN_VERSION`](../../reference/keys/service_keys.md#tls_min_version) key.
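One way to verify the certificate requirement above before pointing `TLS_DIR` at the directory, as an added example that is not part of the SEAL Systems documentation or tooling. The certificate file path passed to `check_cert` and the host name `plossys1` in the sample are assumptions, since the page does not name the files inside `TLS_DIR`.

```shell
#!/bin/sh
# Added example, not SEAL Systems code. Needs OpenSSL 1.1.1+ for "-ext".

# Print the DNS entries of subjectAltName text (stdin), one per line.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# missing_sans NAME...: read subjectAltName text on stdin and print every
# required NAME that has no exact DNS entry (wildcard entries are not expanded).
missing_sans() {
    names=$(san_dns_names)
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qixF -- "$want" || printf '%s\n' "$want"
    done
}

# check_cert CERT_FILE CONSUL_NAME [self-signed]
# CERT_FILE is an assumption: the page does not name the files inside TLS_DIR.
# CONSUL_NAME is the full Consul server name, e.g. <hostname>.node.dc1.consul.
check_cert() {
    cert=$1; consul_name=$2; mode=${3:-}
    set -- "$consul_name"
    # Self-signed certificates must additionally contain "localhost".
    if [ "$mode" = "self-signed" ]; then set -- "$@" localhost; fi
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName) || return 2
    missing=$(printf '%s\n' "$san" | missing_sans "$@")
    if [ -n "$missing" ]; then
        printf 'missing DNS name in certificate: %s\n' $missing >&2
        return 1
    fi
    echo "certificate covers: $*"
}

# Constructed sample of "openssl x509 -noout -ext subjectAltName" output.
SAMPLE_SAN='X509v3 Subject Alternative Name: 
    DNS:localhost, DNS:plossys1.node.dc1.consul, IP Address:127.0.0.1'

if [ "$#" -ge 2 ]; then
    check_cert "$@"
else
    # No arguments: run on the constructed sample; reports the absent name.
    printf '%s\n' "$SAMPLE_SAN" | missing_sans localhost plossys2.node.dc1.consul
fi
```

In a cluster, run the check on each server with that server's own Consul name, because every node needs its own name in the certificate it uses.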
Configure the TLS Encryption in a Cluster
If you are running PLOSSYS Output Engine in a cluster, execute the configuration steps above on all PLOSSYS Output Engine servers.
Regenerate the Client Secret in the OIDC Identity Provider
- In the OIDC identity provider, regenerate the secret for the `seal-plossys-cli` client; refer to the SEAL Interfaces for OIDC documentation.
- For the PLOSSYS CLI call, specify the regenerated client secret in the following Linux environment variable:

  `AUTH_CLIENT_SECRET`: Client secret generated in the OIDC identity provider for the `seal-plossycli` client.

Next Step
Continue with: Secure Consul