
Secure the Output Engine Services


For security reasons, we strongly recommend configuring the TLS encryption and regenerating the client secret in the OIDC identity provider.


Configure the TLS Encryption

  1. To secure the connections between the services on the server, the certificate must contain localhost (for self-signed certificates) and the Consul-specific server name, for example <hostname>.node.dc1.consul (for any certificate). See the Requirement.

  2. After the Secure PLOSSYS Administrator step, the certificate files are already located in C:\ProgramData\SEAL Systems\config\tls\. You only have to specify the directory:

    • TLS_DIR: Directory for storing the files necessary for secure transfer within the Output Engine services.

    Example - setting key via PLOSSYS CLI

    plossys config set TLS_DIR "C:\ProgramData\SEAL Systems\config\tls" --insecure
    

    Hint - min TLS version

    To set the minimum TLS protocol version to be used between services, use the TLS_MIN_VERSION key.

  3. Restart PLOSSYS Output Engine.
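
One way to check, before the restart, that the certificate in the TLS directory carries the names required in step 1. This is an added example, not part of the SEAL Systems documentation. The file name cert.pem, the function name Test-OutputEngineCertNames and the default Consul node name (the Windows computer name in datacenter dc1) are assumptions, as is looking the names up in the certificate's subject alternative names.

```powershell
# Added example, not part of the SEAL Systems documentation.
# Assumptions: the certificate file name (cert.pem), the names being carried as
# subject alternative names, and the Consul node name being the lower-cased
# Windows computer name in datacenter dc1.
function Test-OutputEngineCertNames {
    param(
        [string]$CertPath   = 'C:\ProgramData\SEAL Systems\config\tls\cert.pem',
        [string]$ConsulName = ('{0}.node.dc1.consul' -f $env:COMPUTERNAME)
    )

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

    # The Subject Alternative Name extension has OID 2.5.29.17.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        # Format($true) prints one "<label>=<value>" entry per line. The label
        # is localized by Windows, so only the value after "=" is used.
        $sanNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            $parts = $_ -split '=', 2
            if ($parts.Count -eq 2) { $parts[1].Trim().ToLower() }
        })
    }

    # The Consul-specific name is required for any certificate;
    # localhost is required in addition when the certificate is self-signed.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $required = @($ConsulName.ToLower())
    if ($selfSigned) { $required += 'localhost' }

    [pscustomobject]@{
        SelfSigned   = $selfSigned
        SanNames     = $sanNames
        MissingNames = @($required | Where-Object { $_ -notin $sanNames })
        Expired      = ($cert.NotAfter -lt (Get-Date))
    }
}

Test-OutputEngineCertNames | Format-List
```

An empty MissingNames list and Expired = False mean the certificate matches the naming requirement; pass -CertPath and -ConsulName explicitly if your file or node name differs from the assumed defaults.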

Configure the TLS Encryption in a Cluster

If you are running PLOSSYS Output Engine in a cluster, execute the configuration steps above on all Output Engine servers.


Regenerate the Client Secret in the OIDC Identity Provider

  1. In the OIDC identity provider, regenerate the secret for the seal-plossys-cli client. Refer to the SEAL Interfaces for OIDC documentation.

  2. For the PLOSSYS CLI call, specify the regenerated client secret in the following Windows environment variable:

    • AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossys-cli client.

Next Step

Continue with: Secure Consul

