Secure Internal Output Engine Services
For security reasons, we strongly recommend configuring the TLS encryption and regenerating the client secret in the OIDC identity provider.
This article describes how to secure service communication within PLOSSYS Output Engine. For how to secure services that are accessible from the outside, such as seal-plossysadmin, seal-rest, seal-ipp-checkin etc., refer to Secure Externally Accessible Services.
Configure the TLS Encryption
- For securing the connections between the services on the server, the certificate has to contain localhost for self-signed certificates and the Consul-specific server name (for example, <hostname>.node.dc1.consul) for any certificate, see the Requirement.
- Save the private key and the public certificate in the created C:\ProgramData\SEAL Systems\config\tls directory (the path contains a space, so quote it):
  copy <your_key.pem> "C:\ProgramData\SEAL Systems\config\tls\key.pem"
  copy <your_cert.pem> "C:\ProgramData\SEAL Systems\config\tls\cert.pem"
- Set the following key to the path of the certificate files:
  TLS_DIR: Directory for storing the files necessary for secure transfer within PLOSSYS Output Engine.
  Example - setting key via PLOSSYS CLI
  plossys config set TLS_DIR "C:\ProgramData\SEAL Systems\config\tls" --insecure
  Hint - min TLS version
  To set the minimum TLS protocol version to be used between services, use the TLS_MIN_VERSION key.
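The three steps above, carried out in one script, as an added example that is not part of this article and not a SEAL Systems script. Before anything is copied it checks the certificate against the requirement (Consul server name, plus localhost for a self-signed certificate) by decoding the Subject Alternative Name extension, so a certificate that would break the service-to-service connections is rejected up front. The source file paths, the Consul datacenter name dc1, the assumption that the Consul node name equals the Windows computer name, and plossys.exe being on PATH are all assumptions of this example.

```powershell
# Added example (not SEAL Systems' script): checks the certificate against the
# requirement above, stages key.pem/cert.pem in the tls directory and sets TLS_DIR.
# Assumptions: the source file paths, the Consul datacenter "dc1", the Consul node
# name being the Windows computer name, and plossys.exe being on PATH.
# Run from an elevated PowerShell on each Output Engine server.
param(
    [string]$KeyPath    = 'C:\temp\your_key.pem',    # assumption: where your key is
    [string]$CertPath   = 'C:\temp\your_cert.pem',   # assumption: where your cert is
    [string]$TlsDir     = 'C:\ProgramData\SEAL Systems\config\tls',
    [string]$Datacenter = 'dc1',                     # assumption: Consul datacenter name
    [switch]$SelfSigned                              # self-signed certs must also carry localhost
)
$ErrorActionPreference = 'Stop'

function Get-SanDnsNames {
    # Decode the SubjectAltName DER value: SEQUENCE OF GeneralName, dNSName = [2] IA5String.
    # Reading the raw bytes keeps the result independent of the Windows display language.
    param([byte[]]$Der)
    $names = @()
    $i = 0
    $i++                                              # outer SEQUENCE tag (0x30)
    $len = $Der[$i]; $i++
    if ($len -band 0x80) { $i += ($len -band 0x7F) }  # long-form length: skip the length bytes
    while ($i -lt $Der.Length) {
        $tag = $Der[$i]; $i++
        $len = $Der[$i]; $i++
        if ($len -band 0x80) {                        # long-form length of this GeneralName
            $n = $len -band 0x7F; $len = 0
            for ($k = 0; $k -lt $n; $k++) { $len = $len * 256 + $Der[$i]; $i++ }
        }
        if ($tag -eq 0x82) { $names += [Text.Encoding]::ASCII.GetString($Der, $i, $len) }
        $i += $len                                    # other name types (IP, e-mail, ...) are skipped
    }
    return $names
}

# 1. Names the certificate must carry for the connections between the services
$required = @("$($env:COMPUTERNAME.ToLower()).node.$Datacenter.consul")
if ($SelfSigned) { $required += 'localhost' }

# The X509Certificate2 constructor accepts a PEM-encoded certificate file on Windows
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
if (-not $sanExt) { throw "$CertPath has no Subject Alternative Name extension" }
$dnsNames = @(Get-SanDnsNames -Der $sanExt.RawData | ForEach-Object { $_.ToLower() })

$missing = @($required | Where-Object { $dnsNames -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Certificate is missing SAN entries: $($missing -join ', ') (present: $($dnsNames -join ', '))"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before then."
}

# 2. Stage the files under the names the product expects
New-Item -ItemType Directory -Path $TlsDir -Force | Out-Null
Copy-Item -Path $KeyPath  -Destination (Join-Path $TlsDir 'key.pem')  -Force
Copy-Item -Path $CertPath -Destination (Join-Path $TlsDir 'cert.pem') -Force

# 3. Point PLOSSYS Output Engine at the directory (same call as the article's example)
plossys config set TLS_DIR $TlsDir --insecure
# Optionally pin the minimum protocol version as well. The accepted value format is not
# stated in this article, so look it up for the TLS_MIN_VERSION key before uncommenting:
# plossys config set TLS_MIN_VERSION <version> --insecure
```

Pass -SelfSigned when the certificate is self-signed; for a CA-issued certificate the script only insists on the Consul server name. In a cluster, run it on every Output Engine server, since each server's certificate must carry that server's own Consul name.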
Configure the TLS Encryption in a Cluster
If you are running PLOSSYS Output Engine in a cluster, execute the configuration steps above on all Output Engine servers.
Regenerate the Client Secret in the OIDC Identity Provider
- In the OIDC identity provider, regenerate the secret for the seal-plossys-cli client, refer to the SEAL Interfaces for OIDC documentation.
- For the PLOSSYS CLI call, specify the regenerated client secret in the following Windows environment variable:
  AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossys-cli client.
Next Step
Continue with: Secure Consul