Skip to main content
Version: 2.1.0

Enable TLS for Secure Communication

As RTUS may be used to transfer sensitive data, all communication to and from RTUS will requires a secure communication channel. To prevent several attack vectors, HTTP over TLS, or HTTPS, for that channel need to be enabled.

At the minimum, all communication to and from external should be protected by HTTP over TLS. Some project may require that traffic routed within the Kubernetes Cluster to be also TLS protected. The general steps to enable TLS for RTUS as follows:

Create a Keystore to store SSL certificate

Use the keytool provided in JDK to create new Keystore and import your SSL certificate into it:

keytool -import -aliasalias name -file certificate file -keystore keystore filename -storepass password
  • alias name : the alias name for the keystore.
  • certificate file : the SSL certificate in CRT format. https://docs.fileformat.com/web/crt/
  • keystore filename : the keystore filename to use. E.g., keystore.p12
  • password : a password for the keystore
note

The two most common formats used for keystores are JKS, a proprietary format specific for Java, and PKCS12, an industry-standard format. JKS used to be the default choice, but since Java 9 it's PKCS12 the recommended format.

In this section we will use PKCS12 format.

Enable SSL in RTUS

To enable SSL for RTUS container, add the following environment variables into the containers:

server.port=8443
server.ssl.key-store=/etc/ssl/certs/keystore filename
server.ssl.key-store-password=password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=alias name
note

Listening port has been changed to 8443 instead of 8080.

Store Keystore as Kubernetes Secrets

Store the keystore as Kubernetes secrets using the following command:

kubectl create secret generic secret name --from-file=keystore filename

Mounting the Secrets as Volume in the RTUS Containers

Modify the Kubernetes deployment manifest to mount the secret as a volume.

For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rtus-pms
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rtus-pms
  template:
    metadata:
      labels:
        app: rtus-pms
    spec:
      containers:
      - name: rtus-pms
        image: rtus-pms:latest
        ports:
        - containerPort: 8443
        volumeMounts:
        - name: ssl-certs
          mountPath: /etc/ssl/certs
          readOnly: true
    volumes:
      - name: ssl-certs
        secret:
          secretName: ssl-certs