
Secure Consul


For security reasons, we strongly recommend configuring TLS encryption.

Caution - firewall

Because anyone who can reach the Consul web interface on port 8500 can change the configuration, including the user authorization, we strongly recommend protecting Consul with a firewall. Only the PLOSSYS 5 servers and, if necessary, the workstations of the system administrators should have access to Consul.


Configure the TLS Encryption

The connection to Consul is secured by the TLS certificate located in the /opt/seal/etc/tls directory. This means that once you have replaced the self-signed certificate enclosed in the delivery with your own certificate, as described in Secure the PLOSSYS 5 Services, the connection to Consul is already secured.


Specify the CA Certificate (If Available)

This step is only required if your certificate comes with a CA certificate. If a CA certificate is configured, the certificate presented when the connection is established is checked for validity against it. The CA certificate is saved in /opt/seal/etc/tls/ca.pem.

  1. Open the Consul configuration file on the PLOSSYS 5 server:

    /opt/seal/etc/consul.json
    
  2. Insert the following lines in the first level, for example, above acl_datacenter:

    {
      "ca_file": "/opt/seal/etc/tls/ca.pem",
      "verify_outgoing": true,
      "acl_datacenter": "dc1",
    ...
    }
    

    Caution - JSON structure

    Make sure the configuration file remains valid JSON (matching braces, no trailing comma before a closing brace). For further information, refer to http://json.org/json-de.html.

  3. Save the configuration file.

  4. Restart the following service:

    • seal-consul-agent
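
The JSON caution above is easy to violate when editing by hand. The following Python script is an added example and not part of the PLOSSYS 5 documentation or product: it parses a consul.json, reports the exact position of a syntax error such as a trailing comma, and checks that ca_file and verify_outgoing are set as described in step 2. The file path and field names come from the step above; the two sample configurations embedded in the script are constructed.

```python
# Added example (not part of the PLOSSYS 5 product): check that consul.json is valid
# JSON and that the CA settings from the step above are present.
import json
import os

# Constructed sample: the settings from the step above as a complete, valid file.
SAMPLE_VALID = """{
  "ca_file": "/opt/seal/etc/tls/ca.pem",
  "verify_outgoing": true,
  "acl_datacenter": "dc1"
}"""

# Constructed sample of the mistake the caution warns about: a trailing comma
# before the closing brace makes the whole file invalid JSON.
SAMPLE_TRAILING_COMMA = """{
  "ca_file": "/opt/seal/etc/tls/ca.pem",
  "verify_outgoing": true,
  "acl_datacenter": "dc1",
}"""


def parse_consul_json(text):
    """Return (config, None) on success or (None, message) when text is not valid JSON."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"


def check_tls_settings(config, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means the CA settings are in place.
    file_exists is injectable so the check can run against a config copied from another host."""
    findings = []
    ca_file = config.get("ca_file")
    if not isinstance(ca_file, str) or not ca_file:
        findings.append("ca_file is not set: the CA certificate is not used to validate connections")
    elif not file_exists(ca_file):
        findings.append(f"ca_file {ca_file} does not exist on this host")
    if config.get("verify_outgoing") is not True:
        findings.append("verify_outgoing is not true: outgoing TLS connections are not verified")
    return findings


def check_consul_json_file(path, file_exists=os.path.isfile):
    """Read a consul.json from disk and run both checks on it."""
    with open(path, encoding="utf-8") as fh:
        config, error = parse_consul_json(fh.read())
    return [error] if error else check_tls_settings(config, file_exists)


if __name__ == "__main__":
    # Show what a trailing comma looks like to the parser, then check the real file if present.
    print(parse_consul_json(SAMPLE_TRAILING_COMMA)[1])
    path = "/opt/seal/etc/consul.json"
    if os.path.isfile(path):
        for finding in check_consul_json_file(path):
            print("WARNING:", finding)
```

Run the script on the PLOSSYS 5 server after editing the file and before restarting seal-consul-agent; a syntax error is reported with its line and column, and each missing setting produces one warning line.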

Configure the TLS Encryption in a Cluster

If you are running PLOSSYS 5 in a cluster, execute the configuration steps above on all PLOSSYS 5 servers.


Configure a Consul Key in a Cluster

For how to configure Consul in a cluster, refer to Configure Consul in a Cluster.

The communication between the Consul instances in a cluster is encrypted symmetrically with a pre-shared key. A default key is installed with the product.

Caution - security gap

Using the pre-installed key in a production system is a serious security gap, because the key is the same in every installation.


Show the Installed Keys

This is how you display all keys known to the Consul cluster:

  1. Change to the directory of the Consul program:

    /opt/seal/seal-consul-agent
    
  2. List the installed keys:

    ./consul keyring -list
    

    Hint - active key

    The active key is highlighted. GfTiHCQsAMdYyUKN+BYhMw== is the default key set during the installation.


Replace the Key

This is how you replace the key:

  1. Change to the directory of the Consul program:

    /opt/seal/seal-consul-agent
    
  2. Create a new symmetric key:

    ./consul keygen
    

    The new key <new_key> is displayed.

  3. Distribute the new key in the Consul cluster:

    ./consul keyring -install <new_key>
    
  4. Activate the new key:

    ./consul keyring -use <new_key>
    
  5. Delete the old key:

    ./consul keyring -remove <old_key>
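
The two procedures above (showing the installed keys and replacing the key) as one added Python example, which is not part of the PLOSSYS 5 documentation or product. It parses the output of ./consul keyring -list, reports whether the installation default key is still known to the cluster, and carries out steps 2 to 5 with a check between -install and -use: the new key is only activated once every member reports it, since a member without the key would drop the encrypted traffic. The "<key> [installed/members]" line layout of the list output, the binary path /opt/seal/seal-consul-agent/consul and the FakeConsul stand-in used for an offline dry run are assumptions; the sample output embedded in the script is constructed.

```python
# Added example (not part of the PLOSSYS 5 product): audit `consul keyring -list`
# output and rotate the gossip key with the checks a production rollout needs.
import base64
import binascii
import os
import re
import subprocess

DEFAULT_KEY = "GfTiHCQsAMdYyUKN+BYhMw=="           # default key set by the installation
CONSUL_BIN = "/opt/seal/seal-consul-agent/consul"  # assumed path of the consul binary
_KEY_LINE = re.compile(r"^\s*(\S+)\s+\[(\d+)/(\d+)\]\s*$")

# Constructed sample of `consul keyring -list` output; the "<key> [installed/members]"
# line layout per gossip pool is an assumption about the Consul release in use.
SAMPLE_LIST = """==> Gathering installed encryption keys...
WAN:
  GfTiHCQsAMdYyUKN+BYhMw== [3/3]
dc1 (LAN):
  GfTiHCQsAMdYyUKN+BYhMw== [3/3]
  k4e1bD1dJrVpA5qb5p9sZw== [2/3]
"""

def parse_keyring_list(output):
    """Map each key to its (installed, members) counts, one tuple per pool."""
    keys = {}
    for line in output.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            keys.setdefault(m.group(1), []).append((int(m.group(2)), int(m.group(3))))
    return keys

def key_is_valid(key):
    """Gossip keys are base64 of 16 or 32 random bytes."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) in (16, 32)

def fully_installed(keys, key):
    """True when the key is present on every member of every pool listed."""
    counts = keys.get(key)
    return bool(counts) and all(inst == total for inst, total in counts)

def default_key_present(output):
    """Audit check: does the cluster still know the installation default key?"""
    return DEFAULT_KEY in parse_keyring_list(output)

def run_consul(*args):
    """Run the real consul binary and return its stdout (a non-zero exit raises)."""
    return subprocess.run([CONSUL_BIN, *args], check=True, capture_output=True, text=True).stdout

def rotate_key(old_key, run=run_consul):
    """Steps 2 to 5 of the procedure, refusing to activate a key that is not yet
    installed on every member (members without it would drop encrypted gossip)."""
    new_key = run("keygen").strip()
    if not key_is_valid(new_key) or new_key == old_key:
        raise RuntimeError(f"keygen returned an unusable key: {new_key!r}")
    run("keyring", "-install", new_key)
    if not fully_installed(parse_keyring_list(run("keyring", "-list")), new_key):
        raise RuntimeError("new key is not installed on all members; not activating it")
    run("keyring", "-use", new_key)
    run("keyring", "-remove", old_key)
    if old_key in parse_keyring_list(run("keyring", "-list")):
        raise RuntimeError("old key is still installed after -remove")
    return new_key

class FakeConsul:
    """Constructed stand-in for the consul binary so the example runs offline."""
    def __init__(self, keys, members=3):
        self.keys = {k: members for k in keys}
        self.members, self.primary = members, keys[0]

    def __call__(self, *args):
        if args[0] == "keygen":
            return base64.b64encode(os.urandom(32)).decode() + "\n"
        flag, key = args[1], (args[2] if len(args) > 2 else None)
        if flag == "-list":
            body = [f"  {k} [{n}/{self.members}]" for k, n in self.keys.items()]
            return "\n".join(["dc1 (LAN):", *body]) + "\n"
        if flag == "-install":
            self.keys[key] = self.members
        elif flag == "-use":
            self.primary = key
        elif flag == "-remove":
            if key == self.primary:  # consul refuses to remove the primary key as well
                raise RuntimeError("cannot remove the primary key")
            del self.keys[key]
        return ""

if __name__ == "__main__":
    fake = FakeConsul([DEFAULT_KEY])  # pass run=run_consul instead to act on the real cluster
    print("rotated to", rotate_key(DEFAULT_KEY, run=fake))
    print("default key still present:", default_key_present(fake("keyring", "-list")))
```

On a PLOSSYS 5 server, call rotate_key(DEFAULT_KEY) without the run argument to execute the real commands; keep the order install, use, remove, because Consul only lets you remove a key that is no longer the primary key.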
    

Next Step

Continue with: Secure MongoDB

