Overview
All communication within PLOSSYS 5 is TLS encrypted. In the standard installation, self-signed certificates are used for this.
Caution - security gap
Using the pre-installed self-signed certificates in a production system is a serious security gap!
Hint - tls directories contained in delivery
The self-signed certificates contained in delivery are hard-coded. The tls directories contained in delivery only contain examples showing which certificate files are required and what they look like.
Execute the following steps in order to avoid the annoying certificate warnings in the browser and to secure the different components of PLOSSYS 5.
Requirement
Get a TLS certificate in the PEM format with a key.pem, a cert.pem and optionally a ca.pem file.
The certificate has to contain the following entries:
- Server name of PLOSSYS 5 in order to avoid the certificate warnings in the browser
- localhost if you want to use self-signed certificates
- Consul-specific server name (for example, <hostname>.node.dc1.consul) if you want to use a certificate issued by a certificate authority (CA)
Hint - certificate authority
All TLS certificates have to be signed by the same certificate authority (CA).
Hint - cluster
In case of a cluster, either a separate certificate for each server is required or one certificate containing all names of the PLOSSYS 5 servers belonging to the cluster.
Hint - other formats
For how to convert other certificate formats, refer to Convert Certificates.
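The following shell function is an added example, not part of the PLOSSYS 5 documentation or product: it checks a directory holding key.pem, cert.pem and an optional ca.pem against the requirements listed above before the files are deployed. It assumes the openssl command-line tool is installed; the function name check_tls_dir and the host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not SEAL Systems code): pre-deployment check of a certificate
# directory. Assumes the openssl CLI; check_tls_dir is a hypothetical helper.
#
# usage: check_tls_dir DIR NAME...
#   DIR   directory holding key.pem, cert.pem and optionally ca.pem
#   NAME  every name the certificate has to contain, for example
#         check_tls_dir ./tls plossys1.example.test localhost plossys1.node.dc1.consul
check_tls_dir() {
    dir=$1; shift
    rc=0

    for f in key.pem cert.pem; do
        [ -r "$dir/$f" ] || { echo "FAIL: $dir/$f missing"; return 2; }
    done

    # 1. Every required name must match the certificate.
    for name in "$@"; do
        if openssl x509 -in "$dir/cert.pem" -noout -checkhost "$name" \
                | grep -q 'does match certificate'; then
            echo "ok:   certificate covers $name"
        else
            echo "FAIL: certificate does not cover $name"; rc=1
        fi
    done

    # 2. key.pem must be the private key of cert.pem (compare public keys).
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   key.pem matches cert.pem"
    else
        echo "FAIL: key.pem does not match cert.pem"; rc=1
    fi

    # 3. If ca.pem is present, cert.pem must verify against it.
    if [ -r "$dir/ca.pem" ]; then
        if openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1; then
            echo "ok:   cert.pem verifies against ca.pem"
        else
            echo "FAIL: cert.pem does not verify against ca.pem"; rc=1
        fi
    fi
    return $rc
}
```

In a cluster, run the check once per server directory with that server's names. Using the same ca.pem in every run also confirms that all certificates were signed by the same CA.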
Avoid the Certificate Warnings in the Browser
In order to avoid the annoying certificate warnings in the browser, execute the following steps:
- For how to secure the preconfigured Keycloak from SEAL Systems as identity provider, refer to the SEAL Interfaces for OIDC documentation.
Secure the Remaining Components
In order to secure all components of PLOSSYS 5, additionally execute the following steps:
Next Step
Continue with: Secure PLOSSYS Administrator