
Enable network encryption (TLS) in BRIX Enterprise

BRIX Enterprise supports Transport Layer Security (TLS) 1.2+ for incoming and outgoing traffic. To automatically switch the application to work over the secure HTTPS protocol, enable TLS encryption support.

Enabling TLS for the BRIX application consists of three stages:

  1. Prepare a secret with a certificate for working via HTTPS.
  2. Make changes to the configuration file.
  3. Apply TLS parameters for BRIX Enterprise.

Step 1: Prepare a secret with a certificate for working via HTTPS

For details, see Create a secret with a certificate for HTTPS operation.

Step 2: Make changes to the configuration file values-elma365.yaml

Attention: Changes are made in the existing configuration file values-elma365.yaml, which was obtained and filled out during the installation of BRIX. Careless changes to the parameters in this file can lead to the loss of the BRIX application's functionality. Before making changes to the file values-elma365.yaml, it is recommended to create a backup copy of it.

  1. Fill out the configuration file values-elma365.yaml to enable TLS.

To enable encryption support, specify true in the parameter global.ingress.onpremiseTls.enabled. In the parameter global.ingress.onpremiseTls.secret, specify the name of the secret with the certificate for working via HTTPS, for example, elma365-onpremise-tls. The certificate must be issued for the domain name (FQDN) specified in the parameter global.host, through which the system will be accessible, for example, example.com.

global:
  ## domain (FQDN) or ip address where the system is available
  host: 'example.com'
  ingress:
    ## enable host in ingress (value taken from host)
    ## for installed s3 minio via elma365-dbs charts, specify in the minio block
    ## the value in the hosts parameter in the values-dbs.yaml file
    hostEnabled: false
    onpremiseTls:
      ## enable https
      enabled: true
      ## name of the secret with certificates for https
      secret: "elma365-onpremise-tls"

Filling in the root CA parameters for configuring trust for a custom CA certificate

Attention: Before applying TLS parameters for the BRIX application, ensure that the S3 file storage operates over the HTTPS protocol (uses TLS encryption). Reconfigure the S3 file storage to work over the HTTPS protocol before enabling TLS support in the BRIX application.

  2. Specify in the connection parameters that the S3 storage server uses TLS encryption. To do this, set true in the db.s3.ssl.enabled parameter.

...
db:
  ...  
  ## connections settings for S3 file storage
  s3:
    method: PUT
    accesskeyid: PZSF73JG72Ksd955JKU1HIA
    secretaccesskey: aFDkj28Jbs2JKbnvJH678MNwiz88zKjsuNBHHs
    bucket: s3elma365
    backend:
      address: example.com
      region: us-east-1
    ssl:
      enabled: "true"
...
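
A pre-flight check for the settings from Step 2, run before the values file is applied. This is an added example, not part of the BRIX tooling: the function names and the constructed sample are assumptions, and the parser handles only simple nested mappings like those in the snippets above.

```python
import re

# Settings this page says to enable, as dotted paths into values-elma365.yaml.
REQUIRED = {"global.ingress.onpremiseTls.enabled": "true", "db.s3.ssl.enabled": "true"}
NON_EMPTY = ("global.host", "global.ingress.onpremiseTls.secret")

def flatten(text):
    """Flatten nested mappings into {"a.b.c": "value"}. Assumption: only
    space-indented mappings with scalar values and '#' comments, no lists."""
    out, stack = {}, []  # stack: (indent, key) of the open parent mappings
    for raw in text.splitlines():
        m = re.match(r"^( *)([\w.-]+):\s*(.*?)\s*$", raw)
        if not m:  # comment, blank line or '...' elision
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = re.sub(r"(^|\s+)#.*$", "", m.group(3))  # drop trailing comment
        while stack and stack[-1][0] >= indent:  # close finished mappings
            stack.pop()
        if value:
            out[".".join([k for _, k in stack] + [key])] = value.strip("'\"")
        else:
            stack.append((indent, key))
    return out

def preflight(text):
    """Return a list of problems; an empty list means the TLS keys are set."""
    cfg, problems = flatten(text), []
    for path, want in REQUIRED.items():
        if (got := cfg.get(path)) is None:
            problems.append(f"{path} is missing (check key nesting)")
        elif got.lower() != want:
            problems.append(f"{path} is {got!r}, expected {want}")
    problems += [f"{p} is empty or missing" for p in NON_EMPTY if not cfg.get(p)]
    return problems

# Constructed sample: 'onpremiseTls' sits beside 'ingress' instead of under it.
MISNESTED = """\
global:
  host: 'example.com'
  ingress:
  onpremiseTls:
    enabled: true
    secret: "elma365-onpremise-tls"
db:
  s3:
    ssl:
      enabled: "true"
"""
print("\n".join(preflight(MISNESTED)))
```

The sample is valid YAML, yet the parameter paths named on this page are never set in it, which is the failure this check is meant to catch.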

Step 3: Apply TLS parameters for BRIX Enterprise

Update the BRIX application parameters using the values-elma365.yaml configuration file. The parameter update takes between 10 and 30 minutes. Wait for the BRIX Enterprise application parameters to be updated.

Attention: When performing parameter updates, you need to:

  1. Determine the chart version with which the BRIX application was installed or updated.
  2. Use the same chart version to apply the new parameters to avoid any adverse effects on the application's operability.

For online updates

  1. Determine the chart version with which the BRIX application was installed:

helm show chart elma365/elma365

Example of command execution:

[Screenshot: enable-tls-enterprise-1]

The version of the chart with which the BRIX application was installed is specified in the version line. This value must be specified for the --version flag (replace <elma365-chart-version>).

  2. Update the parameters specifying the installed version of the BRIX application and using the configuration file values-elma365.yaml:

helm upgrade --install elma365 elma365/elma365 -f values-elma365.yaml --version <elma365-chart-version> --timeout=30m --wait [-n namespace]

For offline updates without internet access

Navigate to the directory with the downloaded BRIX chart and execute the command:

helm upgrade --install elma365 ./elma365 -f values-elma365.yaml --timeout=30m --wait [-n namespace]