search string side menu

ELMA365 On-Premises > ELMA365 On-Premises Enterprise > Administering ELMA365 Enterprise / Enable network encryption (TLS) in ELMA365 Enterprise

Enable network encryption (TLS) in ELMA365 Enterprise

ELMA365 Enterprise supports Transport Layer Security (TLS) 1.2+ for incoming and outgoing traffic. To automatically switch the application to work over the secure HTTPS protocol, enable TLS encryption support.

Enabling TLS for the ELMA365 application consists of three stages:

  1. Prepare a secret with a certificate for working via HTTPS.
  2. Make changes to the configuration file.
  3. Apply TLS parameters for ELMA365 Enterprise..

Step 1: Prepare a secret with a certificate for working via HTTPS

For details, see Create a secret with a certificate for HTTPS operation.

Step 2: Make changes to the configuration file values-elma365.yaml

Начало внимание

Changes are made in the existing configuration file values-elma365.yaml, which was obtained and filled out during the installation of ELMA365. Thoughtless changes to the parameters in this file can lead to the loss of the ELMA365 application's functionality. Before making changes to the file values-elma365.yaml, it is recommended to create a backup copy of it.

Конец внимание

  1. Fill put the configuration file values-elma365.yaml to enable TLS.

To enable encryption support, specify true in the parameter global.ingress.onpremiseTls.enabled. In this parameter, specify the name of the certificate for working via https, for example, elma365-onpremise-tls. The certificate must be issued for the domain name FQDN in the parameter global.host, through which the system will be accessible, for example example.com.

global:
  ## domain (FQDN) or ip address where the system is available
  host: 'example.com'
  ingress:
  ## enable host in ingress (value taken from host)
  ## for installed s3 minio via elma365-dbs charts, specify in the minio block
  ## the value in the hosts parameter in the values-dbs.yaml file
  hostEnabled: false
  onpremiseTls:
    ## enable https
    enabled: true
    ## name of the secret with certificates for https
    secret: "elma365-onpremise-tls"

Filling in the root CA parameters for configuring trust for a custom CA certificate

You can configure trust support if you used a self-signed certificate with OpenSSL or a certificate issued by a local certificate authority when creating a secret for HTTPS operation. This can be done in two ways:

  • Using the Kyverno add-on module. Kyverno allows you to automatically add a volume containing custom CA certificates to containers with a specific label;
  • In the ELMA365 helm chart:
    1. In the namespace where the ELMA365 application is installed, create a ConfigMap from the CA certificate file:

kubectl create configmap elma365-onpremise-ca \
--from-file=path/to/rootCA [-n namespace]

    1. In the configuration file values-elma365.yaml, specify the following values:
        • global.ingress.onpremiseTls.enabledCA — Enable the use of a custom CA root certificate by ELMA365. Set to true;
        • global.ingress.onpremiseTls.configCA — The name of the previously created ConfigMap. In this article, it is named elma365-onpremise-ca.

File example:

global:
 ...
 ingress:
   ## enable host in ingress (value taken from host)
   ## for installed s3 minio via elma365-dbs charts, specify minio in the block
   ## the value in the hosts parameter in the values-dbs.yaml file
   hostEnabled: false
   onpremiseTls:
     ## enable https
     enabled: true
     ## name of the secret with certificates for https
     secret: "elma365-onpremise-tls"
     ## enable certificate for root CA for working with https using a self-signed certificate
     enabledCA: true
     ## name of the configmap with the root CA certificate for working with https using a self-signed certificate
     configCA: "elma365-onpremise-ca"

Начало внимание

Before applying TLS parameters for the ELMA365 application, ensure that the S3 file storage operates over the HTTPS protocol (uses TLS encryption). Reconfigure the S3 file storage to work over the HTTPS protocol before enabling TLS support in the ELMA365 application.

Конец внимание

  1. Specify in the connection parameters that the S3 storage server uses TLS encryption. To do this, set true in the db.s3.ssl.enabled parameter.

...
db:
  ...  
  ## connections settings for S3 file storage
  s3:
    method: PUT
    accesskeyid: PZSF73JG72Ksd955JKU1HIA
    secretaccesskey: aFDkj28Jbs2JKbnvJH678MNwiz88zKjsuNBHHs
    bucket: s3elma365
    backend:
      address: example.com
      region: us-east-1
    ssl:
      enabled: "true"
...

Step 3: Apply TLS parameters for ELMA365 Enterprise

Update the ELMA365 application parameters using the values-elma365.yaml configuration file. The parameter update takes between 10 to 30 minutes. Wait for the ELMA365 Enterprise application parameters to be updated.

Начало внимание

When performing parameter updates, you need to:

  1. Determine the chart version with which the ELMA365 application was installed or updated.
  2. Use the same chart version to apply the new parameters to avoid any adverse effects on the application's operability.

Конец внимание

For online updates

  1. Determine the chart version with which the ELMA365 application was installed:

helm show chart elma365/elma365

Example of command execution:

enable-tls-enterprise-1

The version of the chart with which the ELMA365 application was installed is specified in the version line. This value must be specified for the --version flag (replace <elma365-chart-version>).

  1. Update the parameters specifying the installed version of the ELMA365 application and using the configuration file values-elma365.yaml:

helm upgrade --install elma365 elma365/elma365 -f values-elma365.yaml --version <elma365-chart-version> --timeout=30m --wait [-n namespace]

For offline updates without internet access

Navigate to the directory with the downloaded ELMA365 chart and execute the command:

helm upgrade --install elma365 ./elma365 -f values-elma365.yaml --timeout=30m --wait [-n namespace]

enable-portable-services.html autoscaling-service-enterprise.html

Found a typo? Highlight the text, press ctrl + enter and notify us