Managing certificates with Vault
By default, the HCL Commerce Docker containers support the use of Vault as the certificate management system.
For more information about Vault, see Vault.
Internal certificates
For the internal certification between the HCL Commerce Docker containers, you must ensure that the Common Name (CN) in your certificate and "SubjectAlternativeName" can match the host name that the Docker containers will use. Also, when other source containers connect to a target container, the source container must use the target container's host name. There is strict verification logic in place to check whether the host name that is used in a request is the same as the SubjectAlternativeName in the certificate on the target container. If the host names do not match, then the connection fails.
SubjectAlternativeName [
DNSName: *
DNSName: app
DNSName: web
DNSName: search
DNSName: store
DNSName: tooling-web
DNSName: store-web
DNSName: query
DNSName: data-query
DNSName: ingest
DNSName: nifi
DNSName: registry
DNSName: elasticsearch
DNSName: zookeeper
DNSName: localhost
DNSName: search_master
DNSName: search_repeater
DNSName: search_slave
]
If you do not use the default host names then you need to reconfigure the connections between containers. To learn how to create your own certificates, see Managing certificates manually. Otherwise you can use Vault as the certificate authority (CA).
Configuring Vault to act as the certificate authority (CA)
selfserve_production_pki
' and PKI role as
'generate-cert
'. Assuming that you have Vault installed, unsealed, and an
environment that has a Vault client that can connect to the Vault server with the correct address
and token, you can complete the following steps to set up Vault as a CA.- Create a PKI type backend.
vault secrets enable -path=selfserve_production_pki -description="SelfServe Root CA" -max-lease-ttl=87600h pki
- Enable Vault PKI feature to act as the Certificate Authority (CA) organization to issue certificates.
- Run the command to create a Root CA Certificate.
vault write selfserve_production_pki/root/generate/internal common_name="selfserve_production_pki Root CA" ttl=87600h key_bits=4096 exclude_cn_from_sans=true
- Run the following command to create a role that will be used to
issue certification for each Docker container.
The command completes with a Success! Data written to: selfserve_production_pki/roles/generate-cert message.vault write selfserve_production_pki/roles/generate-cert key_bits=2048 max_ttl=8760h allow_any_name=true enforce_hostnames=false
- Run the command to create a Root CA Certificate.
- Verify whether you can get certification from
PKI.
You should receive a response similar to the following output.curl -sS -X POST -H "X-Vault-Token:<Vault_token>" -d "{\"common_name\":\"<common_name>\", \"ttl\":\"1344h\"}" http://<Vault_IP>:8200/v1/selfserve_production_pki/issue/generate-cert
Key Value --- ----- lease_id cuddletech_ops/issue/web_server/e03318f2-d005-8196-4ed5-a42f9cd55238 lease_duration 2591999 lease_renewable false certificate -----BEGIN CERTIFICATE----- MIIE7jCCAtagAwIBAgIUN+vXFuIf42v1SW+mDROUVAm+lUMwDQYJKoZIhvcNAQEL BQAwKTEnMCUGA1UEAxMeQ3VkZGxldGVjaCBPcHMgSW50ZXJtZWRpYXRlIENBMB4X DTE2MDcwOTA5MzE1N1oXDTE2MDgwODA5MzIyN1owIjEgMB4GA1UEAwwXc3NsX3Rl ... issuing_ca -----BEGIN CERTIFICATE----- MIIF5DCCA8ygAwIBAgIUdhJTQb4YmCyhUUr48L20o0R+dFkwDQYJKoZIhvcNAQEL ... private_key -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEApBabDpPZIloRQUpro3tQEls0FEFvsvfraQzQJLD2dicSPZ2s CqYyT8OXMclrapG7KKTYp79AaTW8LgNg3WvCzoMGDfhLL9m0QomzrMDzoW8Q7iQO 1MV4f6JXjGMbOMMXatKQlO32fLZln8m+/yJ3pOW0S6uatFzZ/N3+ed+gDuUc7eAO ... private_key_type rsa serial_number 37:eb:d7:16:e2:1f:e3:6b:f5:49:6f:a6:0d:13:94:54:09:be:95:43 '''
Starting a container with VAULT_CA=true
TENANTENVIRONMENTENVTYPEcontainer_name.DOMAIN_NAME
pattern to apply certifications. With this mode, the host name is fixed. If you do
not provide a DOMAIN_NAME, the default is
default.svc.cluster.local.Starting a container with VAULT_CA=true and CONTAINER_HOSTNAME=customHostName
TENANTENVIRONMENTENVTYPE
.
When CONTAINER_HOSTNAME is passed, the start up logic
/SETUP/bin/updateCerts.sh applies the internal
certification based on the host name that you provide. For example, to start the
Store server Docker container with host name
mycustomstoredocker run -d -e LICENSE=accept \
-e SPIUSER_NAME=spiuser \
-e SPIUSER_PWD=<Your spiuser password that you encrypted with wcs_encrypt.sh>
-e VAULT_TOKEN=<vault_token > \
-e VAULT_URL=<vault_url. For example, http://IP:Port/v1> \
-e VAULT_CA=true \
-e CONTAINER_HOSTNAME=mycustomstore
<Store_Docker_Image>
External Certificates
For secure SSL communication between HCL Commerce and an external system, ensure that you are importing the proper certificates into your key store and trust store. Also ensure that your customization code references the correct certificate name for that communication. You can put your third party certificates in Vault to enable the updateCerts.sh configuration script to import any certificates into your key store automatically.
- Create a certificate bundle (certBundle) for your external certificate.Note: If the purpose of a certificate bundle that you are creating is to trust a certificate assigned for an external system, then only the issusing_ca must be specified. In this case the certificate and private_key values can be empty, or left out of the certBundle definition entirely.A certBundle is a JSON object containing a certificate, its private key, and the certificate authority (CA) certificate or certificate chain. An example of a certBundle is as follows.
{ "certificate": "certificate", "private_key": "private_key", "issuing_ca": "ca_certificates" }
The contents of the certificate bundle are as follows.- The certificate value holds the certificate,
in base64 PEM format, that should be assigned to the specified
HCL Commerce application server:
- The value of this certificate should be wrapped within
-----BEGIN CERTIFICATE-----\n
and-----END CERTIFICATE-----
lines of text. - The value of the certificate should only be one line of
text, and be concluded by an
\n
, to denote the end of line. - An example of the certificate value
is as
follows.
-----BEGIN CERTIFICATE-----\nMIIETDCCAjSgAwIBAgIUTrvpjzgpyt6L9AWj2E0W4ps2woswDQYJKoZIhvcNAQEL\nBQAwKzEpMCcGA1UEAwwgc2VsZnNlcnZlX3Byb2R1Y3Rpb25fcGtpIFJvb3QgQ0Ew\nHhcNMTcwOTI2MDQ1NzM3WhcNMTcxMTIxMDQ1ODA3WjAPMQ0wCwYDVQQDEwR0ZXN0\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtuWgQ5P9KjpgplOyejAE\nj5pDgSmQ6mZkbqY6gnIIKlw1I4Vulaigmeiir37NcAHtLA9HrpqafKoQqt3RPIFq\nMq2qb728JUNqdkmgp1QRnXdRVqrvGxT3o6XLMmxpkniwL+f3A/qFzuBgDJVltKLn\n1e0O3conPiiGtqaZ70+1lccKkKviLoin13T+27gFFws6dT74znCxT8c/ikXGMja1\nTDEddd+qkXlo4At104Fo7Uhx95JWorSljSTaCQkEeOjX+8SJHkARSrKeGEvkBESp\nXD23oUY9MlxGQnldioLAI5Eu8fRo3PKQUhuFnuoxTr0pO7R60AEe8E0sVU/cE3Ut\nswIDAQABo4GDMIGAMA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcD\nAQYIKwYBBQUHAwIwHQYDVR0OBBYEFLfcxphP+aSe61Mdi8IDP7bBvGXdMB8GA1Ud\nIwQYMBaAFA2X7xP+NiXXNXhJy3UQqocENxRTMA8GA1UdEQQIMAaCBHRlc3QwDQYJ\nKoZIhvcNAQELBQADggIBAH3oLFPSSgubbwhXycm+oTMnEZyUwKfwAjkc2mykDZ/p\nPPrHZKCfMuWNf8mp7mK0K8O2JjBKbUlUUJZgd/8/9d0vLqU7Hf97Xk/8d0Rxwqgd\n2OmdujQpj49NFoAC+jAcGFXASwvGAzWg4ylTi+zvpUbVpLk0hOpYnJFvxEcXj0ab\nul9Mq0hrjarmkPAoDhmWjUQG8EKiJEelIv5r4OuNIDl+N5B3BNU+g8nz4GWJKIbP\n6dEb98GJh0tFqOHoxewVmrCmMnsGfJYJDqLg+CwXHSNS8xYQnuFzcJXQ4j7Kge5P\nCeMB6fizgTiUXFexjbTv6RUk1DfOywtRu7Wus9joTpDILb/WlIUlGvRj2j395BvK\naq5nLcgSpmO46776uobh6MN6se1kmpJ20sjUZWEtJsKODSAv7LA9jsMWhh1SGEWf\nUuQ1hUKHZ2073hgc0InmYGGyTJAnI3mYIbL+ddprK1CpORAH2cruqn9I192sCWNw\npZIxuMCiRUrFWitKEkFwPfmDbVhPQ/ZvxMcdAHXJ+ZQ9RxcanmcBGnlvCjidOBZa\naLN2/Y99M26z+XcYG9rN0fx5Htf4UDENQ8kp8TITmyHdwvqVox/UXcPWzV3MD7+I\nn0UdA2lqnM2Rv+kg2MGm0u9Y/noZz4IS4YTlfxMbGF212ROcCC9/oQYy321NqBns\n-----END CERTIFICATE-----
- The value of this certificate should be wrapped within
- The private_key value holds the private key
matching the certificate, and it is required to install the
certificate for the HCL Commerce application server:
- The value of this certificate should be wrapped within
-----BEGIN RSA PRIVATE KEY-----\n
and-----END RSA PRIVATE KEY-----
lines of text. - The value of the certificate should only be one line of
text, and be concluded by an
\n
, to denote the end of line. - An example of the certificate value
is as
follows.
-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEAtuWgQ5P9KjpgplOyejAEj5pDgSmQ6mZkbqY6gnIIKlw1I4Vu\nlaigmeiir37NcAHtLA9HrpqafKoQqt3RPIFqMq2qb728JUNqdkmgp1QRnXdRVqrv\nGxT3o6XLMmxpkniwL+f3A/qFzuBgDJVltKLn1e0O3conPiiGtqaZ70+1lccKkKvi\nLoin13T+27gFFws6dT74znCxT8c/ikXGMja1TDEddd+qkXlo4At104Fo7Uhx95JW\norSljSTaCQkEeOjX+8SJHkARSrKeGEvkBESpXD23oUY9MlxGQnldioLAI5Eu8fRo\n3PKQUhuFnuoxTr0pO7R60AEe8E0sVU/cE3UtswIDAQABAoIBAB3kQ6An1K2NIvSs\nIzRTGru5k6TNfVDB8VIgOtnM90atEUY/7YXqLG1bFxOlnr/aoL+ds7J2tB8B0H2M\niUDhSdEEjyF6GgDhFspEWExgsgxRTuriPvfnIl4Nn7sa+tokfW8m8zkkPbBE/Y2w\n8RFnuoo9FzvqaSWAjBvX+LqjBWN4AGHxPcBcZs/H4U7RvdO0etX2Zbpjs62K/KO3\ni3e4MXgGZtj0Vx2LYD/AYSbqEoo1v8/U1AbGmsCTTNc2EwARhyb1zUgO7yc9yft6\nUoAC6pZjxOFsJtwz26jpNdqXz9t1xml3XnNusqHe+hgStQlIL2mgU8qj18q5pqpu\nkehM9LECgYEAxiU9WA7kQTp8hGKTRqrRbcGBsLTGxsYeILFQggtJBOZ5ngOH35Nd\nUIzQ1EjKODFEzGH9qPBBfE6BNdl3naHuYgIS3Uz8FCAwsOZAW6X8tC7VU/ZrwKUA\nF3Rc2iek+J1bdaz5o3hnR2eY/6kVuNHznxqIzK+JuZ7Dq/wEMlAL4gkCgYEA7Eyb\n4uyQFMXfPLiZPn7opNlgmi4i5lNLbPAjJq0dagdP8HbhLBqQThMcyAnu9rJmNm6t\n2Wu8kkKIpcZiGOVzFQvoTWOm6KGU/nIFFH1p6AAz/hvhATFA8HpLe9B7la9T6c5R\nabbtFbUNrHyoieMsIxkrjPo1zVIThLJeIVdoUNsCgYEAwuhKyV4MpSU06rxUhsTs\nsXwRaJLKnSiw5hPFT8ZuE0XrB8YNV52LwvphSRA46sF8HVeevxlmMTK/4wqBoSty\nZDIKAGoD5IAtpTU4xW4nf845xhe1spAb4PZzh5xLqMqQ9tYp0eVUImcDlyjp1x2e\n+TiOrFlXrqE/dOO39Q3MQpECgYEA5plMd4OMh/kiBcvQIOEQf+9zCoODo2od7U3b\nv96pGdPQ+0XIMJYrxUV5jO3EuhMXFH+mQMuW1tT/LWgQS2N/j0ZziTJ6rAMjt7vl\noT1SoQmxs4XZaqR6TzPJfibStBzJsx2Y7aWKcOijU3TDtOxxIj9p9MYowxoZ2iGH\nItp9/okCgYEAh6lbVbf77NArp1FsocQoeZ2ZL1hsOXpmRwpNmePPA6DfjqJyttpH\ngSh8Z0daqMvojStilhwIkEURy9ITuPYoKt2blWQY8RY//H1zFnwKg2AJR5PvlWcT\n0JBxt4cHMYy6jW2Q8/ZTVuttPd+UVIDehTFN6oyWF6FBgKxLO5bSjzc=\n-----END RSA PRIVATE KEY-----
- The value of this certificate should be wrapped within
- The issuing_ca value holds the certificate
authority (CA) certificate, or certificate authority certificate
chain, that are used to validate the certificate. For example,
if the certificate is signed by an intermediate CA certificate,
both the intermediate CA certificate and its root CA certificate
should be included within the issuing_ca
value.
- The value of this certificate should be wrapped within
-----BEGIN CERTIFICATE-----\n
and-----END CERTIFICATE-----
lines of text. - The value of the certificate should only be one line of
text, and be concluded by an
\n
, to denote the end of line. - An example of the issuing_ca value is
as
follows.
-----BEGIN CERTIFICATE-----\nMIIFJjCCAw6gAwIBAgIUDUnfHPvwqpztM2lJh40lVUmTjV8wDQYJKoZIhvcNAQEL\nBQAwKzEpMCcGA1UEAwwgc2VsZnNlcnZlX3Byb2R1Y3Rpb25fcGtpIFJvb3QgQ0Ew\nHhcNMTcwODI1MDUwNTEzWhcNMjcwODIzMDUwNTQzWjArMSkwJwYDVQQDDCBzZWxm\nc2VydmVfcHJvZHVjdGlvbl9wa2kgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD\nggIPADCCAgoCggIBAM5LpBH9Qyg5VjTkdMj61gt72CVIrqE5s9iD+Bpb2hlLnWdb\n52FtcgCxIRca8kJhCYK53dNVmCP8d7LSzogxdIHyzEe5f405ukJVZIbYEYcA4BLK\n3UU322bYJkTTToABwV+XhlHjLhaze9GLo4snCklxAzafWvqR1C0faB2dPtq5WyQi\n/2uCvGHcpqe/ozNvZON6eYkjQpCwHftR0TwVVb435hvJb6FeeV95MgVq/C0pZFG4\nGLgJNj4GK4BtG2wsIDVMMcaoFrSKfKDqyE+4ekvzYP4nDzbYK5XsgH7/7XB9tL7w\nwMVj0J1mR3TbxVTBZyk509F0oXqBcNb6vvybJevhDlkXMQPgxyOmogm6GUQ3beMX\nsRpN5uotnbWaF0MQbgo8YrgQX3BGrLmKRfk9rIMoBKabptDMRw5Df1ouu5D9Jb3b\n3nlelkRXR5qb0R68CM0S78KqVB32NQsLixQ58YUKmcvlQcaIF9cwC28+LYm4sRq/\nV0tCl68K19PmgZT+Qr0Apakw+vlQ8ojvT+/wTVtg+gphuG7Ovv00xRXa/dpoC3Ff\nOktxUmu3bh4YU/IVCT3+YbwB7vyOfKGTwSmVK+s5gt4MDM65zX58xa85psJI8mqP\nCwKGDleglrAIrHxxg2wKrIibiIriSnjJsKqCzpcm9+6V4zewwQFqdfr1R92rAgMB\nAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW\nBBQNl+8T/jYl1zV4Sct1EKqHBDcUUzANBgkqhkiG9w0BAQsFAAOCAgEAYo+vaKzi\nW2YTogGvuDvWnFzDtRa6zfB1UNqUTiacmr9ISqTDGJPOE7o7+5//31yS63/VuPAb\nsskfjtbywGUcjLEoa//vqDUA5VPQSr2MGpqZItt+QQ7eIQPQEt6IaqohmIxvgyDI\nvV35Ld06slZju9IZJdOx5GyRU49ZrhTciNeHBFJbPTzTWw7swjP1Kj13BJ9++YlU\ndHHnJecMgRPXbbFn8cThcIUwhaTEWFhlC7zc4YUpTm8nmHaCLmG8TM7tYLaymHqd\nypMBa3TrGr4+XIgwkWWb9h9+JnlBXc+aq2pJulErzN3raytzv+iTOwcI+YCufgee\nAf25Zzk9t75KIHjSdqu1U/QXiPSgJgr7o2yrtZbeLT+eMHuhCfbuWduipuRgTlUk\na8hvoiFDabCrlJABDYHNO8WMCIqX9qja0crqA1JbPXAEMiYwdtoU+p27CtNupGVE\nQENamacyYD5VhApTnxACwwakMep0jDYQUXUYTeLz6Aj3vVUJl54/3Uqbh6fxKamh\n8xDeb+HjhO5UKDkfAH0qe17qSGGVftMI3YMPCEqrvnnoVl8VHxpvdVjjJoHEEKoE\ne8mrX4Jp9O3xVcGFItMQQzvWc1A47ewqIy6x+bk+0W8fL6+rKd+8U7aRIvC7LFiw\nluvq3QIacuHULtox36A7HFmlYDQ1ozh+tLI=\n-----END CERTIFICATE-----
- The value of this certificate should be wrapped within
- The certificate value holds the certificate,
in base64 PEM format, that should be assigned to the specified
HCL Commerce application server:
- Write the certBundle data to Vault.Important: Each certBundle must have a unique name. For example,
cert1
andcert2
.For example, the following curl command writes the contents of the certBundle, cert_bundle_json, to thecert1
definition under a specified tenant and environment.curl -sS -X POST -H "X-Vault-Token:<Vault_token>" -d "{\"value\":<cert_bundle_json>}" http://<Vault_IP>:8200/v1/<tenant>/<environment>/certs/cert1
- Specify which certBundle certificates should be deployed to each HCL Commerce application server.
This is done by updating the
certsBundle
definition on your specified tenant and environment, {tenant}/{environment}/certsBundle, with the following JSON object format.{ "value": { "tsapp": "cert1,cert2", "crsapp": "cert1,cert2", "searchapp": "cert1,cert2", "xcapp": "cert1,cert2", "storeapp": "cert1,cert2" } }
In this example, both certsBundle
cert1
andcert2
are deployed to, and applied within, five HCL Commerce application servers. - Deploy your HCL Commerce applications to apply the external
certificates.
Certificates will not be applied by the updateCerts.sh utility script without a deployment to trigger it.