forked from cryostatio/cryostatio.github.io
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs(guides): update guide for trusted TLS certs (cryostatio#181)
- Loading branch information
1 parent
8312754
commit fe4f286
Showing
3 changed files
with
21 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,40 +1,35 @@ | ||
| ## [Add a Trusted Certificate](#add-a-trusted-certificate) | ||
| If you have Java Management Extensions **(JMX)** over `SSL` enabled on your containerized **JVMs**, you must configure **Cryostat** to trust the `SSL` certificate presented by the containerized **JVM** when **Cryostat** attempts to open a **JMX** connection. If you do not complete this configuration, **Cryostat** cannot open a **JMX** connection for the purposes of performing **JFR** management tasks. | ||
|
|
||
| Here's how to add a trusted `SSL` certificate with the **Cryostat Web** UI. | ||
| If you have Java Management Extensions **(JMX)** over `SSL` enabled on your containerized **JVMs**, you must configure **Cryostat** to trust the `SSL/TLS` certificate presented by the containerized **JVM** when **Cryostat** attempts to open a **JMX** connection. If you do not complete this configuration, **Cryostat** cannot open a **JMX** connection for the purposes of performing **JFR** management tasks. | ||
|
|
||
| <ol> | ||
| <li> | ||
| {% include howto_step.html | ||
| summary="Navigate to the <i>Security</i> Tab" | ||
| image-name="3.0.0/navigate-to-security.png" | ||
| text="Click the <i>Security</i> tab." | ||
| text="Click the <i>Security</i> tab. This should initially be in an empty state if you have not yet defined any additional trusted certificates." | ||
| %} | ||
| </li> | ||
| </ol> | ||
|
|
||
| In order to add a trusted certificate to Cryostat's custom truststore you must first determine the directory that Cryostat loads certificates from. | ||
| This is controlled by the configuration property `ssl.truststore.dir` and defaults to `/truststore`. If you are deploying Cryostat manually in an | ||
| environment like Podman or Docker Compose, you should create a volume containing the certificates and mount it to this location, or bind-mount a host | ||
| directory to this location. If you are using the Cryostat Helm Chart then you should create Secrets containing each trusted certificate and mount | ||
| each within this location. If you are using the Cryostat Operator, you should use the `.Spec.TrustedCertSecrets` `CR` property. | ||
|
|
||
| Once you have loaded your additional certificates to the truststore you must restart the Cryostat container, since it can only load certificates | ||
| into the JVM truststore at startup time. The container may be restarted automatically when you modify the configuration, depending on your deployment | ||
| platform. | ||
|
|
||
| After you have loaded the certificates and verified that the Cryostat container has restarted, you can verify that Cryostat correctly found the | ||
| certificate(s) within the truststore directory. | ||
|
|
||
| <ol> | ||
| <li> | ||
| {% include howto_step.html | ||
| summary="Upload the Certificate" | ||
| image-name="3.0.0/add-a-trusted-certificate-upload.png" | ||
| text=" | ||
| Click the <i>Upload</i> button on the <i>Import SSL Certificates</i> card. This action opens a file-upload dialog, where you can choose the certificate that you want to upload to <b>Cryostat</b>. You can repeat this process multiple times to add multiple trusted certificates. | ||
| " | ||
| summary="Navigate to the <i>Security</i> Tab" | ||
| image-name="3.0.0/navigate-to-security-with-certs.png" | ||
| text="Click the <i>Security</i> tab. The file paths of any additional trusted certificates you have added should appear in the list." | ||
| %} | ||
| </li> | ||
| <li> | ||
| Restart <b>Cryostat</b> to apply the changes. If you do not restart your <b>Cryostat</b> instance, the added certificates are not reloaded. This causes connections to fail because the <b>Cryostat JMX</b> client cannot trust the certificates. Depending on your deployment platform and configuration, restarting <b>Cryostat</b> might require any of the following: | ||
| <ul> | ||
| <li> | ||
| On <b>OpenShift/Kubernetes</b> with <b>Cryostat Operator</b>: | ||
| <pre>oc delete cryostat/<my-cryostat-cr-name><br>oc create -f <my-cryostat-cr-name>.yaml</pre> | ||
| </li> | ||
| <li> | ||
| On <b>OpenShift/Kubernetes</b> without <b>Cryostat Operator</b>: | ||
| <pre>oc rollout retry dc/<my-cryostat-dc-name></pre> | ||
| </li> | ||
| <li> | ||
| On <b>Podman</b>: | ||
| <pre>podman restart <my-cryostat-container-id></pre> | ||
| </li> | ||
| </ul> | ||
| </li> | ||
| </ol> |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.