Limiting Acceptance of Self-Signed Certificates for HTTPS Web Services

Overview

Workload Manager has the ability to initiate connections to web services via the HTTPS protocol. These web service calls are invoked in the following use cases:

Web service calls from Workload Manager to web sites that do not have a certificate authority signed certificate will succeed by default. As a CloudCenter Suite administrator, you can configure CloudCenter Suite to reject self-signed certificates, with exceptions for certain host:port combinations. This is done by editing the Kubernetes configmap for the cloudcenter-manager pod.

Procedure

The procedure for allowing calls to only certain web services that use self-signed certificates is as follows.

  1. Install kubectl on your computer, download the CloudCenter Suite provided Kubeconfig file, then move the kubeconfig file to the location specified in the $KUBECONFIG environment variable. This allows you to connect to the CloudCenter Suite cluster with kubectl from your computer.
  2. From the command prompt of your computer, use kubectl to ensure your CloudCenter Suite instance has a configmap for the cloudcenter-manager pod:

    kubectl get configmaps -n cisco
  3. Once confirmed, use kubectl to launch your default editor to edit the cloudcenter-manager configmap:

    kubectl edit configmaps cloudcenter-manager -n cisco

    Your editor should display the configmap in edit mode to allow you to modify it:

    apiVersion: v1
    data:
      external.hosts: "hostA:portA"
    kind: ConfigMap
    metadata:
      creationTimestamp: 2018-12-19T15:31:04Z
      labels:
        app: cloudcenter-ccm-backend-5.0.0
        chart: cloudcenter-ccm-backend-5.0.0
        heritage: Tiller
        purpose: configuration
        release: workload-manager
      name: cloudcenter-manager
      namespace: cisco
      resourceVersion: "18309514"
      selfLink: /api/v1/namespaces/cisco/configmaps/cloudcenter-manager
      uid: 18c30efe-03a3-11e9-bd86-42010a80004a
  4. Using your editor:
    1. Edit the external.hosts property: Replace the default value with a comma-separated list of host:port combinations (enclosed in double quotes) for the services whose self-signed certificates you want to allow.
    2. Create a property called allow.self.signed.certs and set the value to "false". Insert this right after the external.hosts property.
    3. Save the file and exit your editor.
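The following POSIX shell script is an added example and is not part of the Cisco documentation or the product. It applies the same two properties as steps 3 and 4 above, but with kubectl patch instead of an interactive editor, after checking that every entry in the allow list is a well-formed host:port pair. The namespace (cisco) and configmap name (cloudcenter-manager) are taken from the page; the host names in the usage call are constructed sample values, and the APPLY variable is an assumption of this script used to keep it a dry run unless explicitly enabled.

```shell
#!/bin/sh
# Added example (not from the Cisco documentation): validate a host:port allow
# list and set external.hosts / allow.self.signed.certs on the
# cloudcenter-manager configmap in the cisco namespace.

# validate_hosts LIST
# Returns 0 when LIST is a non-empty, comma-separated list in which every entry
# is host:port with a hostname made of letters, digits, dots and hyphens and a
# numeric port in 1..65535; returns 1 otherwise.
validate_hosts() {
  list="$1"
  [ -n "$list" ] || return 1
  old_ifs="$IFS"; IFS=','
  for entry in $list; do
    host="${entry%%:*}"
    port="${entry##*:}"
    # Exactly one colon: reassembling host and port must give the entry back.
    [ "$host:$port" = "$entry" ] || { IFS="$old_ifs"; return 1; }
    case "$host" in ''|*[!A-Za-z0-9.-]*) IFS="$old_ifs"; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) IFS="$old_ifs"; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { IFS="$old_ifs"; return 1; }
  done
  IFS="$old_ifs"
  return 0
}

# build_patch LIST
# Prints the JSON merge patch that sets the allow list and turns off blanket
# acceptance of self-signed certificates.
build_patch() {
  printf '{"data":{"external.hosts":"%s","allow.self.signed.certs":"false"}}' "$1"
}

# apply_patch LIST
# Validates LIST, then patches the configmap. Runs the real kubectl command only
# when APPLY=1 (assumed convention of this script); otherwise prints the command.
apply_patch() {
  validate_hosts "$1" || { echo "invalid host:port list: $1" >&2; return 1; }
  patch=$(build_patch "$1")
  if [ "${APPLY:-0}" = "1" ]; then
    kubectl patch configmap cloudcenter-manager -n cisco --type merge -p "$patch"
  else
    echo "dry run: kubectl patch configmap cloudcenter-manager -n cisco --type merge -p '$patch'"
  fi
}

# Constructed sample allow list; replace with the real services before use.
apply_patch "hostA:8443,hostB:443"
```

After applying, confirm the result with `kubectl get configmap cloudcenter-manager -n cisco -o yaml` and check that both keys appear under data. A merge patch does not control key order inside the configmap; that is fine, because data is a map and the page's instruction to place allow.self.signed.certs right after external.hosts is about editor layout, not semantics.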

© 2017-2019 Cisco Systems, Inc. All rights reserved