bcgov / quickstart-openshift

QuickStart template targeted for OpenShift.
https://quickstart-openshift-test-frontend.apps.silver.devops.gov.bc.ca/
Apache License 2.0

feat: vanity domain setup and documentation #1873

Open DerekRoberts opened 4 months ago

DerekRoberts commented 4 months ago

Via @webgismd:


[12:27 PM] Douville, Michelle R WLRS:EX

re: SSL Certs & vanity urls (but not related to the cert we were talking about on the call for encrypted listeners to oracle!) so many docs and outdated docs and threads and confluence pages and manual and not so manual maybe specs..

re: SSL Certificates https://stackoverflow.developer.gov.bc.ca/questions/172/176 (step 1 is not required for NRIDS? step 2 is different for non-NRM apps, steps 3 and 4 are slightly different now I think) *(we are working on this now for forestclient-tst.nrs.gov.bc.ca).

1. https://www2.gov.bc.ca/gov/content/governments/services-for-government/service-experience-digital-delivery/digital-delivery/web-property-process is required and your Ministry GDX contact should be notified and approve the new domain url name.
2. Create and set up DNS for a custom URL -- NRIDS Infra team does this for us, not via ServiceNow or iStore but an INFRA ticket, see below. Usually done by your Ministry's Information branch or someone who does orders via istore and/or ServiceNow. https://ociomysc.service-now.com/sp?id=ocio_sr_kb_article_view&sysparm_article=KB0031620&sys_kb_id=c66a12a8db4c0510fa8619381396197f&spa=1 You will need to get them to point the new DNS entry to IP based on the cluster your app is hosted (SILVER, GOLD or GOLDDR). The network information can be found here, it is an IDIR-protected link, please log in with IDIR to access the information. https://digital.gov.bc.ca/cloud/services/private/internal-resources/topology/ (this is done via INFRA-22467 type tickets)
3. Order SSL certificate associated with the Vanity URL. NRIDS has a different process -- there is some handshake file exchange with the Infrastructure Team and cost coding I can provide too. -- see https://apps.nrs.gov.bc.ca/int/jira/browse/SD-96171 (think what has changed since last summer is Entrust no longer supports certbot) and the process is quite manual to generate the SSL cert .. annually.
4. Install certificate in OpenShift -- look up route documentation for OpenShift. - there are a few examples, FOM being one *but it might need to be updated -- https://stackoverflow.developer.gov.bc.ca/questions/239/241#241 provides an OC CLI approach once you have the .crt file manually generated from step 3.

webgismd commented 4 months ago

https://apps.nrs.gov.bc.ca/int/confluence/display/AR/Automation+of+TLS+Certificates+for+Websites -- we could also take this up with OCIO security team .. led by Jesse Piccin

mishraomp commented 4 months ago

hopefully we have a good automated solution from OCIO, it has been a real PAIN

DerekRoberts commented 4 months ago

@mishraomp @webgismd I strongly suspect we're solving this ourselves.