kabanero-io / kabanero-command-line-services

This repo will be archived soon.
Apache License 2.0

update TLS termination for CLI Service #163

Closed tseelbach closed 4 years ago

tseelbach commented 4 years ago

The CLI / REST service Route currently uses tls.termination: passthrough. We think it should be reencrypt, because if every service (landing, cli, what else?) uses passthrough they would each have unique certificate requirements.

Or, if customers require choice of passthrough, reencrypt, or edge then we need to know that as well.

These security choices should be made at install time for Kabanero as part of the overall security strategy and not as a unique experience for the CLI / REST service.

davco01a commented 4 years ago

Had a useful discussion with the Operator team; they will automatically configure this for the CLI service. The server.xml for the CLI service (copied in by the Dockerfile) will have to be updated to reference this new key:


    <keyStore id="kabaneroLanding"
              password="changeit"
              location="/etc/tls/secrets/java.io/landingpage/keystores/keystore.p12"
              type="PKCS12"/>
    <ssl id="defaultSSLConfig" keyStoreRef="kabaneroLanding" trustDefaultCerts="true" sslProtocol="TLSv1.2"/>

davco01a commented 4 years ago

Closing based on reencrypt on the CLI route being in place in the operator.
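
Added example, not part of this thread or of the Kabanero project's code: a check that every Route follows one install-wide TLS termination mode, which is the consistency the opening comment asks for. The input shape follows `oc get routes -o json`; the route names and the sample data are constructed, and `audit_routes` is a hypothetical helper.

```python
import json

# Constructed sample in the shape of `oc get routes -o json`.
# Route names are hypothetical, not taken from the Kabanero operator.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "kabanero-cli"},
   "spec": {"tls": {"termination": "passthrough"}}},
  {"metadata": {"name": "kabanero-landing"},
   "spec": {"tls": {"termination": "reencrypt",
                    "insecureEdgeTerminationPolicy": "Redirect"}}},
  {"metadata": {"name": "example-plain"}, "spec": {}},
  {"metadata": {"name": "example-allow"},
   "spec": {"tls": {"termination": "reencrypt",
                    "insecureEdgeTerminationPolicy": "Allow"}}}
]}
""")

VALID_MODES = {"edge", "passthrough", "reencrypt"}


def audit_routes(route_list, policy="reencrypt"):
    """Return {route name: [findings]} for routes that deviate from the policy."""
    if policy not in VALID_MODES:
        raise ValueError(f"unknown termination mode: {policy}")
    findings = {}
    for route in route_list.get("items", []):
        name = route["metadata"]["name"]
        tls = route.get("spec", {}).get("tls") or {}
        issues = []
        mode = tls.get("termination")
        if mode is None:
            issues.append("no TLS block: route is served over plain HTTP")
        elif mode != policy:
            issues.append(f"termination is {mode}, policy is {policy}")
        # "Allow" keeps the plain-HTTP listener open next to the TLS one.
        if tls.get("insecureEdgeTerminationPolicy") == "Allow":
            issues.append("insecureEdgeTerminationPolicy Allow permits plain HTTP")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_routes(SAMPLE).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Pass `policy="passthrough"` or `policy="edge"` if the install-time decision is different; the check only enforces that every route agrees with it.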