Configuring Transport Layer Security (TLS)
You must do the following to configure Unravel with TLS:
By default, all certificates are stored in data/certificates.
Configuring Truststore
You must add the certificate to the Truststore and then enable the Truststore. The following certificate formats are supported:
PEM (.pem)
JKS (.jks)
PKCS12 (pkcs12, .p12, .pfx)
Adding certificate to the Truststore
Multiple certificates can be passed to the trust add command, and the command can be called multiple times. Every call adds its certificates to the Truststore. By default, the store is located at data/certificates/trusted_certs.pem and trusted_certs.pkcs12.
If the chain of trust cannot be established for a given certificate, the missing parts of the trust chain can be added to the Truststore.
Run the following steps from the manager tool to add certificates to the Truststore:
Step No. | Command |
---|---|
Step 1: Autodetect file format based on the extension. | manager config tls trust add |
Step 2: Force the uploading of certificate (pem/jks/pkcs) files. | manager config tls trust add --pem |
 | manager config tls trust add --jks |
 | manager config tls trust add --pkcs12 |
Enabling/Disabling the Truststore
The trust store can be enabled or disabled without affecting the list of trusted certificates.
Run the following from the manager tool:
manager config tls trust <enable|disable>
After enabling/disabling the Truststore, stop Unravel.
manager stop
Refresh the files and then start Unravel again.
manager refresh files
manager start
Configuring Unravel UI to use TLS
Unravel UI can be configured to use TLS. You must set the key and certificate files and then enable TLS for the UI. The supported certificate and key formats are as follows:
PEM (.pem)
Note
The key and certificate should be in separate files to avoid the validation error.
JKS (.jks)
PKCS12 (pkcs12, .p12, .pfx)
Setting key and certificate
Run the following steps from the manager tool to upload the key and certificate:
manager config tls set /path/to/key.pem /path/to/certificate.pem --key-password <password>
Note
When the set command is called multiple times, the key and certificate provided in the last call are used.
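The separate-files requirement in the PEM note above can be checked before calling manager config tls set. The following shell script is an added example, not part of the Unravel documentation or tooling; its function names and the KEY_PASSWORD variable are assumptions, and the key/certificate match check with openssl goes beyond what this page requires.

```shell
#!/bin/sh
# Added example: pre-flight checks on a PEM key/certificate pair.
# Function names and KEY_PASSWORD are assumptions, not Unravel identifiers.

# Print the label of every PEM block in a file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed only if the key file holds a private key and no certificate,
# and the certificate file holds a certificate and no private key.
check_separate() {
    key_labels=$(pem_labels "$1")
    cert_labels=$(pem_labels "$2")
    echo "$key_labels" | grep -q 'PRIVATE KEY$' ||
        { echo "no private key in $1" >&2; return 1; }
    echo "$key_labels" | grep -q '^CERTIFICATE$' &&
        { echo "$1 also contains a certificate" >&2; return 1; }
    echo "$cert_labels" | grep -q '^CERTIFICATE$' ||
        { echo "no certificate in $2" >&2; return 1; }
    echo "$cert_labels" | grep -q 'PRIVATE KEY$' &&
        { echo "$2 also contains a private key" >&2; return 1; }
    return 0
}

# Succeed only if the first certificate's public key matches the private key.
# For an encrypted key, export KEY_PASSWORD first; openssl reads it from the
# environment, so the password never appears in the process list.
check_key_match() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout \
        ${KEY_PASSWORD:+-passin env:KEY_PASSWORD}) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

preflight() {
    check_separate "$1" "$2" || return 1
    check_key_match "$1" "$2" ||
        { echo "key does not match certificate (or openssl failed)" >&2; return 1; }
    echo "ok: separate PEM files, key matches certificate"
}

# Usage: sh preflight.sh /path/to/key.pem /path/to/certificate.pem
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```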
Enabling/Disabling TLS for Unravel UI
TLS can be enabled or disabled without affecting the list of trusted certificates.
Run the following from the manager tool:
manager config tls <enable|disable>
After enabling/disabling TLS, stop Unravel.
manager stop
Refresh the files and then start Unravel again.
manager refresh files
manager start
Verifying key and certificate
You can verify the Truststore as well as the TLS configuration by running the following command from the manager tool:
manager verify tls