Powered by Algolia

    Configuring HTTPS on Docker

    A first step in securing your deployment is to enable HTTPS in your docker installation. You will need to follow the process described below. The highlevel steps include:

    • Generate a certificate from you CA. (You can use a use a self-signed if this is a non-production environment).
    • Deploy the certificate
    • Restart OpenIAM
    • Validate that the https works

    Generate a certificate

    From your CA, please generate a certificate for your deployment. You will need the follow:

    • Key file
    • Certificate file
    • SSL certificate chain file or SSL CA File

    Update rProxy user access

    The rProxy Docker container runs as user rproxy with uid = 75001 in the Docker container. Since the rproxy Docker container is not running as root, it has no access by default to the /opt/openiam/httpd directory. To configure access to it:

    • The user 'rproxy' with uid = 75001 should be created on the host machine
    • The directory: /opt/openiam/httpd directory should be configured to have read access for user 'rproxy'.

    The rproxy Docker container can then map directories under /opt/openiam/httpd to Docker volumes and use certificates and keys stored there.

    sudo groupadd -g 75001 rproxy
    sudo useradd --shell /sbin/nologin -u 75001 -g 75001 rproxy

    Create the folders to deploy the certificate on the OpenIAM host

    By default, the certificates and keys are stored in the /opt/openiam/httpd/ssl-certs and the /opt/openiam/httpd/ssl-keys respectively. This location is defined in the openiam-docker-compose/3.2/rproxy-ssl/docker-compose.yaml file. Unless, you change this location, the certificates and keys must be in these two folders.

    Create the required certificate folders using the steps described below:

    sudo mkdir /opt/openiam
    sudo mkdir /opt/openiam/httpd
    sudo mkdir /opt/openiam/httpd/ssl-certs
    sudo mkdir /opt/openiam/httpd/ssl-keys
    

    sudo chown -R rproxy /opt/openiam/httpd
    sudo chmod -R 755 /opt/openiam/httpd/ssl-certs
    sudo chmod -R 700 /opt/openiam/httpd/ssl-keys

    Deploy the certificate

    Next copy the certificate files to the appropriate directories. If you are using the above defaults.

    Update OpenIAM configuration

    The use the certificates and to enable https, please update the following variables in the openiam-docker-compose/env.sh.

    Variable NameDescription
    OPENIAM_RPROXY_HTTPSet this to 0 enable HTTPS. Set it to 1 to disable https
    OPENIAM_SSL_CERTName of the cert file; ie. mycert.crt Do not include the path
    OPENIAM_SSL_CERT_KEYName of the key file; ie. mycert.key Do not inclue the path.
    OPENIAM_SSL_CAName of the SSL CA certificate. This file should be in the same folder as the cert file.

    In a multi-node environment, copy these files to other Docker nodes in the same directories too. Or, configure the /opt/openiam/httpd directory so that it can be accessed from multiple nodes.

    For these changes to take effect, you need to re-start OpenIAM. Use the ./shutdown.sh and ./start.sh utilities on the docker compose directory as you did during the installation process. Ensure that all services have stopped before re-starting.

    Validating the configuration

    There are several way to validate that your configuration for enabling SSL is working correctly. These are described below.

    Inspect the rProxy container

    Get the container ID of the rProxy by running the following

    docker ps | grep rproxy

    Use the container ID from the output to check the Apache webserver and rProx logs:

    docker logs -f [container id]

    Use the container ID in conjunction with the docker inspect to validate that our certificate directories have been mounted. 

    docker inspect [container id]

    You will a section that looks similar to this:

    "Mounts": [
                {
                    "Type": "bind",
                    "Source": "/opt/openiam/httpd/ssl-certs",
                    "Destination": "/opt/openiam/httpd/ssl-certs",
                    "Mode": "",
                    "RW": true,
                    "Propagation": "rprivate"
                },
                {
                    "Type": "bind",
                    "Source": "/opt/openiam/httpd/ssl-keys",
                    "Destination": "/opt/openiam/httpd/ssl-keys",
                    "Mode": "",
                    "RW": true,
                    "Propagation": "rprivate"
                }

    Testing using Curl

    You can test the https URL using curl as shown below

    curl -k https://localhost/idp/actuator/health

    If https is enabled, you will see a command similar to the one shown below.

    {"status":"UP"}[root@iam-docs openiam-docker-compose]

    From the browser

    The final validation is the access the OpenIAM application from the UI using either one of the following application URLs:

    https://[host name]/webconsole
    https://[host name]/selfservice

    If this is this the first time that you are logging using SSL, then the system will ask you the set another content provider. Configure it as you did during the installation process, except ensure that the Is SSL? is set to Yes as shown in the image below.

    Content provider with SSL

    Previous
    Deploying via Docker
    Next
    Configuration options