Enabling TLS authentication between AMI Manager and Docker
Use one of these procedures to enable TLS for communication between AMI Manager and Docker.
Before you begin
- To configure TLS, you need a digital certificate. You should have obtained or generated one before installing AMI Manager. See TLS Authentication for more details.
- If you do not have OpenSSL installed, install it before proceeding.
To implement a certificate issued by a Certificate Authority (CA)
- Use the following command to generate a key:
openssl genrsa -out <server>.key 2048
- Use the key you generated in the previous step to request a certificate from your CA.
- Use one of the following commands to extract the .cer file. Replace <certificate> with the name of your certificate:
For PKCS #7: openssl pkcs7 -print_certs -in <certificate>.p7b -out <certificate>.cer
For PKCS #12 (.pfx or .p12): openssl pkcs12 -in <certificate>.pfx -out <certificate>.cer -nodes
- Use the following command to convert the certificate you created in the previous step (<certificate>.cer) to X.509 PEM format:
openssl x509 -in <certificate>.cer -outform PEM -out <certificate>.crt
- Proceed with Importing the certificate to the truststore.
To implement a self-signed certificate
- Create a configuration file <openssl>.cnf similar to the following:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = <myCountry>
countryName_default = <myCountry>
stateOrProvinceName = <myProvince>
stateOrProvinceName_default = <myProvince>
localityName = <myLocality>
localityName_default = <myLocality>
organizationName = <Org>
organizationName_default = <Org>
organizationalUnitName = <myOrgUnit>
organizationalUnitName_default = <myOrgUnit>
commonName = <hostName>
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
# DNS.1 is the host name clients connect to. DNS.2 through DNS.6 are broad wildcard
# entries that many TLS clients reject; for production, list only the host names
# that will actually be used.
DNS.1 = <hostName>
DNS.2 = *
DNS.3 = *.com
DNS.4 = *.*.com
DNS.5 = *.*.*.com
DNS.6 = *.*.*.*.com
- Use the following command to generate a key:
openssl genrsa -out <server>.key 2048
- Use the following command to create a Certificate Signing Request (CSR):
openssl req -new -out <server>.csr -key <server>.key -config <openssl>.cnf
- Use the following command to create a certificate using the key and CSR that you created in the previous steps:
openssl x509 -req -days 3650 -in <server>.csr -signkey <server>.key -out <server>.crt -extensions v3_req -extfile <openssl>.cnf
- Proceed with Importing the certificate to the truststore.
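The following Python helper is an added example and not part of the AMI Manager documentation: it renders the <openssl>.cnf layout from the procedure above from placeholder values (the DN_FIELDS values and the host name ami.example.com are constructed), reads the [alt_names] entries back out of an existing .cnf, and flags subjectAltName entries such as a bare * or *.com that standard host-name matching rejects or that cover far more hosts than one server needs.

```python
import re

# Constructed placeholder values for the distinguished-name fields in the .cnf above.
DN_FIELDS = {
    "countryName": "US",
    "stateOrProvinceName": "New York",
    "localityName": "Armonk",
    "organizationName": "Example Org",
    "organizationalUnitName": "AMI Ops",
}

def build_openssl_cnf(dn, common_name, alt_names):
    """Render the [req] / [req_distinguished_name] / [v3_req] / [alt_names] layout
    used in the procedure above, one DNS.n entry per host name."""
    lines = ["[req]", "distinguished_name = req_distinguished_name",
             "req_extensions = v3_req", "[req_distinguished_name]"]
    for key, value in dn.items():
        lines += [f"{key} = {value}", f"{key}_default = {value}"]
    lines += [f"commonName = {common_name}", "commonName_max = 64",
              "[ v3_req ]", "basicConstraints = CA:FALSE",
              "keyUsage = nonRepudiation, digitalSignature, keyEncipherment",
              "subjectAltName = @alt_names", "[alt_names]"]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(alt_names, 1)]
    return "\n".join(lines) + "\n"

def parse_alt_names(cnf_text):
    """Read the DNS.n entries back out of the [alt_names] section of an existing .cnf."""
    parts = re.split(r"^\[[ \t]*alt_names[ \t]*\][ \t]*$", cnf_text, maxsplit=1, flags=re.M)
    section = parts[1] if len(parts) == 2 else ""
    return [m.group(1).strip() for m in re.finditer(r"^DNS\.\d+\s*=\s*(.+)$", section, re.M)]

def lint_alt_names(alt_names):
    """Return SAN entries that RFC 6125-style host-name matching rejects or that are
    far broader than one server needs: a bare '*', more than one wildcard, a wildcard
    outside the leftmost label, or a wildcard with fewer than two labels after it."""
    flagged = []
    for name in alt_names:
        if "*" not in name:
            continue
        labels = name.split(".")
        if name.count("*") > 1 or labels[0] != "*" or len(labels) < 3:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    # Placeholder host name; the wildcard entries mirror the .cnf shown above.
    cnf = build_openssl_cnf(DN_FIELDS, "ami.example.com",
                            ["ami.example.com", "*", "*.com", "*.*.com"])
    for bad in lint_alt_names(parse_alt_names(cnf)):
        print(f"overly broad subjectAltName entry: {bad}")
```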
Importing the certificate to the truststore
- Copy your X.509 certificate file to the system where AMI Manager is installed.
- Run the following command on the system where AMI Manager is installed:
keytool -import -trustcacerts -keystore <full path to your truststore file> -storepass changeit -noprompt -alias <alias name> -file <full path to certificate file>
Starting Docker with the new certificate
- Copy your X.509 certificate and key files to the system where Docker is installed.
- If the Docker container is already running, run the following commands to stop and remove it:
docker stop <my_container>
For example: docker stop amioi-server
docker rm <my_container>
For example: docker rm amioi-server
- Use one of the following commands to start Docker using your certificate.
On Linux, run the following command:
./container-shell-lpqmb1.2.00.sh u=<EPD_Username> p=<portNumber> crt=<crtFilePath> key=<keyFilePath>
For example: ./container-shell-lpqmb1.2.00.sh u=somebody p=99999 crt=certificate.crt key=private.key
On zCX, run the following command:
./run.sh crt=<crtFilePath> key=<keyFilePath>
For example: ./run.sh crt=certificate.crt key=private.key
- Restart AMI Manager.