Hardening The Deployment

To harden the demo deployment there are a number of steps to follow. The documentation below requires modifying the configuration of the Helm charts installed by following the Manual Install steps or running the deploy.sh script. To obtain the installed configuration for each installed Helm chart, run the following commands:

$ helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-backend > keysafe5-backend-values.yaml
$ helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-ui > keysafe5-ui-values.yaml
$ helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-istio > keysafe5-istio-values.yaml

Documentation for each configurable value in the Keysafe 5 Helm charts can be found by untarring the chart .tgz file and viewing the contents of either its README.md or its default values.yaml file.

Certificates

The Manual Install steps and deploy.sh script will generate and install a number of short-lived demo certificates. These must be replaced to continue using the system.

Your certificates must be X.509 v3 certificates, sometimes known as multiple-domain or SAN certificates. The X.509 Subject Alternative Name (SAN) extension allows a certificate to list multiple hostnames, and it has replaced the Common Name as the source of the hostname that clients verify.

External Keysafe 5 Server TLS Certificate

To update the TLS certificate used for the Keysafe 5 Server (for HTTPS connections to the REST API or User Interface) you must create a Kubernetes Secret containing the new certificate/private key and redeploy the keysafe5-istio Helm chart.

For more information on enabling HTTPS for helm-keysafe5-istio, see the Helm Chart Installation section of the Installation Guide.

The Manual Install steps and deploy.sh script will create a Kubernetes Secret called keysafe5-server-credential. You can either delete the existing Secret as shown below, or use a different name for the Secret containing your new TLS certificate.

$ kubectl --namespace istio-system delete secret keysafe5-server-credential

$ kubectl --namespace istio-system create secret tls keysafe5-server-credential \
  --cert=path/to/cert/file \
  --key=path/to/key/file
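As an added example (not part of the Keysafe 5 package or its documentation), the following POSIX shell preflight check can be run before the create secret tls command above. It assumes openssl is installed, and that the hostname clients will use for the Keysafe 5 Server and the minimum remaining validity in days are passed as arguments.

```shell
#!/bin/sh
# Preflight check for the Keysafe 5 external TLS certificate (added example,
# not part of the Keysafe 5 package). Run before `kubectl create secret tls`.
# Requires openssl. Hostname and minimum validity are assumptions passed in.
#
# Usage: check_tls_pair path/to/cert/file path/to/key/file <hostname> <min_days>

# 0 if the certificate at $1 is X.509 v3 (the only version that carries extensions).
cert_is_v3() {
  openssl x509 -in "$1" -noout -text | grep -q 'Version: 3'
}

# 0 if the Subject Alternative Name of $1 lists DNS name $2.
# Clients match the hostname against the SAN, not the Common Name.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$2(,|[[:space:]]|$)"
}

# 0 if the private key in $2 belongs to the certificate in $1
# (compares the public key embedded in each).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 if $1 is still valid $2 days from now, so renewal is not already due.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all checks; report the first failure on stderr and return non-zero.
check_tls_pair() {
  cert=$1; key=$2; host=$3; min_days=$4
  cert_is_v3 "$cert"              || { echo "FAIL: $cert is not X.509 v3" >&2; return 1; }
  cert_has_san "$cert" "$host"    || { echo "FAIL: SAN does not list $host" >&2; return 1; }
  key_matches_cert "$cert" "$key" || { echo "FAIL: key does not match certificate" >&2; return 1; }
  cert_valid_for_days "$cert" "$min_days" \
    || { echo "FAIL: certificate expires within $min_days days" >&2; return 1; }
  echo "OK: $cert and $key are usable for $host"
}

# When run as a script with four arguments, perform the check.
if [ "$#" -eq 4 ]; then check_tls_pair "$@"; fi
```

The same checks apply to the MongoDB and RabbitMQ certificates described later, once the PEM files have been extracted from their Kubernetes Secrets.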

Before running helm upgrade, set the following values in your keysafe5-istio-values.yaml:

  • httpsEnabled=true

  • tls.existingSecret=keysafe5-server-credential (or the name you used when creating the Kubernetes Secret containing your certificate/private key)

$ helm upgrade --install keysafe5-istio \
  --namespace=nshieldkeysafe5 \
  --values keysafe5-istio-values.yaml \
  --wait --timeout 1m \
  helm-charts/nshield-keysafe5-istio-1.1.1.tgz

Internal Certificates

The Manual Install steps and deploy.sh script install Keysafe 5 using TLS for the communications between the central platform and MongoDB/RabbitMQ.

You can refresh these internal certificates by running the updateinternalcerts.sh script, specifying the number of days the new certificates will be valid for.

The updateinternalcerts.sh script must be run from a directory containing the Keysafe 5 Helm charts (for example, from the root directory of the untarred Keysafe 5 package).

If an error occurs during the certificate update, you can restore the previous setup by rolling back the Helm chart installations to a previous release; see Helm Chart Upgrade in the Upgrade section of the Installation Guide.

MongoDB TLS Certificates

The Manual Install steps and deploy.sh script install the Bitnami MongoDB Helm chart with TLS enabled for the connections between Keysafe 5 and the MongoDB server, and with TLS client certificates also used for authentication. These certificates will initially be valid for 30 days from the time the process was run.

You can refresh the MongoDB certificates by running the updateinternalcerts.sh script, specifying the number of days the new certificates will be valid for.

$ updateinternalcerts.sh mongodb 365

This script will:

  • Generate the new TLS certificates

  • Update the MongoDB helm chart to use the new certificates

  • Update the keysafe5-backend helm chart to use the new certificates

RabbitMQ

The Manual Install steps and deploy.sh script install the Bitnami RabbitMQ Helm chart with TLS enabled.

You can refresh the RabbitMQ certificates by running the updateinternalcerts.sh script, specifying the number of days the new certificates will be valid for.

$ updateinternalcerts.sh rabbitmq 365

This script will:

  • Generate the new TLS certificates

  • Update the RabbitMQ helm chart to use the new certificates

  • Update the keysafe5-backend helm chart to use the new certificates

  • Output a new agent-config.tar.gz that contains the agent configuration file and TLS certificates for authentication to RabbitMQ

On each client machine with a Keysafe 5 agent installed, you will need to extract the updated configuration and restart the agent so that the new configuration is applied.

$ sudo tar xf agent-config.tar.gz -C /opt/nfast/keysafe5/
$ /opt/nfast/scripts/init.d/keysafe5-agent restart

Authentication

If you chose to install the demo deployment without authentication, you should enable authentication for access to the Keysafe 5 REST API and User Interface.

For details on how to configure authentication for the Keysafe 5 REST APIs, see Helm Chart Installation: helm-keysafe5-istio authentication in the Installation Guide.

To update the keysafe5-istio Helm chart installed by the demo deployment, set the following values in keysafe5-istio-values.yaml.

  • requireAuthn=true

  • issuer[0].authIssuer="https://foobar.auth0.com"

  • issuer[0].authJWKsURI="https://www.googleapis.com/oauth2/v1/certs"

  • issuer[0].authAudiences[0]="https://keysafe5.location"

Then run helm upgrade.

$ helm upgrade --install keysafe5-istio \
  --namespace=nshieldkeysafe5 \
  --values keysafe5-istio-values.yaml \
  --wait --timeout 1m \
  helm-charts/nshield-keysafe5-istio-1.1.1.tgz

To update the keysafe5-ui Helm chart installed by the demo deployment, set the following values in keysafe5-ui-values.yaml:

  • authMethod=oidc

Untar the chart and copy your OIDC provider config file (OIDCProviders.json) into the config directory:

$ tar -xf helm-charts/nshield-keysafe5-ui-1.1.1.tgz -C helm-charts
$ cp my-oidc-provider-config.json helm-charts/nshield-keysafe5-ui/config/OIDCProviders.json

For more details on how to populate OIDCProviders.json and how to configure authentication for the Keysafe 5 User Interface, see Helm Chart Installation: Configure UI authentication in the Installation Guide.

Then run helm upgrade:

$ helm upgrade --install keysafe5-ui \
  --namespace=nshieldkeysafe5 \
  --values keysafe5-ui-values.yaml \
  --wait --timeout 3m \
  helm-charts/nshield-keysafe5-ui

K3s

If you are not using your own Kubernetes cluster, the deploy.sh script will create one using K3s. To harden this K3s install, follow the official K3s Hardening Guide.

The deploy.sh script installs K3s with traefik and metrics-server explicitly disabled.