Skip to content

Secure the PLOSSYS 5 Services

For security reasons, we strongly recommend configuring the TLS encryption and regenerating the client secret in the OIDC identity provider.

Configure the TLS Encryption

  1. For securing the connections between the services on the server, the certificate has to contain localhost for self-signed certificates and the Consul-specific server name (for example, <hostname>.node.dc1.consul) for any certificate, see the Requirement.

  2. After the Secure PLOSSYS Administrator step, the certificate files are already located in /opt/seal/etc/tls. You have to specify the directory only:

    • TLS_DIR Directory for storing the files necessary for secure transfer within the PLOSSYS 5 services.

    Example - setting key via PLOSSYS CLI

    plossys config set TLS_DIR "/opt/seal/etc/tls" --insecure

!!! hint "Hint - min TLS version"

    To set the minimum TLS protocol version to be used between services, use the [`TLS_MIN_VERSION`](../../reference/keys/service_keys.md#tls_min_version).
  1. Restart PLOSSYS 5.

Configure the TLS Encryption in a Cluster

If you are running PLOSSYS 5 in a cluster, execute the configuration steps above on all PLOSSYS 5 servers.

Regenerate the Client Secret in the OIDC Identity Provider

  1. In the OIDC identity provider, regenerate the secret for the seal-plossys-cli client, refer to the SEAL Interfaces for OIDC documentation.

  2. For the PLOSSYS CLI call, specify the regenerated client secret in the following Linux environment variable:

    • AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossycli client.

Next Step

Continue with: Secure Consul

Back to top