Enable TLS Secured Communication
Danger: This feature is not fully released yet! We strongly recommend testing this feature in testing environments and not deploying it to production environments yet.
Currently Supported Data Services
- a9s Messaging
- a9s PostgreSQL
- a9s Redis
- a9s LogMe
- a9s MongoDB
- a9s MariaDB
- a9s PG (postgresql-backup-endpoint only)
New Data Services
We have created Ops-files that insert all required BOSH properties and TLS certificates into the respective data service deployment manifest.
To switch the manifest from plain-text (HTTP) requests to TLS-secured ones (HTTPS), you only need to apply the Ops-file when deploying the Data Service.
The default duration for the TLS certificates is 365 days. If you don't want to rotate the certificates every 365 days, you can increase the duration in the Ops-files.
Example:
# a9s Messaging
bosh deploy rabbitmq-service/rabbitmq-service.yml -o ops/tls_configurations/a9s-messaging/add_certificates_and_properties.yml
# a9s PostgreSQL
bosh deploy postgresql-service/postgresql-service.yml -o ops/tls_configurations/a9s-postgresql/add_certificates_and_properties.yml
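Because the certificates generated by the Ops-files expire after 365 days by default, it is worth checking how much validity a deployed certificate has left before the rotation deadline arrives. The following shell functions are an added example and are not part of the a9s documentation or the anynines-deployment repository; they assume `openssl` is on the PATH and take the PEM certificate path and the warning window (in days) as inputs.

```shell
#!/bin/sh
# Added example (not from the a9s docs): report the remaining validity of a
# PEM certificate and flag it when it falls inside a rotation window.
# Assumes `openssl` is installed; the certificate path is supplied by the caller.

# Print the number of whole days until the certificate in $1 expires.
cert_days_left() {
  cert="$1"
  # openssl prints e.g. "notAfter=Apr  9 12:34:56 2026 GMT"; strip the prefix.
  end_date=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
  # Convert to epoch seconds. GNU date accepts the string directly; BSD/macOS
  # date needs an explicit format, so try both.
  end_epoch=$(date -u -d "$end_date" +%s 2>/dev/null \
    || date -u -j -f "%b %e %T %Y %Z" "$end_date" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 (true) when the certificate in $1 expires within $2 days and
# therefore needs to be rotated, 1 otherwise.
# `openssl x509 -checkend N` exits 0 if the certificate is still valid N
# seconds from now and 1 if it will have expired, so the result is negated.
cert_needs_rotation() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage (uncomment to run against a certificate extracted from a deployment):
# cert_days_left /path/to/server-cert.pem
# cert_needs_rotation /path/to/server-cert.pem 30 && echo "rotate soon"
```

A typical use is to extract the certificate from the deployed data service (for example with `bosh interpolate` on the manifest or from the service endpoint) and run `cert_needs_rotation` with a window that gives the operators enough lead time to redeploy.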
Existing Data Services
If you already have existing Data Services, you can simply apply the corresponding Ops-file as described above. Keep in mind, however, that this Ops-file overwrites specific BOSH properties with placeholders.
In this case, you must deploy the new Data Service manifest with the parameter -l. This parameter enables you to provide the IaaS config (anynines-deployment/config/iaas-config.yml.example):
bosh -d [Deployment_Name] deploy [Deployment_Manifest] -l [Path_to_IaaS_config] --no-redact
Please refer to the configuration for further instructions.