As of version 22.1, BSUS will use TLS (Transport Layer Security) 1.2 encryption when communicating with BDDS servers and optionally between BSUS docker containers. These communications require the use of security certificates. They also require an additional port (10046) to be opened between BSUS and the BDDS servers it manages.
BSUS will always attempt to use encrypted communications with the BDDS servers it manages. If encrypted communications fail, it will fall back to unencrypted communication.
By default, BSUS will also use TLS 1.2 encryption when communicating between BSUS docker containers. You can change this by setting USE_TLS in the .env file to false. (This setting does not affect communications between BSUS and BDDS servers, which will always attempt to use encrypted communications if possible.)
Tip: If you don't set up a customized set of .pem, .crt, and .key files, BSUS will use a built-in set of certificates.
For more details on the .env file, see Installing BlueCat Server Update Services.
- Prepare the following six certificate files based on the CA (certification authority) certificate and the server certificate. Generate the certificates using your organization's standard security practices:
  cacertfile.pem: The CA (certification authority) certificate as a PEM file.
  certfile.pem: The server certificate as a PEM file.
  keyfile.pem: The server key as a PEM file.
  ca.crt: The CA (certificate authority) certificate as a CRT file.
  certfile.crt: The server certificate as a CRT file.
  keyfile.key: The server key as a KEY file.
- Locate the certificates folder on the main BSUS container:
  - On the docker container with BSUS, identify the volume with the certificates. Typically, this volume will be named <directory name>_certs. For example, by default, the directory name within the docker-compose.yml file is dist. As such, the certificates folder you're looking for is typically named dist_certs.
  - Inspect the certificates volume (use the docker inspect command, such as docker inspect dist_certs). Locate the value of the host system's mount point, identified with the "Mountpoint" parameter. This will be another directory on your system, where certificates should be stored. For example:

    [
        {
            "CreatedAt": "2022-03-08T10:10:27-05:00",
            "Driver": "local",
            "Labels": {
                "com.docker.compose.project": "dist",
                "com.docker.compose.version": "1.27.4",
                "com.docker.compose.volume": "certs"
            },
            "Mountpoint": "/var/lib/docker/volumes/dist_certs/_data",
            "Name": "dist_certs",
            "Options": null,
            "Scope": "local"
        }
    ]
- Navigate to the certificates folder that you identified and upload your six certificate files into that directory.
  Note: You might require root access to work with this directory.
- Make sure that port 10046 is open for encrypted communications between BSUS and BDDS servers. For more details, see Port requirements.
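As an added check that is not part of the BlueCat documentation, the following POSIX shell script ties the steps above together: it resolves the certificates volume to its host mount point, confirms that all six files are present, and verifies that the server certificate chains to the CA and matches the private key, so that a bad certificate set is caught before BSUS quietly falls back to unencrypted BDDS traffic. It assumes the default volume name dist_certs and that docker and openssl are installed on the host; the file names are the ones listed above.

```shell
#!/bin/sh
# Added example, not BlueCat's code. Assumes the compose project is named "dist"
# (so the volume is dist_certs, as in the docs) and that docker and openssl are
# on PATH. Run as: sh check_bsus_certs.sh dist_certs
set -eu

# The six files BSUS expects in its certificates volume.
REQUIRED_FILES="cacertfile.pem certfile.pem keyfile.pem ca.crt certfile.crt keyfile.key"

# Resolve a named docker volume to its host path (the "Mountpoint" field that
# docker inspect prints), so the JSON does not have to be read by hand.
certs_mountpoint() {
    docker volume inspect --format '{{ .Mountpoint }}' "$1"
}

# Return 0 if all six files are present in the directory, 1 if any is missing.
check_files_present() {
    dir="$1"; missing=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Return 0 if certfile.pem chains to cacertfile.pem and keyfile.pem is the
# private key for certfile.pem. A mismatch here makes the TLS handshake fail,
# which is exactly the case where BSUS falls back to unencrypted communication.
check_cert_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/cacertfile.pem" "$dir/certfile.pem" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$dir/certfile.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/keyfile.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

main() {
    dir=$(certs_mountpoint "$1")
    echo "volume $1 is mounted at $dir (root access may be needed to read it)"
    check_files_present "$dir"
    check_cert_chain "$dir"
    echo "OK: all six files present; CA, certificate and key are consistent"
}

# Only run the checks when a volume name is given on the command line.
if [ "$#" -gt 0 ]; then main "$1"; fi
```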