Configuring BSUS for TLS encryption - Adaptive Applications - BlueCat Gateway - 23.1

BlueCat Server Update Services Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 23.1

As of version 22.1, BSUS will use TLS (Transport Layer Security) 1.2 encryption when communicating with BDDS servers and optionally between BSUS docker containers. These communications require the use of security certificates. They also require an additional port (10046) to be opened between BSUS and the BDDS servers it manages.

  • BSUS will always attempt to use encrypted communications with the BDDS servers it manages. If encrypted communications fail, it will fall back to unencrypted communication.

  • By default, BSUS will also use TLS 1.2 encryption when communicating between BSUS docker containers. You can change this by setting USE_TLS in the .env file to false. (This setting does not affect communications between BSUS and BDDS servers, which will always attempt to use encrypted communications if possible.)

    Tip: If you don't set up a customized set of .pem, .crt, and .key files, BSUS will use a built-in set of certificates.

    For more details on the .env file, see Installing BlueCat Server Update Services.

To set up customized certificates for BSUS to use for TLS 1.2 encryption:
  1. Prepare the following six certificate files based on the CA (certification authority) certificate and the server certificate. Generate the certificates using your organization's standard security practices:
    • cacertfile.pem: The CA (certification authority) certificate as a PEM file.
    • certfile.pem: The server certificate as a PEM file.
    • keyfile.pem: The server key as a PEM file.
    • ca.crt: The CA (certificate authority) certificate as a CRT file.
    • certfile.crt: The server certificate as a CRT file.
    • keyfile.key: The server key as a KEY file.
  2. Locate the certificates folder on the main BSUS container:
    1. On the docker container with BSUS, identify the volume with the certificates. Typically, this volume will be named <directory name>_certs.

      For example, by default, the directory name within the docker-compose.yml file is dist. As such, the certificates folder you're looking for is typically named dist_certs.

    2. Inspect the certificates volume (use the docker inspect command, such as docker inspect dist_certs). Locate the value of the host system's mount point, identified with the "Mountpoint" parameter. This will be another directory on your system, where certificates should be stored. For example:
      [
          {
              "CreatedAt": "2022-03-08T10:10:27-05:00",
              "Driver": "local",
              "Labels": {
                  "com.docker.compose.project": "dist",
                  "com.docker.compose.version": "1.27.4",
                  "com.docker.compose.volume": "certs"
              },
              "Mountpoint": "/var/lib/docker/volumes/dist_certs/_data",
              "Name": "dist_certs",
              "Options": null,
              "Scope": "local"
          }
      ] 
  3. Navigate to the certificates folder that you identified and upload your six certificate files into that directory.

    Note: You might require root access to work with this directory.
  4. Make sure that port 10046 is open for encrypted communications between BSUS and BDDS servers.

    For more details, see Port requirements.
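The procedure above, carried out as an added shell example that is not BlueCat's own tooling: it checks that all six files are staged, verifies (when openssl is present) that the server certificate chains to the CA and matches its key, reads the volume's Mountpoint from docker's JSON, and copies the files in. The staging directory and the volume name (default dist_certs, as in the docker-compose.yml example) are assumptions passed on the command line.

```shell
#!/bin/sh
# Added example, not BlueCat's own tooling. Staging directory and volume name
# (default dist_certs) are assumptions supplied as arguments.
REQUIRED_FILES="cacertfile.pem certfile.pem keyfile.pem ca.crt certfile.crt keyfile.key"

# Pull the host "Mountpoint" out of `docker volume inspect` JSON read from stdin.
mountpoint_from_inspect() {
    sed -n 's/.*"Mountpoint": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only if all six files exist in $1; names any that are missing.
check_required_files() {
    dir=$1; missing=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2; missing=1
        fi
    done
    return $missing
}

# When openssl is available, confirm the server cert chains to the CA and that
# the PEM private key belongs to it, so a mismatched set is never installed.
verify_with_openssl() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping checks" >&2; return 0; }
    openssl verify -CAfile "$dir/cacertfile.pem" "$dir/certfile.pem" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$dir/certfile.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/keyfile.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy the verified files into the volume's mount point and keep the keys private.
install_certs() {
    stage=$1; volume=${2:-dist_certs}
    check_required_files "$stage" || return 1
    verify_with_openssl "$stage" || { echo "certificate verification failed" >&2; return 1; }
    target=$(docker volume inspect "$volume" | mountpoint_from_inspect)
    [ -n "$target" ] || { echo "no Mountpoint found for volume $volume" >&2; return 1; }
    for f in $REQUIRED_FILES; do
        cp "$stage/$f" "$target/$f" || return 1
    done
    chmod 600 "$target/keyfile.pem" "$target/keyfile.key"
    echo "installed certificates into $target"
}

if [ "$#" -ge 1 ]; then install_certs "$@"; fi
```

Run it as root (the volume directory usually requires it) with the staging directory and, if it differs from dist_certs, the volume name: `sh install_bsus_certs.sh /path/to/staged-certs dist_certs`.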