Securing the server communication to the object storage

Background

Some configurations require using an encrypted HTTPS connection to the object storage. In such cases, it is recommended to enable the trust between the agent, the server, and the object storage to increase both the security and the performance of the connectivity.

How to

When working with a cloud object storage such as Amazon S3, Google, Microsoft Azure, etc., your server may already be configured to trust the provider's public CA. In that case, skip to step 5.

If you are working with an on-premises storage device, it is assumed that the target object storage certificate was already signed by the organizational certificate authority (CA), and that this CA needs to be added to the server's trusted certificate authorities file.

Follow these steps:

1) Upload the organizational CA cert file to the management server in PEM format.

2) Copy the default trust store out of the container using this command:

docker cp model9-v2.x.x:/opt/java/openjdk/lib/security/cacerts $MODEL9_HOME/keys/cacerts

3) Import the storage certificate into the trust store as a trusted certificate.

keytool -import -trustcacerts -keystore /data/model9/keys/cacerts -storepass changeit -noprompt -alias rootCA -file '/path/root CA file'

If keytool asks 'Trust this certificate?', answer 'YES'.

4) Add this line to the model9.env file:

CATALINA_OPTS="-Djavax.net.ssl.trustStore=/model9/keys/cacerts"

5) Add this to the model9-local.yml file:

model9.objstore.endpoint.no.verify.ssl:false

6) Stop and remove the container:

docker stop model9.v2.x.x

docker rm model9.v2.x.x

7) Start the container using the docker run command located in the Installing the Model9 Management Server section.
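As an added check, not part of the Model9 documentation or product, the following Python script validates the settings the steps above produce: the trust store path set in CATALINA_OPTS, the no.verify.ssl flag in model9-local.yml (which must be false for certificate verification to be active), and that the copied cacerts file has a JKS or PKCS#12 header. The file contents below are constructed samples.

```python
"""Pre-flight check of the Model9 object storage trust configuration (added example)."""
import re

# Constructed sample file contents mirroring steps 4 and 5 above.
SAMPLE_ENV = 'CATALINA_OPTS="-Djavax.net.ssl.trustStore=/model9/keys/cacerts"\n'
SAMPLE_YML = "model9.objstore.endpoint.no.verify.ssl:false\n"

JKS_MAGIC = b"\xfe\xed\xfe\xed"     # header of a Java KeyStore (JKS) file
PKCS12_PREFIX = b"\x30\x82"         # DER SEQUENCE, long-form length (PKCS#12)
NO_VERIFY_KEY = "model9.objstore.endpoint.no.verify.ssl"


def truststore_path_from_env(env_text):
    """Return the -Djavax.net.ssl.trustStore value from CATALINA_OPTS, or None."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line.startswith("CATALINA_OPTS="):
            continue
        m = re.search(r'-Djavax\.net\.ssl\.trustStore=([^\s"\']+)', line)
        if m:
            return m.group(1)
    return None


def ssl_verification_enabled(yml_text):
    """True only if no.verify.ssl is explicitly set to false (double negative)."""
    for line in yml_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == NO_VERIFY_KEY:
            return value.strip().lower() == "false"
    return False  # key absent: do not assume verification is on


def looks_like_keystore(data):
    """Cheap sanity check that the copied cacerts file is JKS or PKCS#12."""
    return data.startswith(JKS_MAGIC) or data.startswith(PKCS12_PREFIX)


def check_config(env_text, yml_text, keystore_bytes=None):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    if truststore_path_from_env(env_text) is None:
        findings.append("CATALINA_OPTS does not set -Djavax.net.ssl.trustStore")
    if not ssl_verification_enabled(yml_text):
        findings.append(NO_VERIFY_KEY + " is not explicitly false: verification may be off")
    if keystore_bytes is not None and not looks_like_keystore(keystore_bytes):
        findings.append("trust store file does not look like a JKS/PKCS#12 keystore")
    return findings
```

On a real server, read model9.env, model9-local.yml and $MODEL9_HOME/keys/cacerts from disk and pass their contents to check_config.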
