A handy feature of the ACE Integration Server is the ability to force all the flows running on the Integration Server to be exposed as HTTPS (SSL) flows. This lets you be sure that you are not exposing any unencrypted HTTP public endpoints from your service.

To achieve this you need to set spec.forceFlowHTTPS.enabled = true and set spec.forceFlowHTTPS.secretName to a kube secret which contains the private key (tls.key) and certificate (tls.crt) you want to use. You also need to be using operand 12.0.1.0-r4 or later.
Example of forceFlowHTTPS settings
There are several methods you can use to create your tls.key and tls.crt; here is an example of creating a self-signed SSL certificate using OpenSSL.
Generate a private key
$ openssl genrsa -out tls.key 2048
Create a self-signed certificate, valid for 365 days.
$ openssl req -x509 \
-new -nodes \
-days 365 \
-key tls.key \
-out tls.crt \
-subj "/CN=yourdomain.com"
Once the tls.key and tls.crt are created you can create the kube secret using the following command.
$ kubectl create secret tls my-tls-secret \
--key tls.key \
--cert tls.crt
secret "my-tls-secret" created
Alternatively, you can create the secret directly on your Red Hat OpenShift system by creating a Key/value secret...
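The key and certificate generation and the secret creation above, as an added example that is not code from the original post or from IBM: it wraps the openssl steps in a function, checks that tls.key and tls.crt actually pair before they go into the secret, and renders the kubernetes.io/tls Secret (what kubectl create secret tls produces) together with the forceFlowHTTPS fragment for the IntegrationServer CR. It assumes openssl and base64 are on PATH; the secret name and CN are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. It wraps the post's openssl
# steps in a function, checks that tls.key and tls.crt really pair before they
# go into the secret, and renders the kubernetes.io/tls Secret (what
# `kubectl create secret tls` creates) plus the forceFlowHTTPS fragment for the
# IntegrationServer CR. Assumes openssl and base64 on PATH; names are placeholders.

# Generate a 2048-bit RSA key and a 365-day self-signed cert into dir $1 for CN $2
gen_tls() {
  openssl genrsa -out "$1/tls.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -days 365 -key "$1/tls.key" \
    -out "$1/tls.crt" -subj "/CN=$2"
}

# Succeed only when the public key in the cert ($2) belongs to the key ($1);
# a mismatched pair is the usual reason the generated keystore cannot be used.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
  e=$(openssl sha256 < /dev/null)   # digest of empty input = a command failed
  [ "$k" != "$e" ] && [ "$k" = "$c" ]
}

# Succeed when the cert ($1) stays valid for at least $2 more days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Render the Secret manifest; the data keys must be exactly tls.key and tls.crt,
# which is what the operator reads from the secret named in the CR.
tls_secret_manifest() {  # $1 = secret name, $2 = key file, $3 = cert file
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\n' "$1"
  printf 'data:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$(base64 < "$3" | tr -d '\n')" "$(base64 < "$2" | tr -d '\n')"
}

# Render the IntegrationServer spec fragment that turns forceFlowHTTPS on
force_https_fragment() {  # $1 = secret name
  printf 'spec:\n  forceFlowHTTPS:\n    enabled: true\n    secretName: %s\n' "$1"
}

# Demo: build the pair in a temp dir, validate it, then print both manifests
demo() {
  d=$(mktemp -d)
  gen_tls "$d" yourdomain.com
  key_matches_cert "$d/tls.key" "$d/tls.crt" && cert_valid_for_days "$d/tls.crt" 30 ||
    { echo "tls.key/tls.crt are not a usable pair" >&2; return 1; }
  tls_secret_manifest my-tls-secret "$d/tls.key" "$d/tls.crt"
  force_https_fragment my-tls-secret
}
```

Running demo prints a manifest you can apply with kubectl apply -f instead of the kubectl create secret tls command; the validation functions are also useful to re-run before rotating tls.key and tls.crt in an existing secret.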

The secret you have created and then specified in your Integration Server Custom Resource will be mounted by your Integration Server, and the tls.key and tls.crt in the secret will then be used to create a password-encrypted https-keystore.p12 for you. Your server.conf.yaml will also be updated to have the correct HTTPSConnector entries, as shown below.

During the Integration Server startup you can see the configuration of the HTTPSConnector as well as the watch being set up so that, if you change your tls.key and tls.crt, the new certs will be picked up and used without the need to restart your Integration Server pod. One message will use the previous https-keystore.p12; the keystore is then dynamically recreated and the next message through will use the newly minted https-keystore.p12.

Your API traffic will now only be exposed on an HTTPS route and on port 7843 from your Integration Server container.
ACE Certified Container Integration Server Reference: https://www.ibm.com/docs/en/app-connect/containers_cd?topic=resources-integration-server-reference
ACEv12 HTTPS Flow configuration: https://www.ibm.com/docs/en/app-connect/12.0?topic=ssl-configuring-httpinput-httpreply-nodes-use-https
Working with HTTP flows: https://www.ibm.com/docs/en/app-connect/12.0?topic=messages-working-http-flows