
Secure the SEAL Operator Services


For security reasons, SEAL Systems strongly recommends configuring TLS encryption. This is also one step towards getting rid of the annoying certificate warnings in the browser.


Configure the TLS Encryption

  1. Get a TLS certificate in PEM format, see the Requirement.

  2. Replace the following file containing the private key:

    /opt/seal/etc/tls/key.pem
    
  3. Replace the following file containing the public certificate:

    /opt/seal/etc/tls/cert.pem
    
  4. Configure the path to the directory containing the certificate files.

    env:
      service:
        any:
          tag:
            any:
              TLS_DIR: '/opt/seal/etc/tls'
    
  5. If self-signed certificates are used, the following key has to be set to 0:

    env:
      service:
        any:
          tag:
            any:
              NODE_TLS_REJECT_UNAUTHORIZED: '0'
    

    Caution - security gap

    Setting NODE_TLS_REJECT_UNAUTHORIZED to 0 in a production system is a serious security gap! Only use it for test purposes!

    Hint - certificate

    Unless NODE_TLS_REJECT_UNAUTHORIZED is set to 0 (it is not when the key is not specified at all), the certificate has to contain the correct IP address or hostname, since the address the client connects to is checked against the certificate during verification.

  6. Restart SEAL Operator
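Before restarting, it is worth checking that the files from steps 2 and 3 belong together and that the certificate covers the hostname or IP address clients use, so that NODE_TLS_REJECT_UNAUTHORIZED=0 is never needed outside a test system. The following preflight script is an added example, not part of the SEAL documentation; it assumes openssl is on PATH and that the directory layout is the one described above (key.pem and cert.pem in TLS_DIR).

```shell
#!/bin/sh
# Preflight check for the SEAL Operator TLS directory (added example, not SEAL tooling).
# Usage: ./check_tls.sh /opt/seal/etc/tls operator.example.com
set -eu

# check_tls_dir DIR HOST
# Returns 0 when DIR/cert.pem and DIR/key.pem are consistent, the certificate
# is not expired, and HOST (a DNS name or an IPv4 address) is covered by it.
check_tls_dir() {
  dir=$1
  host=$2
  cert="$dir/cert.pem"
  key="$dir/key.pem"
  [ -r "$cert" ] || { echo "missing or unreadable $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "missing or unreadable $key" >&2; return 1; }

  # The private key must belong to the certificate: compare the public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key.pem does not match cert.pem" >&2; return 1; }

  # The certificate must still be valid (-checkend 0 fails if already expired).
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "cert.pem has expired" >&2; return 1; }

  # HOST must appear in the certificate (SAN or CN), otherwise Node's
  # verification fails and the documented fallback would be needed.
  # Dotted quads are checked as IP addresses, everything else as a hostname.
  case $host in
    *[!0-9.]*) result=$(openssl x509 -in "$cert" -noout -checkhost "$host") ;;
    *)         result=$(openssl x509 -in "$cert" -noout -checkip "$host") ;;
  esac
  case $result in
    *"does match"*) ;;
    *) echo "cert.pem does not cover $host: $result" >&2; return 1 ;;
  esac

  echo "$dir: cert.pem and key.pem are consistent and cover $host"
  return 0
}

# Run the check only when called with a directory and a host.
if [ $# -eq 2 ]; then
  check_tls_dir "$1" "$2"
fi
```

Run it once per address that clients actually use (hostname and IP if both are used); a non-zero exit means the certificate from step 1 needs to be reissued rather than the check disabled.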


Specify a CA Certificate (Unnecessary in Most Cases)

If a CA certificate has been specified, the SEAL Operator services require a client certificate from each client, that is, from all other SEAL Operator services and from the Web browser. Each of these client certificates would need the appropriate properties, which is a considerable effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.

For the rare cases where it is needed, this is how you configure a CA certificate for the SEAL Operator Services:

  1. Save the CA certificate to the following file:

    /opt/seal/etc/tls/ca.pem
    

Next Step

Continue with: Secure Consul

