Skip to content

Secure the SEAL Operator Services


For security reasons, SEAL Systems strongly recommends to use TLS encryption. This is also helps to avoid certificate warnings in the browser.


Configure the TLS Encryption

  1. Get a TLS certificate in PEM format, as written in the Requirements.

  2. Replace the following file containing the private key:

    /opt/seal/etc/tls/key.pem
    
  3. Replace the following file containing the public certificate:

    /opt/seal/etc/tls/cert.pem
    
  4. Set the paths for the directories containing the certificate files.

    • TLS_DIR: directory containing the certificate files necessary for the secure transfer within SEAL Operator

    • TLS_EXTERNAL_DIR: directory containing the external certificate files necessary for the services handling external requests

    env:
      service:
        any:
          tag:
            any:
              TLS_DIR: '/opt/seal/etc/tls'
              TLS_EXTERNAL_DIR: '/opt/seal/etc/external_tls'
    

    Hint - no trailing slash

    Make sure the path doesn't end with a slash.

    Hint - tls certificate fallback chain

    TLS_EXTERNAL_DIR -> TLS_DIR -> built-in certificates

  5. If self-signed certificates are used, NODE_TLS_REJECT_UNAUTHORIZED has to be set to 0:

    env:
      service:
        any:
          tag:
            any:
              NODE_TLS_REJECT_UNAUTHORIZED: '0'
    

    Caution - security gap

    Setting NODE_TLS_REJECT_UNAUTHORIZED to 0 in a productive system is a serious security gap! Only use it for test purposes!

    Hint - certificate

    Unless NODE_TLS_REJECT_UNAUTHORIZED is set to 0 or specified at all, the certificate has to contain the correct IP address or hostname since this is used for the authorization check.

  6. Restart SEAL Operator.

    operator service start
    

Specify a CA Certificate (Unnecessary in Most Cases)

If a CA certificate has been specified, the SEAL Operator services require a client certificate from each client. That means from all other SEAL Operator services and the web browser. It requires corresponding properties of the certificate and is a high effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.

For the rare other cases, the CA certificate for the SEAL Operator services needs to be saved to the following file:

/opt/seal/etc/tls/ca.pem

Next Step

Continue with: Secure Consul


Back to top