Versions Compared

Old Version 3

changes.mady.by.user Daniel Colon

Saved on

compared with

New Version Current

changes.mady.by.user Daniel Colon

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated steps 9 & 14 per Guven
Image RemovedImage Added

📙 You will learn

How to add custom root certificates to the Authorization service.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: kubectl, Helm

If ThreadFix is set up to authenticate to an external service over TLS, users may need to import the server's certificate into the ThreadFix Authorization’s Java Keystore. Otherwise the following error may be received:

...SunCertPathBuilderException: unable to find valid certification path to requested target

Obtain Certificate

There are multiple ways to obtain the certificate, the following covers using Chrome, OpenSSL, and Root Certificate Authorities:

Using Chrome

  1. Navigate to the site via the Chrome browser.

  2. Right-click within the page and select "Inspect".

  3. Navigate to the Security tab and click the View certificate button.

  4. From the Details tab click the Copy to File button. Note: Mac users may not see a Copy to File button and instead should drag-and-drop the certificate to a desired directory.

  5. Select Base64 and save the .cer file to the desired directory.

More information can be found in the Exporting Certificate Authorities (CAs) from a Website guide.

Using OpenSSL

Use the following command on a headless server:

openssl s_client -connect ${HOST}:${PORT} > certfile

Root Certificate Authorities (CAs)

For some root or intermediate Certificate Authorities (CAs) the steps may vary. For example, on an Active Directory Certificate Services server, the root CA may be found at http://<host-name>/certsrv/certcarc.asp, and users can download the .cer file with the text "Download CA certificate".

Root CAs allow ThreadFix to talk to all sites with certificates pointing to the root CA. If the user’s company has a root CA that all of its internal servers use, that root CA should be imported to the Java Keystore with the steps below. With this ThreadFix shouldn't have a certificate trust issue for any of the user’s servers.

Import Certificate

In the following instructions replace <certificate> with the name of the desired root certificate file.

Enter the following commands on a command line to perform the described action.

  1. Copy the root certificate to the server with kubectl access.

  2. Add the Denim Group Helm repository if not present:

    Code Block
    helm repo add denimgroup https://threadfix-downloads.s3-us-west-2.amazonaws.com/helm/

  3. Get the Helm release name for the ThreadFix instance:

    Code Block
    TF_RELEASE=$(helm ls | grep threadfix | awk '{print $1}')

  4. Get the current installed version of ThreadFix:

    Code Block
    TF_VERSION=$(helm ls --filter "$TF_RELEASE" | grep -o 'threadfix-[Az0-9\.\-]*' | sed 's|threadfix-||g')

  5. Set AppSec pod and deployment env vars for later use:

    Code Block
    TF_APPSEC_POD=$(kubectl get po -l app.kubernetes.io/name=appsec -o jsonpath='{ .items[].metadata.name }')

  6. Set the certfile name:

    Code Block
    CERT_FILE=<certificate>

  7. Validate that the generated parameters are set:

    Code Block
    echo $TF_RELEASE
echo $TF_VERSION
echo $TF_APPSEC_POD
echo $CERT_FILE

  8. Copy the certificate to the appsec pod:

    Code Block
    kubectl cp $CERT_FILE $TF_APPSEC_POD:/usr/local/tomcat/temp/$CERT_FILE

  9. Create a copy of the default cacerts file:

    Code Block
    kubectl exec $TF_APPSEC_POD -- cp /opt/java/openjdk/lib/security/cacerts /usr/local/tomcat/temp/cacerts

  10. Add the certificate to the Java truststore:

    Code Block
    kubectl exec $TF_APPSEC_POD -- keytool --importcert -file /usr/local/tomcat/temp/$CERT_FILE -keystore /usr/local/tomcat/temp/cacerts -storepass changeit -noprompt

  11. Copy the generated cacerts file to the user machine:

    Code Block
    kubectl cp $TF_APPSEC_POD:/usr/local/tomcat/temp/cacerts cacerts

  12. Create a configmap with the copied cacerts file:

    Code Block
    kubectl create configmap tf-auth-cacerts --from-file=cacerts=./cacerts

  13. Create myValues dir if not present:

    Code Block
    mkdir -p myValues

  14. Create a file named 'auth-ca.yaml':

    Code Block
    echo "appsecauth:
  extraVolumes:
    - name: cacerts
      configMap:
        defaultMode: 444
        name: tf-cacerts
  extraVolumeMounts:
    - mountPath: /opt/java/openjdk/lib/security/cacerts
      name: cacerts
      readOnly: true
      subPath: cacerts
appsecimporter:
  extraVolumes:
    - name: cacerts
      configMap:
        defaultMode: 444
        name: tfauth-cacerts
  extraVolumeMounts:
    - mountPath: /opt/java/openjdk/lib/security/cacerts
      name: cacerts
      readOnly: true
      subPath: cacerts" > myValues/root-ca.yaml

  15. Export current Helm values:

    Code Block
    helm get values $TF_RELEASE > currentValues.yaml

  16. Run helm upgrade to apply the new configuration:

    Code Block
    helm upgrade $TF_RELEASE denimgroup/threadfix --version $TF_VERSION -f currentValues.yaml -f myValues/auth-ca.yaml

  17. The appsec pod will automatically restart. The progress can be viewed with:

    Code Block
    kubectl get pods -w

Note: If the appsec and appsecimporter pods do not automatically restart, they can be manually restarted with the following:

Code Block
kubectl rollout restart deploy/${TF_RELEASE}-auth

Table of Contents

Table of Contents