How to add custom root certificates to the Authorization service.
Prerequisites
Audience: IT Professional Difficulty: Intermediate Time needed: Approximately 10 minutes Tools required: kubectl, Helm
If ThreadFix is set up to authenticate to an external service over TLS, users may need to import the server's certificate into the ThreadFix Authorization’s Java Keystore. Otherwise the following error may be received:
...SunCertPathBuilderException: unable to find valid certification path to requested target
Obtain Certificate
There are multiple ways to obtain the certificate, the following covers using Chrome, OpenSSL, and Root Certificate Authorities:
Using Chrome
Navigate to the site via the Chrome browser.
Right-click within the page and select "Inspect".
Navigate to the Security tab and click the View certificate button.
From the Details tab click the Copy to File button. Note: Mac users may not see a Copy to File button and instead should drag-and-drop the certificate to a desired directory.
Select Base64 and save the .cer file to the desired directory.
For some root or intermediate Certificate Authorities (CAs) the steps may vary. For example, on an Active Directory Certificate Services server, the root CA may be found at http://<host-name>/certsrv/certcarc.asp, and users can download the .cer file with the text "Download CA certificate".
Root CAs allow ThreadFix to talk to all sites with certificates pointing to the root CA. If the user’s company has a root CA that all of its internal servers use, that root CA should be imported to the Java Keystore with the steps below. With this ThreadFix shouldn't have a certificate trust issue for any of the user’s servers.
Import Certificate
In the following instructions replace <certificate> with the name of the desired root certificate file.
Enter the following commands on a command line to perform the described action.
Copy the root certificate to the server with kubectl access.
Add the Denim Group Helm repository if not present: