# SSL

{% hint style="info" %}
This is an older version of the document. To view the most recent version of the document, click [here](https://docs.opsmx.com/products/orchestration-module-opsmx-enterprise-for-spinnaker-oes/additional-feature-configuration/secure-spinnaker/authentication/ssl).
{% endhint %}

### SSL Overview <a href="#ssl-overview" id="ssl-overview"></a>

* SSL (Secure Sockets Layer) is a security protocol that encrypts the connections established between a web server and a client (browser).
* This chapter covers how external parties communicate with the Spinnaker instance over SSL, which includes requests between:
  1. Browser and Spinnaker UI (Deck)
  2. Deck and Gate (API gateway)
  3. Client and Gate

### Steps to Generate Self Signed Cert <a href="#steps-to-generate-self-signed-cert" id="steps-to-generate-self-signed-cert"></a>

* A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. In technical terms, a self-signed certificate is one signed with its own private key.
* The instructions in this chapter let you generate a self-signed certificate key and a server certificate using openssl.
* Follow the instructions below to create a self-signed certificate:

  1. Run the command below to create the CA key:

     ```
     openssl genrsa -des3 -out ca.key 4096
     ```
  2. Run the command below to self-sign the certificate:

     ```
     openssl req -new -x509 -days 365 -key ca.key -out ca.crt
     ```

  **Note**: If an external CA certificate is being used, skip to the next section to enable it on Spinnaker.

### Steps to Create Server Certificate <a href="#steps-to-create-server-certificate" id="steps-to-create-server-certificate"></a>

* This section shows how to create a server certificate, sign it with the Certificate Authority, and import both into a Java keystore.

  1. Run the command below to create a server key, and store it securely.

     ```
     openssl genrsa -des3 -out server.key 4096
     ```
  2. Run the command below to generate a certificate signing request for the server. Make sure to specify localhost or the fully qualified domain name of Gate as the Common Name.

     ```
     openssl req -new -key server.key -out server.csr
     ```
  3. Run the command below to have the CA sign the server’s request. If an external CA is being used, the vendor takes care of this step.

     ```
     openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
       -CAcreateserial -out server.crt
     ```
  4. To make the server certificate importable, convert it to JKS.

  **Note**: This creates a p12 keystore file with your certificate imported under the alias “spinnaker” with the key password `$YOUR_KEY_PASSWORD`.

  1. Run the command below to create a JKS file by importing the CA certificate:

     ```
     keytool -keystore keystore.jks -import -trustcacerts -alias ca -file ca.crt
     ```
  2. Run the command below to import the server certificate:

     ```
     keytool -importkeystore \
       -srckeystore server.p12 \
       -srcstoretype pkcs12 \
       -srcalias spinnaker \
       -srcstorepass "$YOUR_KEY_PASSWORD" \
       -destkeystore keystore.jks \
       -deststoretype jks \
       -destalias spinnaker \
       -deststorepass "$YOUR_KEY_PASSWORD" \
       -destkeypass "$YOUR_KEY_PASSWORD"
     ```
* Spinnaker is now ready to use the Java keystore, which contains both the Certificate Authority certificate and the server certificate.
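
The CA, server certificate and p12 steps above can be run without prompts and checked before the files are passed to keytool and Halyard. The script below is an added example, not OpsMx or Spinnaker code; the function names, the subject names, the extra subjectAltName and the `env:YOUR_KEY_PASSWORD` passphrase source are assumptions.

```bash
# Added example; not OpsMx or Spinnaker code. Needs OpenSSL 1.1.1 or later.
# Assumption: the passphrase is exported as YOUR_KEY_PASSWORD and read through
# openssl's env: source, so it never appears in the process list.
# Usage: d=$(mktemp -d); make_certs "$d" gate.example.internal &&
#        check_certs "$d" gate.example.internal
PW=env:YOUR_KEY_PASSWORD

# make_certs DIR FQDN: the CA and server certificate steps, without prompts.
make_certs() (
  cd "$1" || exit 1
  openssl genrsa -des3 -passout "$PW" -out ca.key 4096 &&
  openssl req -new -x509 -days 365 -key ca.key -passin "$PW" \
    -subj "/CN=Constructed Demo CA" -out ca.crt &&
  openssl genrsa -des3 -passout "$PW" -out server.key 4096 &&
  openssl req -new -key server.key -passin "$PW" -subj "/CN=$2" \
    -out server.csr &&
  # Assumption beyond the page: add a subjectAltName, because current
  # browsers and many TLS clients ignore the Common Name.
  printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -passin "$PW" -CAcreateserial -extfile san.ext -out server.crt &&
  # PKCS#12 bundle under the alias "spinnaker", the -srcalias keytool reads.
  openssl pkcs12 -export -in server.crt -inkey server.key -passin "$PW" \
    -name spinnaker -passout "$PW" -out server.p12
)

# check_certs DIR FQDN: prints "ok", or the first failed check (status 1).
check_certs() (
  cd "$1" || exit 1
  openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 ||
    { echo "server.crt does not chain to ca.crt"; exit 1; }
  [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
    "$(openssl pkey -in server.key -passin "$PW" -pubout)" ] ||
    { echo "server.key does not match server.crt"; exit 1; }
  openssl x509 -in server.crt -noout -text | grep -q "DNS:$2" ||
    { echo "no subjectAltName for $2 in server.crt"; exit 1; }
  openssl pkcs12 -in server.p12 -passin "$PW" -nokeys 2>/dev/null |
    grep -q 'friendlyName: spinnaker' ||
    { echo "server.p12 has no entry under alias spinnaker"; exit 1; }
  echo "ok"
)
```

A failed check at this stage is cheaper to diagnose than a Gate that refuses to start after `hal deploy apply`.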

### Steps to Configure SSL for Gate and Deck <a href="#steps-to-configure-ssl-for-gate-and-deck" id="steps-to-configure-ssl-for-gate-and-deck"></a>

* Run the commands below separately to enable SSL for Gate and for Deck. Halyard is used for both.
* For Gate:

  ```
  KEYSTORE_PATH= # /path/to/keystore.jks
  hal config security api ssl edit \
  --key-alias spinnaker \
  --keystore $KEYSTORE_PATH \
  --keystore-password \
  --keystore-type jks \
  --truststore $KEYSTORE_PATH \
  --truststore-password \
  --truststore-type jks
  hal config security api ssl enable
  ```
* For Deck:

  ```
  SERVER_CERT= # /path/to/server.crt
  SERVER_KEY= # /path/to/server.key

  hal config security ui ssl edit \
  --ssl-certificate-file $SERVER_CERT \
  --ssl-certificate-key-file $SERVER_KEY \
  --ssl-certificate-passphrase

  hal config security ui ssl enable
  ```

### Steps to Deploy Spinnaker with SSL <a href="#steps-to-deploy-spinnaker-with-ssl" id="steps-to-deploy-spinnaker-with-ssl"></a>

* Run the command below to deploy Spinnaker with all the SSL settings:

  ```
  hal deploy apply
  ```

### Verify SSL Setup <a href="#verify-ssl-setup" id="verify-ssl-setup"></a>

* To verify the SSL setup, make sure you can access all the Spinnaker endpoints, such as Gate or Deck, over SSL.

### Next Steps <a href="#next-steps" id="next-steps"></a>

* To proceed further, one must choose an authentication method:
  * OAuth 2.0
  * SAML
  * LDAP
  * X.509
