# SSL

{% hint style="info" %}
This is an older version of the document. To view the most recent version of the document, click [here](https://docs.opsmx.com/products/orchestration-module-opsmx-enterprise-for-spinnaker-oes/additional-feature-configuration/secure-spinnaker/authentication/ssl).
{% endhint %}

### SSL Overview <a href="#ssl-overview" id="ssl-overview"></a>

* SSL (Secure Sockets Layer) is a security protocol that encrypts the connection between a web server and the client (browser).
* This chapter covers how external parties communicate with the Spinnaker instance, which includes requests between:
  1. Browser and Spinnaker UI (Deck)
  2. Deck and Gate (API gateway)
  3. Client and Gate

### Steps to Generate Self Signed Cert <a href="#steps-to-generate-self-signed-cert" id="steps-to-generate-self-signed-cert"></a>

* A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. In technical terms, a self-signed certificate is one signed with its own private key.
* The instructions in this chapter use openssl to generate a self-signed certificate key and a server certificate.
* Follow the instructions below to create a self-signed certificate:

  1. Run the following command to create the CA key:

     ```
     openssl genrsa -des3 -out ca.key 4096
     ```
  2. Run the following command to self-sign the certificate:

     ```
     openssl req -new -x509 -days 365 -key ca.key -out ca.crt
     ```

  **Note**: If an external CA certificate is being used, skip to the next section to enable it on Spinnaker.

### Steps to Create Server Certificate <a href="#steps-to-create-server-certificate" id="steps-to-create-server-certificate"></a>

* This section explains how to create a server certificate, have the Certificate Authority sign it, and import it into a keystore.

  1. Run the following command to create a server key, and store it safely.

     ```
     openssl genrsa -des3 -out server.key 4096
     ```
  2. Run the following command to generate a certificate signing request for the server. Make sure to specify localhost or the Fully Qualified Domain Name of Gate as the Common Name.

     ```
     openssl req -new -key server.key -out server.csr
     ```
  3. Run the following command to have the CA sign the server’s request. If an external CA is being used, the vendor takes care of this step.

     ```
     openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
     ```
  4. Convert the server certificate to an importable format (JKS).

  **Note**: This creates a p12 keystore file with your certificate imported under the alias “spinnaker” with the key password `$YOUR_KEY_PASSWORD`.

  1. Run the following command to create a JKS file by importing the CA certificate:

     ```
     keytool -keystore keystore.jks -import -trustcacerts -alias ca -file ca.crt
     ```
  2. Run the following command to import the server certificate:

     ```
     keytool -importkeystore \
       -srckeystore server.p12 \
       -srcstoretype pkcs12 \
       -srcalias spinnaker \
       -srcstorepass "$YOUR_KEY_PASSWORD" \
       -destkeystore keystore.jks \
       -deststoretype jks \
       -destalias spinnaker \
       -deststorepass "$YOUR_KEY_PASSWORD" \
       -destkeypass "$YOUR_KEY_PASSWORD"
     ```
* Spinnaker is now ready to use the Java keystore, which contains the certificate authority certificate and the server certificate.
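
The certificate steps above as one unattended run, followed by checks worth making before the files are handed to Halyard (an added example, not part of the original page or of OpsMx tooling). It also performs the PKCS#12 export under the alias `spinnaker` that the note refers to. The function names, the subject names and the password `demo-pass` are assumptions, and the demo keys are 2048-bit and unencrypted only so that nothing prompts.

```shell
#!/bin/sh
# Added example. All names and the password are constructed for the demo;
# keys are 2048-bit and unencrypted only so the script runs unattended.

# make_demo_pki DIR PASS: the page's openssl steps plus a PKCS#12 export
# under the alias that keytool -importkeystore reads with -srcalias.
make_demo_pki() {
  d=$1
  # Minimal config so the run does not depend on a system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/min.cnf"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
  openssl req -new -x509 -days 365 -config "$d/min.cnf" -extensions v3_ca \
    -key "$d/ca.key" -subj "/CN=Demo Spinnaker CA" -out "$d/ca.crt" &&
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
  openssl req -new -config "$d/min.cnf" -key "$d/server.key" \
    -subj "/CN=localhost" -out "$d/server.csr" &&
  openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null &&
  P12_PASS=$2 openssl pkcs12 -export -in "$d/server.crt" \
    -inkey "$d/server.key" -name spinnaker -passout env:P12_PASS \
    -out "$d/server.p12"
}

# check_tls_material DIR PASS HOST: prints "ok" and returns 0 only if every
# check passes; otherwise prints the name of the first failed check.
check_tls_material() {
  d=$1
  # 1. server.crt must chain to ca.crt, as the truststore will require.
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 ||
    { echo "chain"; return 1; }
  # 2. server.key must be the private half of the key in server.crt.
  [ "$(openssl x509 -in "$d/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$d/server.key" -pubout 2>/dev/null)" ] ||
    { echo "keypair"; return 1; }
  # 3. The certificate name must cover the host clients use to reach Gate.
  openssl x509 -in "$d/server.crt" -noout -checkhost "$3" |
    grep -q "does match" || { echo "hostname"; return 1; }
  # 4. server.p12 must open with PASS and carry the alias "spinnaker".
  P12_PASS=$2 openssl pkcs12 -in "$d/server.p12" -nokeys \
    -passin env:P12_PASS 2>/dev/null |
    grep -q "friendlyName: spinnaker" || { echo "p12-alias"; return 1; }
  echo "ok"
}

# Stand-alone run: build throwaway material and check it.
tmp=$(mktemp -d) && make_demo_pki "$tmp" "demo-pass" &&
  check_tls_material "$tmp" "demo-pass" localhost
rm -rf "$tmp"
```

Passing the password through `env:` rather than `pass:` keeps it out of the process argument list.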

### Steps to Configure SSL for Gate and Deck <a href="#steps-to-configure-ssl-for-gate-and-deck" id="steps-to-configure-ssl-for-gate-and-deck"></a>

* Run the following commands separately to enable SSL for Gate and for Deck. Halyard is used for both.
* For Gate:

  ```
  KEYSTORE_PATH= # /path/to/keystore.jks
  # The password flags are given without a value so that hal prompts for them.
  hal config security api ssl edit \
  --key-alias spinnaker \
  --keystore $KEYSTORE_PATH \
  --keystore-password \
  --keystore-type jks \
  --truststore $KEYSTORE_PATH \
  --truststore-password \
  --truststore-type jks
  hal config security api ssl enable
  ```
* For Deck:

  ```
  SERVER_CERT= # /path/to/server.crt
  SERVER_KEY= # /path/to/server.key

  # The passphrase flag is given without a value so that hal prompts for it.
  hal config security ui ssl edit \
  --ssl-certificate-file $SERVER_CERT \
  --ssl-certificate-key-file $SERVER_KEY \
  --ssl-certificate-passphrase

  hal config security ui ssl enable
  ```

### Steps to Deploy Spinnaker with SSL <a href="#steps-to-deploy-spinnaker-with-ssl" id="steps-to-deploy-spinnaker-with-ssl"></a>

* Run the following command to deploy Spinnaker with all the SSL settings:

  ```
  hal deploy apply
  ```

### Verify SSL Setup <a href="#verify-ssl-setup" id="verify-ssl-setup"></a>

* To verify the SSL setup, access all the Spinnaker endpoints, such as Gate and Deck, over SSL.

### Next Steps <a href="#next-steps" id="next-steps"></a>

* To proceed further, one must choose an authentication method:
  * OAuth 2.0
  * SAML
  * LDAP
  * X.509


