This is an automated email from the ASF dual-hosted git repository.

heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-docs.git


The following commit(s) were added to refs/heads/master by this push:
     new b77638ef add docs for cert configuration
     new 0434a2e8 Merge branch 'certs'
b77638ef is described below

commit b77638ef65e3fabf94219370d39e4812571cef82
Author: Alex Heneveld <[email protected]>
AuthorDate: Fri Jul 29 14:25:31 2022 +0100

    add docs for cert configuration
---
 guide/locations/_clouds.md              | 25 +++++++++++++++++++++++--
 guide/ops/configuration/brooklyn_cfg.md | 19 +++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/guide/locations/_clouds.md b/guide/locations/_clouds.md
index 66655cd8..b0e452e2 100644
--- a/guide/locations/_clouds.md
+++ b/guide/locations/_clouds.md
@@ -146,7 +146,7 @@ For more keys and more detail on the keys below, see
   
 - You can set `useMachinePublicAddressAsPrivateAddress` to true to overwrite 
the VMs private IP with its public IP. This is useful as it can be difficult to 
get VMs communicating via the private IPs they are assigned in some clouds.  
Using this config, blueprints which use private IPs can still be deployed to 
these clouds.
   
-  ###### OS Setup
+###### OS Setup
 
 - `user` and `password` can be used to configure the operating user created on 
cloud-provisioned machines
 
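Review bot: de-indenting `###### OS Setup` is more than cosmetic: the brooklyn_cfg.md change in this same commit links to `/guide/locations#os-setup`, and a `######` line indented under the preceding list item may be rendered as list content rather than a heading, in which case no `os-setup` anchor is generated. Worth checking on the built page that the link resolves to this heading.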
@@ -224,12 +224,33 @@ For more keys and more detail on the keys below, see
   recommended when the VM startup is unusual (for example, if guest 
customizations will cause reboots and/or will 
   change login credentials).
 
-- Use `brooklyn.ssh.config.noDeleteAfterExec: true` to keep scripts on the 
server after execution.
+- Use `noDeleteAfterExec: true` to keep scripts on the server after execution.
   The contents of the scripts and the stdout/stderr of their execution are 
available in the Brooklyn web console,
   but sometimes it can also be useful to have them on the box.
   This setting prevents scripts executed on the VMs from being deleted on 
completion.
   Note that some scripts run periodically so this can eventually fill a disk; 
it should only be used for dev/test. 
 
+- Use `scripts.ignoreCerts: false` to issue `curl` and other download commands 
on-box
+  in such a way that they require valid certificates from the servers they 
connect to
+  (e.g. without the `-k` argument to `curl`, or GPG check for package 
installers);
+  this requires that images or setup configures instances so that they are 
able to validate any `https` sites used to download,
+  and that all such sites have valid certificates.
+
+- Use `sshToolClass: classname` to configure Apache Brooklyn to use a 
particular SSH Tool
+  installed into the system. The default is to use the SSHJ java library which 
is a good choice in most instances.
+  Brooklyn also includes 
`org.apache.brooklyn.util.core.internal.ssh.cli.SshCliTool` which can be used 
to delegate 
+  to the OS `ssh` command instead, which can be useful if SSH activity is 
restricted in the environment where Brooklyn is running.
+  Other tools can also be developed and installed.
+
+Other low level parameters are available in specific contexts, as described in 
the JavaDoc for the relevant classes
+and in some cases in `BrooklynConfigKeys`.
+
+Default values for the above properties can usually be set globally in 
`brooklyn.properties` or `brooklyn.cfg` by prefixing
+them with `brooklyn.ssh.config.`.  For example 
`brooklyn.ssh.config.scripts.ignoreCerts = false` there will cause bash
+commands generated to download files to omit the argument specifying to ignore 
certificates (unless overridden to `true`
+at the machine level).
+
+
 ###### Custom Template Options
 
 jclouds supports many additional options for configuring how a virtual machine 
is created and deployed, many of which
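Review bot: the new `scripts.ignoreCerts` bullet never states the default, yet its wording ("Use `scripts.ignoreCerts: false` to ... require valid certificates", "unless overridden to `true` at the machine level") implies the default is `true`, i.e. `curl -k` and no GPG check for package installers. State the default explicitly and recommend `false` outside dev/test, since with certificate checks skipped an `https` download on the provisioned box is not authenticated at all. Two wording fixes in the same bullet: "images or setup configures instances" should read "images or setup scripts configure instances", and "any `https` sites used to download" reads better as "any `https` sites used for downloads". In the `sshToolClass` bullet, "SSHJ java library" should be "SSHJ Java library".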
diff --git a/guide/ops/configuration/brooklyn_cfg.md 
b/guide/ops/configuration/brooklyn_cfg.md
index 3fd935a3..7b22351e 100644
--- a/guide/ops/configuration/brooklyn_cfg.md
+++ b/guide/ops/configuration/brooklyn_cfg.md
@@ -266,3 +266,22 @@ 
brooklyn.webconsole.security.unauthenticated.endpoints=brooklyn-ui-login
 brooklyn.webconsole.security.login.form=brooklyn-ui-login
 ```
 
+## SSH and Script Defaults
+
+Default values for SSH and script execution behaviour can be set in this file
+using the prefix `brooklyn.ssh.config.`, as described in 
[Locations](/guide/locations#os-setup).
+
+
+## Certificate Validation
+
+Apache Brooklyn can be configured to perform strict validation for HTTPS using 
the following keys:
+
+```
+brooklyn.https.config.trustAll=false
+brooklyn.https.config.laxRedirect=false
+```
+
+This is similar but independent of `brooklyn.ssh.config.scripts.ignoreCerts` 
noted in the previous section.
+If set false, Java must be correctly configured with the appropriate trust 
store in order to connect to HTTPS endpoints.
+
+These can be set globally or on a per-entity / per-location basis.
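Review bot: the Certificate Validation section shows `brooklyn.https.config.trustAll` and `brooklyn.https.config.laxRedirect` set to `false` but does not say what their defaults are or what `laxRedirect` controls, so a reader cannot tell whether the snippet changes anything; state both so operators know what they are tightening or loosening. Grammar in the same paragraph: "This is similar but independent of" should be "This is similar to, but independent of,", and "If set false" should be "If set to false". The closing line about setting these "on a per-entity / per-location basis" would be more useful with the key form used at that level, in the same way the `brooklyn.ssh.config.` prefix is explained for the SSH keys above.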
