JBevillC commented on a change in pull request #3040: CIAB: Make the socks container optional
URL: https://github.com/apache/trafficcontrol/pull/3040#discussion_r239605252
##########
File path: docs/source/admin/quick_howto/ciab.rst
##########
@@ -99,19 +99,162 @@ variables.env
.. [2] Consider ``make -j`` to build quickly, if your computer can handle
multiple builds at once.
.. [3] Please do NOT use the Perl endpoints directly. The CDN will only work
properly if everything hits the Go API, which will proxy to the Perl endpoints
as needed.
+X.509 SSL/TLS Certificates
+=========================
+All components in Apache Traffic Control utilize SSL/TLS secure communications
by default. For SSL/TLS connections to properly validate within the "CDN in a
Box" container network a shared self-signed X.509 Certificate Authority (CA) is
generated at the first initial startup. Additional self-signed wildcard
certificates are generated for each container service and all delivery services
of the CDN. All certificates and keys are stored in the ``ca`` host volume
which is located at ``infrastruture/cdn-in-a-box/traffic_ops/ca`` [4]_.
+
+.. _ciab-x509-certificate-list:
+.. table:: Self-Signed X.509 Certificate List
+
+
+---------------------------+-----------------------------------+------------------------------+
+ | Filename | Description | X.509
CN/SAN |
+
+===========================+===================================+==============================+
+ | CIAB-CA.crt | Shared CA Certificate | N/A
|
+
+---------------------------+-----------------------------------+------------------------------+
+ | infra.ciab.test.crt | Infrastruture Certificate |
\*.infra.ciab.test |
+
+---------------------------+-----------------------------------+------------------------------+
+ | demo1.mycdn.ciab.test.crt | Demo1 Delivery Service Certificate|
\*.demo1.mycdn.ciab.test |
+
+---------------------------+-----------------------------------+------------------------------+
+ | demo2.mycdn.ciab.test.crt | Demo2 Delivery Service Certificate|
\*.demo2.mycdn.ciab.test |
+
+---------------------------+-----------------------------------+------------------------------+
+ | demo3.mycdn.ciab.test.crt | Demo3 Delivery Service Certificate|
\*.demo3.mycdn.ciab.test |
+
+---------------------------+-----------------------------------+------------------------------+
+
+.. [4] The ``ca`` volume is not purged with normal ``docker volume`` commands.
This feature is by design to allow the existing shared SSL certificate to be
trusted at the system level across restarts. To re-generate all SSL
certificates and keys, remove the
``infrastructure/cdn-in-a-box/traffic_ops/ca`` directory before startup.
+
+Trusting the CA
+---------------
+For developer and testing use-cases, it may be necessary to have full x509 CA
validation by HTTPS clients [5]_. For x509 validation to work properly, the
self-signed x509 CA certificate must be trusted either at the system leevel or
by the client applicatoin itself. Procedures to import and trust the CA x.509
certifcate are outlined below for OSX, Windows, and two Linuxs below [6]_.
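Review bot: the "Trusting the CA" paragraph asks developers to trust the CIAB CA at the system level, but the first paragraph and footnote [4] say the CA's private key is kept in the same persistent ``ca`` host volume that survives restarts; the section should state plainly that anything signed with that key will then be trusted by the host, that this is for development and test only, and that the CA certificate should be removed from the system trust store when CIAB is no longer in use. The terminology in the first paragraph and the table title also needs a look: only ``CIAB-CA.crt`` is self-signed, and if the per-service and delivery-service wildcard certificates are issued by that CA (which is what makes trusting the CA sufficient for validation) they are CA-signed, so "Additional self-signed wildcard certificates" and "Self-Signed X.509 Certificate List" should say which. Finally, the path ``infrastruture/cdn-in-a-box/traffic_ops/ca`` in the first paragraph is misspelled (footnote [4] has ``infrastructure``), "Infrastruture Certificate" in the table has the same typo, and the "Trusting the CA" paragraph has "leevel", "applicatoin" and "certifcate" and mixes "x509" and "x.509" with the "X.509" used in the heading.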
Review comment:
I've removed the "for OSX, Windows, and two Linuxs below" part of the paragraph.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services