Configuring Docker Engine for Remote Access with TLS
To allow connections from IBM® ADDI to the Wazi Analyze Docker container that runs on a remote operating system, you need to configure Docker Engine to listen on a TCP socket, and to secure and protect that socket by using TLS. Without TLS, a TCP socket gives anyone who can reach the port full control of the Docker daemon, so do not expose it unprotected.
To configure Docker Engine for remote access with TLS, follow these steps.
1. Create a CA, server and client keys with OpenSSL.
2. Configure Docker Engine to enable the TCP socket with TLS.
3. Configure the IBM AD Wazi Analyze REST API Service to use TLS when connecting to Docker Engine.
1. Create a CA, server and client keys with OpenSSL
Follow the steps that are described in the Docker documentation topic Use TLS (HTTPS) to protect the Docker daemon socket to generate the CA, the server key and certificate, and the client key and certificate. The procedure produces the following files:
- ca.pem
- server-cert.pem
- server-key.pem
- cert.pem
- key.pem
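The OpenSSL steps from the Docker topic as a runnable script, added here as an example (it is not part of the IBM documentation or of the Docker topic): it writes the five files listed above into a directory, then checks that both certificates chain to ca.pem and carry the intended subject alternative name and key usages before you copy anything to the two machines. It assumes the daemon's DNS name as the first argument, an output directory as the second, an optional key size as the third, and the CA passphrase in the CA_PASS environment variable (all constructed for this example).

```shell
#!/bin/sh
# Added example, not part of the IBM documentation or the Docker topic it cites.
# Assumptions (constructed): $1 is the DNS name ADDI will use to reach the daemon,
# $2 is the output directory, $3 is the key size, and CA_PASS holds the CA passphrase.
set -eu

gen_docker_tls() {
  HOST="$1"; OUT="$2"; BITS="${3:-4096}"
  : "${CA_PASS:?set CA_PASS to the CA key passphrase}"
  mkdir -p "$OUT" && cd "$OUT"
  # CA: encrypted private key plus self-signed certificate (ca.pem goes to both machines).
  openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem "$BITS" 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -subj "/CN=docker-ca" \
    -key ca-key.pem -passin env:CA_PASS -out ca.pem
  # Server: the SAN must match the name ADDI dials; extendedKeyUsage=serverAuth
  # prevents the server certificate from being presented as a client certificate.
  openssl genrsa -out server-key.pem "$BITS" 2>/dev/null
  openssl req -new -sha256 -subj "/CN=$HOST" -key server-key.pem -out server.csr
  printf 'subjectAltName = DNS:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$HOST" >server-ext.cnf
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -passin env:CA_PASS -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null
  # Client: key.pem and cert.pem, the exact names the DOCKER_CERT_PATH directory expects.
  openssl genrsa -out key.pem "$BITS" 2>/dev/null
  openssl req -new -subj "/CN=client" -key key.pem -out key.csr
  printf 'extendedKeyUsage = clientAuth\n' >client-ext.cnf
  openssl x509 -req -days 365 -sha256 -in key.csr -CA ca.pem -CAkey ca-key.pem \
    -passin env:CA_PASS -CAcreateserial -extfile client-ext.cnf -out cert.pem 2>/dev/null
  rm -f server.csr key.csr server-ext.cnf client-ext.cnf ca.srl
  # Private keys are secrets; ca-key.pem never leaves this machine.
  chmod 0400 ca-key.pem server-key.pem key.pem
  chmod 0444 ca.pem server-cert.pem cert.pem
  cd - >/dev/null
}

# Checks that both certificates chain to ca.pem and carry the intended SAN and key usages.
verify_docker_tls() {
  OUT="$1"; HOST="$2"
  openssl verify -CAfile "$OUT/ca.pem" "$OUT/server-cert.pem" "$OUT/cert.pem" >/dev/null &&
    openssl x509 -in "$OUT/server-cert.pem" -noout -text | grep -q "DNS:$HOST" &&
    openssl x509 -in "$OUT/server-cert.pem" -noout -text | grep -q 'TLS Web Server Authentication' &&
    openssl x509 -in "$OUT/cert.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}
```

After the daemon has been reconfigured and restarted, `docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://<daemon host>:2376 version` run from the client machine should succeed, and the same command without --tlscert and --tlskey should be refused.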
2. Configure Docker Engine to enable the TCP socket with TLS
Before you configure Docker to enable the TCP socket with TLS, make sure to copy the ca.pem, server-cert.pem, and server-key.pem files that are generated in step 1 to the machine where Docker is running.
To enable the TCP socket with TLS, configure Docker to listen on port 2376 for TCP connections and specify the paths of the server certificates, so that it accepts only TLS connections whose client certificate is signed by your CA.
- For Windows. Note: In the following situations, the exposed port must be allowed in the Windows Firewall.
- With the Docker daemon installed on Windows, perform the following steps:
  - Go to C:\ProgramData\docker\config.
  - Edit the daemon.json file. If it does not exist, you need to create it manually.
  - Identify the line that contains the hosts key and add the "tcp://0.0.0.0:2376" value. If it does not exist, you need to add it manually. Also, add the other keys and their corresponding values that are related to TLS, as shown in the following example (in JSON, backslashes in Windows paths must be written as \\).
        {
          "experimental": true,
          "hosts": ["tcp://0.0.0.0:2376", "npipe://"],
          "tlsverify": true,
          "tlscacert": "<location of ca certificate>",
          "tlscert": "<location of server certificate>",
          "tlskey": "<location of server key>"
        }
    Then, save the file.
  - Press Ctrl + Alt + Del, choose Task Manager to open the Task Manager window, and select the Services tab.
  - Restart the Docker service.
- For Linux®. Note: On Linux, two methods can be used to configure Docker. One is similar to the Windows one and uses a daemon.json file; the second uses systemctl. They cannot be mixed: you need to choose either the daemon.json way or the systemctl way. Below you can find the procedure for configuring Docker to listen on TCP 2376 by using the systemctl method. systemctl is the most popular tool to configure the way apps start and run on Linux. You can later combine this method with other options, such as configuring Docker to start each time the operating system starts. If you tried the first method (the daemon.json file) and it did not work, you need to delete the folder /etc/docker/ before you try the second method.
  Procedure:
  - Use the sudo systemctl edit docker.service command to open an override file for the Docker service in a text editor.
  - Add or modify the following lines, substituting your own machine's static IP address where needed:
        [Service]
        ExecStart=
        ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=<location of ca certificate> --tlscert=<location of server certificate> --tlskey=<location of server key>
    Important: Do not remove the first line that contains ExecStart=. It needs to remain with an empty value; it clears the ExecStart of the packaged unit so that the second line replaces it instead of being rejected as a duplicate.
  - Once the file is saved, you can exit the systemctl tool.
  - Reload the systemctl configuration by using the following command.
        sudo systemctl daemon-reload
  - Restart the Docker service by using the following command.
        sudo systemctl restart docker.service
  - To check whether the changes were applied successfully and Docker is listening on the configured port, use the following command.
        sudo netstat -lntp | grep dockerd
3. Configure the IBM AD Wazi Analyze REST API Service to use TLS when connecting to Docker Engine
- Copy the ca.pem, cert.pem, and key.pem files that are generated in step 1 to the machine where IBM AD is installed. For example, copy the files to C:\DockerClientCertificates. Restriction: The files must be named exactly ca.pem, key.pem, and cert.pem. Otherwise, the connection fails because the files cannot be found.
- Open the application.properties file under <ADDI Installation Folder>/IBM AD Web Services/wlp/usr/servers/ad_server/conf.wazianalyze.
- Ensure that the DOCKER_ENABLE_TLS property is set to true.
- Update the DOCKER_CERT_PATH property to specify the directory path where the CA and client certificates are stored. Use the same path that you created in the first step of this section, for example, DOCKER_CERT_PATH=C:\DockerClientCertificates.
- Restart the IBM AD WebSphere® Liberty Profile Windows service from the Windows Services panel for the changes to take effect. Note: Wait until the IBM AD Wazi Analyze REST API Service has restarted successfully by verifying that the CWWKZ0001I: Application wazianalyze started in xxx seconds. message appears in the ...\wlp\usr\servers\ad_server\logs\messages.log file.