Configuring Docker Engine for Remote Access with TLS

To allow connections from IBM® ADDI to the Wazi Analyze Docker container that is running on a remote operating system, you need to configure Docker Engine to listen on a TCP socket and to protect that socket with TLS. Without TLS and client-certificate verification, anyone who can reach the port has full control of the Docker daemon.

To configure Docker Engine for remote access with TLS, follow these steps.

1. Create a CA, server, and client keys with OpenSSL

Follow the steps in the Docker documentation topic Use TLS (HTTPS) to protect the Docker daemon socket to generate the CA, the server key and certificate, and the client key and certificate.

After you complete these steps, ensure that the following five files are generated.
  • ca.pem
  • server-cert.pem
  • server-key.pem
  • cert.pem
  • key.pem
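Before the files are copied around in steps 2 and 3, it is worth checking that they belong together. The following POSIX shell function is an added example, not part of the IBM documentation; it assumes openssl is on the PATH and that server-key.pem and key.pem are unencrypted, as the Docker guide produces them, and it optionally takes the hostname or IP address that IBM AD will connect to, which must appear in the server certificate's subject alternative names.

```shell
#!/bin/sh
# Added example (not from the IBM page): sanity-check the five files produced in step 1
# before they are copied to the Docker host (ca, server-cert, server-key) and to the
# ADDI machine (ca, cert, key). Assumes openssl on PATH and unencrypted key files.
# Usage: check_docker_tls_files <dir> [host-or-ip that IBM AD will connect to]
check_docker_tls_files() {
  dir=$1; host=$2; ok=1
  for f in ca.pem server-cert.pem server-key.pem cert.pem key.pem; do
    [ -f "$dir/$f" ] || { echo "missing: $f"; ok=0; }
  done
  [ "$ok" = 1 ] || return 1
  # Both leaf certificates must chain to ca.pem, the only CA the daemon and IBM AD trust.
  for c in server-cert.pem cert.pem; do
    openssl verify -CAfile "$dir/ca.pem" "$dir/$c" >/dev/null 2>&1 \
      || { echo "$c is not signed by ca.pem"; ok=0; }
  done
  # Each private key must belong to its certificate: compare the public keys they carry.
  for pair in server-cert.pem:server-key.pem cert.pem:key.pem; do
    c=${pair%%:*}; k=${pair#*:}
    cpub=$(openssl x509 -in "$dir/$c" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$dir/$k" -pubout 2>/dev/null)
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || { echo "$k does not match $c"; ok=0; }
    # A leaked key gives root-equivalent access to the daemon: no group/other permissions.
    case $(ls -l "$dir/$k" | cut -c5-10) in
      ------) ;;
      *) echo "$k is readable by group or others"; ok=0 ;;
    esac
  done
  # The Docker guide sets extendedKeyUsage=serverAuth on the server certificate and
  # clientAuth on the client certificate; dockerd rejects a client cert whose EKU omits clientAuth.
  openssl x509 -in "$dir/server-cert.pem" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Server Authentication' \
    || { echo "server-cert.pem lacks extendedKeyUsage=serverAuth"; ok=0; }
  openssl x509 -in "$dir/cert.pem" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "cert.pem lacks extendedKeyUsage=clientAuth"; ok=0; }
  # A verifying TLS client checks the name it dialed against the SANs, so the address
  # IBM AD uses must be present as a DNS or IP entry.
  if [ -n "$host" ]; then
    openssl x509 -in "$dir/server-cert.pem" -noout -text 2>/dev/null \
      | grep -Eq "(DNS|IP Address):$host(,|$)" \
      || { echo "server-cert.pem has no SAN entry for $host"; ok=0; }
  fi
  [ "$ok" = 1 ] && echo "all checks passed"
}
```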

2. Configure Docker Engine to enable TCP socket with TLS

Before you configure Docker to enable the TCP socket with TLS, copy the ca.pem, server-cert.pem, and server-key.pem files that were generated in step 1 to the machine where Docker is running.

To enable the TCP socket with TLS, configure Docker to listen on port 2376 for TCP connections (the conventional port for the TLS-protected Docker API) and specify the paths of the server certificate files so that the daemon accepts only TLS connections.

  • For Windows
    Note: In the following situations, the exposed port needs to be allowed in the Windows Firewall.
    • With Docker daemon installed on Windows, perform the following steps:
      1. Go to C:\ProgramData\docker\config.
      2. Edit the daemon.json file. If it does not exist, you need to manually create it.
      3. Identify the line that contains the hosts key and add the "tcp://0.0.0.0:2376" value. If the key does not exist, add it. Also add the TLS-related keys and their values as shown in the following example. In JSON, backslashes in Windows paths must be doubled, for example "C:\\ProgramData\\docker\\certs\\ca.pem".
        {
          "experimental": true,
          "hosts": ["tcp://0.0.0.0:2376", "npipe://"],
          "tlsverify": true,
          "tlscacert": "<location of ca certificate>",
          "tlscert": "<location of server certificate>",
          "tlskey": "<location of server key>"
        }

        Then, save the file.

      4. Press Ctrl + Alt + Del and choose Task Manager to open the Task Manager window and select the Services tab.
      5. Restart the Docker service.
  • For Linux®
    Note: On Linux, Docker can be configured in two ways: with a daemon.json file, as in the Windows procedure, or with a systemd override edited through systemctl. The two cannot be combined: if the hosts key is set in daemon.json and -H flags are also passed on the dockerd command line, the daemon refuses to start. Choose either the daemon.json method or the systemctl method.

    The following procedure configures Docker to listen on TCP port 2376 by using the systemctl method. systemctl is the standard tool for controlling how services start and run on systemd-based Linux distributions, and this method can later be combined with other unit options, such as starting Docker each time the operating system starts. If you tried the first method (the daemon.json file) and it did not work, delete the /etc/docker/ folder before you try the second method.

    Procedure:
    1. Run the sudo systemctl edit docker.service command to open an override file for the Docker service in a text editor.
    2. Add or modify the following lines, substituting the paths of your certificate files and, if the daemon should not listen on all interfaces, replacing 0.0.0.0 with the static IP address of your machine:
      [Service]
      ExecStart=
      ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=<location of ca certificate> --tlscert=<location of server certificate> --tlskey=<location of server key>
      Important: Do not remove the first ExecStart= line with the empty value. It clears the ExecStart that is defined in the original unit file; without it, systemd refuses to start the service because the unit would have two ExecStart commands.
    3. Save the file and exit the editor (if the editor is nano, press Ctrl+X, then Y, then Enter).
    4. Reload the systemctl configuration by using the following command.
      sudo systemctl daemon-reload
    5. Restart the Docker service by using the following command.
      sudo systemctl restart docker.service
    6. To check that the changes were applied and that Docker is listening on the configured port, use the following command.
      sudo netstat -lntp | grep dockerd
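Both mistakes this section warns about (the hosts key in daemon.json combined with -H flags in the override, and a tcp:// listener that is not TLS-protected) can be caught before the daemon is restarted. The following POSIX shell function is an added example, not from the IBM documentation; the file paths are arguments you supply, and the daemon.json format it inspects is the same one used in the Windows procedure above.

```shell
#!/bin/sh
# Added example (not from the IBM page): lint the remote-access settings before restarting
# dockerd. Catches the two mistakes this page warns about: the "hosts" key in daemon.json
# combined with -H flags in the systemd override (dockerd refuses to start), and a tcp://
# listener that is not protected by tlsverify (anyone who reaches the port controls Docker).
# Returns 0 when consistent and TLS-protected, 1 on a conflict, 2 on an unprotected listener.
# Usage: lint_docker_remote_config <daemon.json> <systemd override.conf>
lint_docker_remote_config() {
  json=$1; override=$2
  json_hosts=0; flag_hosts=0; tcp=0; tls=0
  if [ -f "$json" ]; then
    grep -q '"hosts"' "$json" && json_hosts=1
    grep -q 'tcp://' "$json" && tcp=1
    grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$json" && tls=1
  fi
  if [ -f "$override" ]; then
    # Only the non-empty ExecStart line carries dockerd flags.
    grep -Eq '^ExecStart=.*(-H|--host)[= ]' "$override" && flag_hosts=1
    grep -Eq '^ExecStart=.*tcp://' "$override" && tcp=1
    grep -Eq '^ExecStart=.*--tlsverify' "$override" && tls=1
  fi
  if [ "$json_hosts" = 1 ] && [ "$flag_hosts" = 1 ]; then
    echo "conflict: hosts is set in both $json and $override; pick one method"
    return 1
  fi
  if [ "$tcp" = 1 ] && [ "$tls" = 0 ]; then
    echo "insecure: tcp:// listener without tlsverify"
    return 2
  fi
  if cat "$json" "$override" 2>/dev/null | grep -q 'tcp://0\.0\.0\.0'; then
    echo "note: listener bound to all interfaces; allow port 2376 only from the IBM AD host in the firewall"
  fi
  echo "ok"
}
```

After the restart, confirm enforcement end to end from the IBM AD machine with docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://<docker-host>:2376 version; the same command without the client certificate and key must be refused.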

3. Configure IBM AD Wazi Analyze REST API Service to use TLS when connecting to Docker Engine

To configure IBM AD Wazi Analyze REST API Service to use TLS when connecting to the Wazi Analyze Docker container, follow these steps:
  1. Copy the ca.pem, cert.pem, and key.pem that are generated in step 1 to the machine where IBM AD is installed. For example, copy the files to C:\DockerClientCertificates.
    Restriction: The files must be named exactly ca.pem, key.pem, and cert.pem. Otherwise, the connection fails because the files cannot be found.
  2. Open the application.properties file under <ADDI Installation Folder>/IBM AD Web Services/wlp/usr/servers/ad_server/conf.wazianalyze.
  3. Ensure that the DOCKER_ENABLE_TLS property is set to true.
  4. Update the DOCKER_CERT_PATH property to specify the directory path where the CA and client certificates are stored. Use the same path that is created in step 1 of this section, for example, DOCKER_CERT_PATH=C:\DockerClientCertificates.
  5. Restart the IBM AD WebSphere® Liberty Profile Windows service from the Windows Services Panel to make those changes take effect.
    Note: Wait until the IBM AD Wazi Analyze REST API Service has restarted successfully: verify that the CWWKZ0001I: Application wazianalyze started in xxx seconds. message appears in the ...\wlp\usr\servers\ad_server\logs\messages.log file.