
Customize enabled TLS versions and cipher suites in IBM InfoSphere Information Server Microservices tier 11.7.1.1 and later

How To


Summary

Information Server Microservices tier consists of a number of different components that open ports on the host network in order to expose capabilities for end users, other tiers and internal components. Ports through which important data is transferred are secured by using the TLS protocol. This document describes how to tune your TLS settings in Information Server 11.7.1.1 or later for various services and ports, including configuring the list of enabled TLS protocol versions, as well as the list of supported cipher suites.

Objective

Security hardening of Information Server Microservices tier.

Environment

Information Server 11.7.1.1 or later with a Microservices tier

Steps

Kubernetes ingress controller port: 443
Port 443 is the HTTPS port of the Kubernetes ingress controller. The ingress port exposes most of the microservices tier capabilities, including UIs and REST APIs, as well as subsidiary services such as Solr, Kibana, and Grafana.

In Information Server 11.7.1.1 or later, this port enables TLS version 1.2 only by default. Starting with 11.7.1.3, TLS 1.3 is also enabled by default. The default set of cipher suites is limited to secure ciphers only.
The default configuration is considered secure at the time of writing; therefore, it is not advisable to alter the ingress controller TLS settings. If you must, edit the ingress-nginx-configuration config map in the kube-system namespace. The respective configuration entries are ssl-protocols and ssl-ciphers, described at https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap.
Note: Configuration changes are not persisted between product upgrades and might need to be redone after a product upgrade is applied.

Kafka port: 9092
The Kafka service serves as the asynchronous communication backbone for the entire Information Server suite. When a Microservices tier is installed, the Kafka service is deployed as a Kubernetes microservice and exposed as a TCP service through the Kubernetes ingress TCP services on port 9092.
In Information Server 11.7.1.1 and 11.7.1.2, this port enables TLS versions 1.0, 1.1 and 1.2. The list of supported cipher suites consists of the default set of cipher suites enabled in Java 1.8.

Starting in Information Server 11.7.1.3, this port enables TLS versions 1.2 and 1.3 only. The list of supported cipher suites consists of the default set of cipher suites enabled in Java 11.

To restrict the list of enabled TLS versions for the Kafka port, set the KAFKA_SSL_ENABLED_PROTOCOLS environment variable on the Kafka statefulset. Use the following patch command to configure it:

$ kubectl patch sts kafka -p '{"spec":{"template":{"spec":{"containers":[{"name":"kafka","env":[{"name":"KAFKA_SSL_ENABLED_PROTOCOLS","value":"TLSv1.2"}]}]}}}}'
The KAFKA_SSL_ENABLED_PROTOCOLS environment variable expects a comma-separated list as its value.

To customize the list of supported cipher suites, set the KAFKA_SSL_CIPHER_SUITES environment variable. For instance, the following patch command restricts the list to cipher suites known to be secure at the time of writing:
$ kubectl patch sts kafka -p '{"spec":{"template":{"spec":{"containers":[{"name":"kafka","env":[{"name":"KAFKA_SSL_CIPHER_SUITES","value":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"}]}]}}}}'
Changes made with the kubectl patch (noninteractive) or kubectl edit (interactive) commands automatically trigger a restart of the Kafka service, after which the updated configuration is in effect. Note that changes made this way are not fully persistent; they might be overwritten when future upgrades are installed and might need to be reapplied.
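After patching the statefulset, it is worth confirming from the outside which protocol versions the listener actually negotiates, because a typo in the environment variable value or a later upgrade can silently leave the old behaviour in place. The following script is an added example, not IBM's code and not part of this article's procedure; it wraps the openssl s_client command (assumed to be installed on the host you probe from) and works for any TLS port described on this page. The host name and port are placeholders you supply; parse_s_client and tls_probe are this example's own helper names.

```sh
#!/bin/sh
# Added example (not IBM's code): probe a TLS listener for each protocol
# version this article mentions and report what the server negotiates.
# Usage: sh tls_probe.sh HOST PORT   e.g. sh tls_probe.sh kafka.example.internal 9092

# Extract "<protocol> <cipher>" from openssl s_client output on stdin.
# s_client prints "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256" after a
# successful handshake and "New, (NONE), Cipher is (NONE)" after a failed one;
# the failure case yields no output.
parse_s_client() {
  sed -n 's/^New, \([^,]*\), Cipher is \([^ ]*\).*$/\1 \2/p' | grep -v '(NONE)' | head -n 1
}

# Try a single version. Prints "<label> accepted <cipher>", "<label> rejected",
# or "<label> untestable" when the local OpenSSL itself refuses to offer the
# version (OpenSSL 3 does this for TLS 1.0/1.1 at its default security level),
# so that a client-side refusal is not mistaken for a hardened server.
probe_version() {
  host=$1; port=$2; flag=$3; label=$4
  out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1) || true
  hit=$(printf '%s\n' "$out" | parse_s_client)
  if [ -n "$hit" ]; then
    echo "$label accepted ${hit#* }"
  elif printf '%s\n' "$out" | grep -qiE 'no protocols available|unsupported protocol'; then
    echo "$label untestable (local OpenSSL will not offer it)"
  else
    echo "$label rejected"
  fi
}

# Walk TLS 1.0 through 1.3. Any version below 1.2 reported as "accepted" means
# the listener has not been restricted as intended.
tls_probe() {
  for pair in tls1:TLSv1.0 tls1_1:TLSv1.1 tls1_2:TLSv1.2 tls1_3:TLSv1.3; do
    probe_version "$1" "$2" "-${pair%%:*}" "${pair#*:}"
  done
}

if [ $# -eq 2 ]; then tls_probe "$1" "$2"; fi
```

Run it once before and once after the patch; the expected outcome after restricting the Kafka port to TLSv1.2 is that only the TLSv1.2 line reads "accepted". The cipher printed is the one the server chose for that handshake, so this probe verifies protocol versions; to verify the cipher list itself, repeat the TLSv1.2 probe with the -cipher option of s_client for each suite you expect to be disabled.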

Kubernetes ports: 2379, 2380, 6443, 10250
The Kubernetes runtime opens a number of ports required for cluster operation. These include the following TLS ports:
  • etcd (Kubernetes database) ports 2379 and 2380
  • kube-apiserver port 6443
  • kubelet port 10250
For Information Server 11.7.1.1 and later, the list of enabled TLS protocol versions includes TLS 1.2 only for etcd, and TLS 1.2 and 1.3 for the remaining components. The default list of enabled cipher suites is the default set determined by the Go TLS implementation.
The TLS settings for Kubernetes components are changed by modifying YAML files, which are sensitive to indentation. When editing, indent with spaces only and use the correct number of spaces for each line. An indentation mistake can render the Kubernetes cluster, and with it the entire microservices tier, inoperable. Always make a copy of each file before editing it.
The etcd and kube-apiserver components are static pods. Hence, their TLS settings are changed by adding container process arguments to their respective manifest files, which are different for each component and documented separately below. The location of these arguments is the same for each component: they are appended to the command list under the spec section, for example,
 
...
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://10.50.0.9:2379
    - ...
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
...

The etcd manifest file is /etc/kubernetes/manifests/etcd.yaml. Changing the list of supported TLS protocol versions is not possible. Changing the set of enabled cipher suites is possible with the --cipher-suites parameter, which accepts a comma-separated list of values.
The kube-apiserver manifest file is /etc/kubernetes/manifests/kube-apiserver.yaml. Use the --tls-min-version parameter to change the minimum TLS protocol version. Use the --tls-cipher-suites parameter to change the set of enabled TLS cipher suites, specifying a comma-separated list of values.
Changes done in manifest files are automatically picked up by Kubernetes (kubelet) and the respective pods are restarted with their updated configuration.
The kubelet component is a host process. It uses a dedicated configuration file, /var/lib/kubelet/config.yaml. The minimum TLS version can be changed by adding a root-level tlsMinVersion entry, which accepts a single value specifying the minimum TLS version to be enabled. The set of enabled cipher suites can be changed by adding a root-level tlsCipherSuites entry, which accepts a YAML list, for example,
apiVersion: kubelet.config.k8s.io/v1beta1
...
syncFrequency: 0s
volumeStatsAggPeriod: 0s
tlsMinVersion: VersionTLS12
tlsCipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
After the configuration file is changed, run the following command as root to restart kubelet:
# systemctl restart kubelet.service
The allowed values for the minimum TLS protocol version and for cipher suites are documented in the Go tls package at https://pkg.go.dev/crypto/tls#pkg-constants.
The changes described here can be undone by automatic configuration file rewrites performed by higher-level management tools such as kubeadm. In particular, product upgrades or the certificate refresh procedure might overwrite these files.

Image registry port: 5000
The image registry service allows Kubernetes to fetch the container images that make up the product functionality.

In Information Server 11.7.1.1 and 11.7.1.2, the list of supported TLS protocol versions includes TLS 1.0, 1.1 and 1.2. In version 11.7.1.3, only TLS 1.2 is supported. Starting with Information Server version 11.7.1.4, the list of supported TLS protocol versions includes TLS 1.2 and 1.3. The default set of cipher suites depends on the underlying registry implementation, which differs between product versions, but is considered secure at the time of writing.
Changing image registry TLS settings requires Information Server version 11.7.1.3 or later. It involves modifying the image registry configuration file and restarting the image registry container. The procedure varies between Information Server versions.
The image registry configuration file is /etc/docker/registry/config.yml for Information Server 11.7.1.3 and /etc/registry/config.yml for version 11.7.1.4 and later. The TLS settings are modified under the tls: key of the http: section, keeping the YAML indentation intact. The available entries are minimumtls, which specifies the minimum enabled TLS protocol version, and ciphersuites, which specifies the list of enabled TLS cipher suites. For example,
version: 0.1
...
http:
  addr: :5000
  tls:
    certificate: /etc/registry/registry.crt
    key: /etc/registry/registry.key
    minimumtls: tls1.2
    ciphersuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_RSA_WITH_AES_256_GCM_SHA384
    - TLS_RSA_WITH_AES_128_GCM_SHA256
...
The allowed minimum TLS protocol value is either tls1.2 or tls1.3 for Information Server 11.7.1.4 and later, and tls1.0, tls1.1 or tls1.2 for Information Server 11.7.1.3. The set of allowed cipher suite values is a subset of the values documented in the Go tls package at https://pkg.go.dev/crypto/tls#pkg-constants, specific to the image registry implementation version, which differs between Information Server releases.

After the image registry configuration file is updated, the image registry process needs to be manually restarted in order to pick up configuration changes. To restart the image registry process on Information Server 11.7.1.3, run the following command as root:
# docker restart registry
To restart the image registry process on Information Server 11.7.1.4 and later, log in as the microservices tier installation user, change working directory to the microservices tier installation directory (/opt/IBM/UGinstall/ugdockerfiles by default) and run the following commands:
./run_playbook.sh playbooks/install/stop_image_registry.yaml -y
./run_playbook.sh playbooks/install/start_image_registry.yaml -y
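Because every file-based setting above (the etcd and kube-apiserver manifests, the kubelet configuration and the registry configuration) can be rewritten by kubeadm, a product upgrade or a certificate refresh, a practitioner needs a quick way to read the effective settings back out and spot drift. The script below is an added example, not IBM's code and not part of this article's procedure. It understands the three spellings of a TLS version used on this page (VersionTLS12, tls1.2, TLSv1.2), extracts the minimum version and cipher suite list from each file format shown above, and flags anything below TLS 1.2 or any CBC, RC4, 3DES, NULL or export-grade suite. The file paths are the defaults given in this article; the helper names are this example's own.

```sh
#!/bin/sh
# Added example (not IBM's code): audit the TLS settings in the Kubernetes and
# image registry configuration files named in this article.
# Usage: sh tls_audit.sh --run        (audits the default paths)
#        . ./tls_audit.sh; audit_file /path/to/file

# Map the version spellings used on this page to a number (12, 13, ...):
# VersionTLS12 (kube-apiserver, kubelet), tls1.2 (registry), TLSv1.2 (Kafka).
# Returns 1 for anything unrecognised.
tls_version_number() {
  case "$1" in
    VersionTLS10|tls1.0|TLSv1|TLSv1.0) echo 10 ;;
    VersionTLS11|tls1.1|TLSv1.1)       echo 11 ;;
    VersionTLS12|tls1.2|TLSv1.2)       echo 12 ;;
    VersionTLS13|tls1.3|TLSv1.3)       echo 13 ;;
    *) return 1 ;;
  esac
}

# Succeeds when the minimum version is TLS 1.2 or newer.
min_version_ok() {
  n=$(tls_version_number "$1") || return 1
  [ "$n" -ge 12 ]
}

# Classify an IANA/Go-style suite name: weak (CBC, RC4, 3DES, NULL, export),
# nopfs (static RSA key exchange: the two TLS_RSA_WITH_*_GCM suites the article
# lists are acceptable but give no forward secrecy), or ok.
classify_suite() {
  case "$1" in
    *_CBC_*|*_RC4_*|*_3DES_*|*_NULL_*|*_EXPORT*) echo weak ;;
    TLS_RSA_WITH_*)                            echo nopfs ;;
    *)                                         echo ok ;;
  esac
}

# Minimum version in FILE in any of the dialects on this page:
# --tls-min-version= (kube-apiserver), tlsMinVersion: (kubelet),
# minimumtls: (registry). Prints nothing when the setting is absent.
file_min_version() {
  sed -n \
    -e 's/^[[:space:]-]*--tls-min-version=\(.*\)$/\1/p' \
    -e 's/^[[:space:]]*tlsMinVersion:[[:space:]]*\(.*\)$/\1/p' \
    -e 's/^[[:space:]]*minimumtls:[[:space:]]*\(.*\)$/\1/p' \
    "$1" | head -n 1
}

# Cipher suites in FILE, one per line: comma-separated --cipher-suites= (etcd)
# and --tls-cipher-suites= (kube-apiserver), plus the YAML lists under
# tlsCipherSuites: (kubelet) and ciphersuites: (registry).
file_cipher_suites() {
  sed -n \
    -e 's/^[[:space:]-]*--cipher-suites=\(.*\)$/\1/p' \
    -e 's/^[[:space:]-]*--tls-cipher-suites=\(.*\)$/\1/p' \
    "$1" | tr ',' '\n'
  awk '
    /^[[:space:]]*(tlsCipherSuites|ciphersuites):[[:space:]]*$/ { inlist = 1; next }
    inlist && /^[[:space:]]*-[[:space:]]*TLS_/ {
      sub(/^[[:space:]]*-[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; next
    }
    inlist { inlist = 0 }
  ' "$1"
}

# One line per finding for FILE; returns 1 if anything is flagged.
audit_file() {
  file=$1; rc=0
  v=$(file_min_version "$file")
  if [ -z "$v" ]; then
    echo "$file: minimum version not set (component default applies)"
  elif min_version_ok "$v"; then
    echo "$file: minimum version $v ok"
  else
    echo "$file: minimum version $v FLAGGED (below TLS 1.2 or unrecognised)"; rc=1
  fi
  for s in $(file_cipher_suites "$file"); do
    case "$(classify_suite "$s")" in
      weak)  echo "$file: suite $s FLAGGED (weak cipher)"; rc=1 ;;
      nopfs) echo "$file: suite $s ok (note: no forward secrecy)" ;;
      ok)    echo "$file: suite $s ok" ;;
    esac
  done
  return $rc
}

# Default locations from the article; missing files are skipped because the
# registry path differs between 11.7.1.3 and 11.7.1.4+.
audit_defaults() {
  for f in /etc/kubernetes/manifests/etcd.yaml \
           /etc/kubernetes/manifests/kube-apiserver.yaml \
           /var/lib/kubelet/config.yaml \
           /etc/docker/registry/config.yml \
           /etc/registry/config.yml; do
    if [ -r "$f" ]; then audit_file "$f" || :; fi
  done
}

if [ "${1:-}" = "--run" ]; then audit_defaults; fi
```

Run it as root after every upgrade or certificate refresh and compare the output with the previous run; a "not set" line for a file you had customized means the rewrite has dropped your change and the procedure above needs to be repeated. The nopfs note is informational: the article's recommended list is considered secure, and the note only records that the TLS_RSA_WITH_* entries rely on static RSA key exchange.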

Document Location

Worldwide


Document Information

Modified date:
03 November 2022

UID

ibm16348656