NSP TLS overview

Introduction

NSP communication is secured using Transport Layer Security, or TLS. The TLS-secured elements of an NSP deployment include the following:

Note: An NSP system upgrade preserves the TLS artifacts.

NSP TLS certificates

The NSP TLS certificates include the following:

Note: You specify the issuer and server TLS artifacts during NSP cluster deployment. The Kubernetes certificates are automatically generated, and require no configuration.

NSP issuer certificates

NSP issuer certificates are CA signing certificates that provide session-level security for the internal and external-facing NSP application endpoints.

NSP server certificates

NSP server certificates secure the ingress gateway for external client and mediation access. Using a custom server certificate has special requirements, as described in Using custom TLS certificates.

Kubernetes secrets

The TLS artifacts of an NSP cluster are stored in Kubernetes secrets to prevent the exposure of sensitive security information. The ‘nspdeployerctl secret’ command on an NSP deployer host creates, updates, and replaces secrets, and also provides secret backup, restore, and display functions.

The NSP system deployment procedures include steps for creating the required secrets, and “What is NSP TLS administration?” in the NSP System Administrator Guide describes post-deployment TLS certificate and Kubernetes secret management.

See NSP TLS configuration requirements and NSP TLS configuration procedures for information about creating the required TLS artifacts for an NSP deployment.

NSP PKI-server service

An NSP cluster hosts a PKI-server service that uses the CA certificates from the internal and external issuer secrets to sign certificates. The service uses an access control list based on the NSP cluster configuration; consequently, the service responds only to certificate requests from known addresses in the nsp-config.yml file of the local cluster.