How do I enable mTLS on the NSP mediation interface?

Purpose

Perform this procedure to enable mutual TLS authentication, or mTLS, on the network mediation interface of an NSP cluster.

Note: You must perform the procedure in each NSP cluster.

Steps

1. Log in as the root or NSP admin user on the NSP deployer host.

2. Open the following file using a plain-text editor such as vi:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

3. Configure the following parameters in the nspmodulesmdm section of the file:

  mtls:
    enabled: true
    mtlsKeyAlgorithm: "RSA"

4. Save and close the file.

5. Open a console window.

6. Enter the following:

cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵

7. Enter the following to update the mTLS Kubernetes server secret:

./nspdeployerctl secret -s mediation-mtls-key -n "*" -f tls.key=mtlsKey -f tls.crt=mtlsClientCert -f ca.crt=mtlsCACert update ↵

where
mtlsKey is the full path of the client private key file
mtlsClientCert is the full path of the client public certificate file
mtlsCACert is the full path of the CA public certificate file

Messages like the following are displayed as the server secret is updated:

secret/mediation-mtls-key patched
The following files may contain sensitive information. They are no longer required by NSP and may be removed.
  customKey
  customCert
  customCaCert
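Before running the secret update in step 7, it is worth confirming that the three files belong together and are what nsp-config.yml expects: a private key that does not match its certificate, a non-RSA key, or a certificate close to expiry is otherwise only noticed when mediation sessions fail to authenticate after step 8. The script below is an added example and is not part of the NSP documentation or of nspdeployerctl. It uses openssl to run those checks and, when invoked with --apply, issues the step 7 command exactly as written above. The chain check against ca.crt assumes that a single mediation CA issues both the NSP client certificate and the peer certificates, which the procedure does not state, so it is reported as a warning only. The --demo mode and make_sample_material build constructed throwaway certificates in a temporary directory; verify_deployed_secret assumes kubectl access and uses NSP_NAMESPACE as a placeholder for the MDM namespace, which the procedure does not name.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the mTLS material before handing it to nspdeployerctl.
# Added example, not part of the NSP documentation. Needs openssl on the
# deployer host; kubectl only for the optional post-check.
set -u

# tls.key must be the private half of tls.crt: both carry the same public key,
# so compare the SubjectPublicKeyInfo each of them exports.
key_matches_cert() {
  local key="$1" crt="$2" key_pub crt_pub
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# tls.crt chains to ca.crt. Assumes one mediation CA issues both sides'
# certificates (an assumption, not stated in the procedure).
cert_signed_by_ca() {
  local ca="$1" crt="$2"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1
}

# The certificate is valid now and stays valid for at least $2 more days.
cert_valid_for_days() {
  local crt="$1" days="$2"
  openssl x509 -in "$crt" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# nsp-config.yml sets mtlsKeyAlgorithm: "RSA", so tls.key must be an RSA key.
key_is_rsa() {
  openssl rsa -in "$1" -noout -check >/dev/null 2>&1
}

# Runs every check; returns 0 only when the hard checks pass.
check_mtls_material() {
  local key="$1" crt="$2" ca="$3" rc=0
  key_matches_cert "$key" "$crt" || { echo "FAIL: tls.key does not match tls.crt" >&2; rc=1; }
  key_is_rsa "$key"              || { echo "FAIL: tls.key is not an RSA key" >&2; rc=1; }
  cert_valid_for_days "$crt" 30  || { echo "FAIL: tls.crt is expired or expires within 30 days" >&2; rc=1; }
  cert_signed_by_ca "$ca" "$crt" || echo "WARN: tls.crt does not chain to ca.crt (expected if peers use a separate CA)" >&2
  return "$rc"
}

# The step 7 secret update, run only after the checks pass.
update_mediation_secret() {
  local key="$1" crt="$2" ca="$3"
  check_mtls_material "$key" "$crt" "$ca" || return 1
  ./nspdeployerctl secret -s mediation-mtls-key -n "*" \
    -f tls.key="$key" -f tls.crt="$crt" -f ca.crt="$ca" update
}

# Optional post-check: read back the certificate Kubernetes now holds.
# NSP_NAMESPACE is a placeholder; the MDM namespace is not given in the procedure.
verify_deployed_secret() {
  local ns="${1:-NSP_NAMESPACE}"
  kubectl -n "$ns" get secret mediation-mtls-key -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -issuer -enddate
}

# Constructed throwaway material for exercising the checks offline: a CA, a
# client key/cert it issued, and an unrelated self-signed pair.
make_sample_material() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed mediation CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-mdm-client" \
    -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/client.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=unrelated" \
    -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
}

case "${1:-}" in
  --demo)
    d=$(mktemp -d)
    make_sample_material "$d"
    check_mtls_material "$d/client.key" "$d/client.crt" "$d/ca.crt" && echo "constructed sample passes"
    check_mtls_material "$d/other.key" "$d/client.crt" "$d/ca.crt" || echo "mismatched key correctly rejected"
    rm -rf "$d" ;;
  --apply)
    # usage: ./mtls-preflight.sh --apply mtlsKey mtlsClientCert mtlsCACert
    update_mediation_secret "$2" "$3" "$4" ;;
esac
```

Run it from /opt/nsp/NSP-CN-DEP-release-ID/bin so that ./nspdeployerctl resolves, for example ./mtls-preflight.sh --apply /path/to/key.pem /path/to/client.pem /path/to/ca.pem. The key and certificate files on disk still need the cleanup that the tool's own output recommends once the secret is patched.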


8. Enter the following to put the configuration change into effect:

Note: The command restarts each MDM pod in the cluster, but is not service-affecting.

./nspdeployerctl install --config --deploy ↵

mTLS is enabled on the cluster mediation interface.

9. Close the console window.

End of steps