Secure Consul


For security reasons, we strongly recommend configuring TLS encryption.

Caution - firewall

Because anyone who can access the Consul web interface via port 8500 can change the configuration, including the user authorization, we strongly recommend protecting Consul with a firewall. Only the SEAL Operator servers and maybe the workstations of the system administrators should have access to Consul.


Configure the TLS Encryption

The connection to Consul is secured by the TLS certificate located in the /opt/seal/etc/tls directory. This means that once you have replaced the self-signed certificate included in the delivery with your own certificate, as described in Secure the SEAL Operator Services, the connection to Consul is already secured.


Specify a CA Certificate (Unnecessary in Most Cases)

If a CA certificate is specified, Consul requires a client certificate from each client, that is, from all SEAL Operator services. The certificates would need the corresponding properties, and setting this up involves considerable effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.

For the rare other cases, this is how you configure a CA certificate with Consul:

  1. Open the Consul configuration file:

    /opt/seal/etc/consul.json
    
  2. Insert the following lines at the first level, for example, above acl_datacenter:

    {
      "ca_file": "/opt/seal/etc/tls/ca.pem",
      "verify_outgoing": true,
      "acl_datacenter": "dc1",
    ...
    }
    

    Caution - JSON structure

    Take care to keep the JSON structure of the Consul configuration file intact! For further information, refer to http://json.org/json-de.html.

  3. Save the configuration file.

  4. Restart the following service:

    • seal-consul-agent
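
A check to run between saving the file and restarting the service, as an added example that is not part of the SEAL documentation: it parses the configuration strictly and confirms that ca_file and verify_outgoing sit at the first level. The function names and the sample strings are assumptions made for this example.

```python
import json
import os

def _no_duplicates(pairs):
    """Reject repeated keys, which json.loads would otherwise silently merge."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen[key] = value
    return seen

def check_consul_tls(text, file_exists=os.path.isfile):
    """Return a list of problems found in the Consul configuration text."""
    try:
        cfg = json.loads(text, object_pairs_hook=_no_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return [f"invalid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = []
    ca_file = cfg.get("ca_file")
    if not isinstance(ca_file, str) or not ca_file:
        problems.append("ca_file is missing from the first level")
    elif not file_exists(ca_file):
        problems.append(f"ca_file does not exist: {ca_file}")
    # The string "true" is not the boolean true; only the latter passes.
    if cfg.get("verify_outgoing") is not True:
        problems.append("verify_outgoing must be the boolean true at the first level")
    return problems

# Constructed sample inputs (not taken from a real installation).
GOOD = '{"ca_file": "/opt/seal/etc/tls/ca.pem", "verify_outgoing": true, "acl_datacenter": "dc1"}'
TRAILING_COMMA = '{"ca_file": "/opt/seal/etc/tls/ca.pem", "verify_outgoing": true,}'
# "wrong_level" is a hypothetical key showing the settings pasted one level too deep.
NESTED = '{"acl_datacenter": "dc1", "wrong_level": {"ca_file": "/opt/seal/etc/tls/ca.pem", "verify_outgoing": "true"}}'

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/seal/etc/consul.json"
    with open(path, encoding="utf-8") as fh:
        found = check_consul_tls(fh.read())
    for line in found:
        print("PROBLEM:", line)
    sys.exit(1 if found else 0)
```

The script exits with status 1 if it finds a problem, so it can gate the restart of seal-consul-agent.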

Next Step

Continue with: Secure MongoDB

