Skip to content

Secure Consul

For security reasons, we strongly recommend configuring the TLS encryption.

Caution - firewall

Due to everyone who may access the Consul Web interface via port 8500 can change the configuration including the user authorization, we strongly recommend protecting Consul via firewall. Only the PLOSSYS 5 servers and maybe the workstations of the system administrators should have access to Consul.

Configure the TLS Encryption

The connection to Consul is secured by the TLS certificate located in the /opt/seal/etc/tls directory. That means that after you have replaced the self-signed certificate enclosed in delivery by your own certificate in Secure the PLOSSYS 5 Services the connection to Consul has already been secured.

Configure the TLS Encryption in a Cluster

If you are running PLOSSYS 5 in a cluster, execute the configuration steps above on all PLOSSYS 5 servers.

Config a Consul Key in a Cluster

For how to configure Consul in a cluster, refer to Configure Consul in a Cluster.

The communication between the Consul instances in a cluster is encrypted symmetrically. A pre-shared key is installed.

Caution - security gap

Using the pre-installed key in a productive system is a serious security gap.

Show the Installed Keys

This is how you display all keys known to the Consul cluster:

  1. Change to the directory of the Consul program:

    /opt/seal/seal-consul-agent

  2. List the installed keys:

    ./consul keyring -list

    Hint - active key

    The active key is highlighted. GfTiHCQsAMdYyUKN+BYhMw== is the default key set during the installation.

Replace the Key

This is how you replace the key:

  1. Change to the directory of the Consul program:

    /opt/seal/seal-consul-agent

  2. Create a new symmetric key:

    ./consul keygen

    The new key <new_key> is displayed.

  3. Distribute the new key in the Consul cluster:

    ./consul keyring -install <new_key>

  4. Activate the new key:

    ./consul keyring -use <new_key>

  5. Delete the old key:

    ./consul keyring -remove <old_key>

Specify a CA Certificate (Unnecessary in Most Cases)

If a CA certificate has been specified, Consul requires a client certificate from each client, that means from all PLOSSYS 5 services. This would require corresponding properties of the certificate and would be a high effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.

For the rare other cases, this is how you configure a CA certificate with Consul:

  1. Open the Consul configuration file on the PLOSSYS 5 server:

    /opt/seal/etc/consul.json

  2. Insert the following lines in the first level, for example after the first opening bracket:

    {
  "ca_file": "/opt/seal/etc/tls/ca.pem",
  "verify_outgoing": true,
...
}

    Caution - JSON structure

    Pay attention to keep the JSON structure in the configuration file! For further information, refer to http://json.org/json-de.html.

  3. Save the configuration file.

  4. Restart the following service:

    • seal-consul-agent

Configure ACL

Consul comes without ACL (Access Control List) configuration. This is how you configure ACL:

  1. Stop PLOSSYS 5 completely using the --full parameter (on every server in case of a cluster).

  2. Open the Consul configuration file on the PLOSSYS 5 server (on every server in case of a cluster):

    /opt/seal/etc/consul.json

  3. Insert the following lines in the first level, for example, after the first opening bracket (on every server in case of a cluster):

    {
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  },
...
}

  4. Start the following service (on every server in case of a cluster):

    • seal-consul-agent

  5. Change to the directory of the Consul program (on every server in case of a cluster):

    cd /opt/seal/seal-consul-agent

  6. Set the following environment variables (on every server in case of a cluster):

    export CONSUL_HTTP_SSL=true
export CONSUL_HTTP_SSL_VERIFY=false

  7. Execute ACL bootstrap (only on one server in case of a cluster):

    ./consul acl bootstrap

    This results in an output like this:

    AccessorID:       770956ae-f0bf-db1d-0dc0-c802b9fdea3a
SecretID:         145d39a6-1366-7e3b-496e-fd2f2ea6ae23
Description:      Bootstrap Token (Global Management)
Local:            false
Create Time:      2022-01-18 14:33:38.1674571 +0100 CET
Policies:         00000000-0000-0000-0000-000000000001 - global-management

  8. Open the Consul user interface, change to the ACL tab and enter the SecretID from the bootstrap result (in the example above, 145d39a6-1366-7e3b-496e-fd2f2ea6ae23) (only on one server in case of a cluster):

    SecretID in Consul ACL

    Hint - access to Web interface

    Every administrator who wants to change the PLOSSYS 5 configuration has do this in his browser. Otherwise, he will no nonger be able to access the keys and values.

  9. Change to the Key/Value tab and specify the SecretID from the bootstrap result (in the example above, 145d39a6-1366-7e3b-496e-fd2f2ea6ae23) at the dc/home/env/service/any/tag/any/CONSUL_TOKEN key (only on one server in case of a cluster):

    SecretID in CONSUL_TOKEN

  10. Open the envconsul configuration file on the PLOSSYS 5 server (on every server in case of a cluster):

    /opt/seal/etc/envconsul.json

  11. Change the value of consul.token to the SecretID from the bootstrap result (in the example above, 145d39a6-1366-7e3b-496e-fd2f2ea6ae23) (on every server in case of a cluster):

    {
  "consul": {
    "address": "127.0.0.1:8500",
    "ssl": {
      "enabled": true,
      "verify": false
    },
    "token": "145d39a6-1366-7e3b-496e-fd2f2ea6ae23",
    "retry": {
      "attempts": 0
    }
  },
  "sanitize": true,
  "upcase": true,
  "vault": {
    "renew_token": false
  }
}

  12. To enable the services to make DNS requests create the dns-request-policy.hcl file in any directory with the following content (only on one server in case of a cluster):

    node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
query_prefix "" {
  policy = "read"
}

  13. Execute the following command to create the policy for DNS requests, using the SecretID from the bootstrap result as token (in the example above, 145d39a6-1366-7e3b-496e-fd2f2ea6ae23) (only on one server in case of a cluster):

    ./consul acl policy create -name "dns-requests" -rules @<arbitrary directory>/dns-request-policy.hcl -token 145d39a6-1366-7e3b-496e-fd2f2ea6ae23

    This results in an output like this:

    ID:           4e9cbd04-f18c-237b-6357-e5f6f405b74b
Name:         dns-requests
Description:
Datacenters:
Rules:
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
query_prefix "" {
  policy = "read"
}

  14. Execute the following command to create the token for DNS requests, using the SecretID from the bootstrap result as token (in the example above, 145d39a6-1366-7e3b-496e-fd2f2ea6ae23) (only on one server in case of a cluster):

    ./consul acl token create -description "Token for DNS Requests" -policy-name dns-requests -token 145d39a6-1366-7e3b-496e-fd2f2ea6ae23

    This results in an output like this:

    AccessorID:       31dee823-61b7-a8ca-fec1-9103ea601a15
SecretID:         9e3f8b90-1c48-1899-8fed-55c94dab6016
Description:      Token for DNS Requests
Local:            false
Create Time:      2022-01-31 14:08:31.5254338 +0100 CET
Policies:
   4e9cbd04-f18c-237b-6357-e5f6f405b74b - dns-requests

  15. Execute the following command to apply the created token. Provide the SecretID from the bootstrap result with the -token parameter (in the example above, 145d39a6-1366-7e3b-496e-fd2f2ea6ae23) and the SecretID from the newly created token as the string at the end (in the example above, 9e3f8b90-1c48-1899-8fed-55c94dab6016) (on every server in case of a cluster):

    ./consul acl set-agent-token -token 145d39a6-1366-7e3b-496e-fd2f2ea6ae23 default "9e3f8b90-1c48-1899-8fed-55c94dab6016"

    This results in an output like this:

    ACL token "default" set successfully

  16. Start PLOSSYS 5.

Back to top