TrustStore for HTTPS

Overview

Once DCT authentication is set up, DCT itself should be serving HTTPS with a trusted certificate and accepting authenticated requests. The next step is to register an engine with DCT so that DCT can fetch results from it. DCT connects to every engine over HTTPS, so some configuration may be needed before DCT can verify the engine's certificate and communicate with it successfully.

For virtual appliance deployments

If you are using the virtual appliance (OVA) deployment method, follow the server setup instructions outlined in TrustStore settings.

For Kubernetes and OpenShift deployments

If the CA certificate that signed the engine's HTTPS certificate is not one of the trusted root CA certificates shipped with the JDK (an internal corporate CA, for example), the custom CA certificate must be supplied to DCT. Without it, DCT cannot verify the engine's certificate, the TLS handshake fails, and registering the engine fails. The insecure_ssl engine registration parameter bypasses this certificate check; doing so removes the protection against an impersonated engine or an attacker on the path between DCT and the engine, so it should not be used unless those risks are understood and accepted.

Obtain the public certificate of the CA that signed the engine's HTTPS certificate, in PEM format (the CA certificate, not the engine's own certificate). You may need to engage your internal corporate IT or PKI team to obtain the correct certificate. Base64 encode the certificate as a single line with:

# -w 0 (no line wrapping) is a GNU coreutils option; on macOS/BSD use: base64 < mycertfile.pem | tr -d '\n'
cat mycertfile.pem | base64 -w 0

Copy the Base64 encoded value from the previous step into the values.yaml file, under the truststoreCertificates section. The section should look like this:

truststoreCertificates:
  <certificate_name>.crt: <single-line Base64-encoded certificate>

<certificate_name> can be any descriptive identifier; engine.crt is one example of a resulting key. Add one such entry per CA certificate that needs to be trusted.

Every certificate listed under truststoreCertificates is read and added to the TrustStore that DCT uses to verify the certificates presented by Delphix Engines over TLS.
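The steps above, as one worked example: a small POSIX shell helper that checks the file really is a PEM CA certificate, Base64-encodes it on a single line in a way that works with both GNU and macOS base64, and prints the truststoreCertificates fragment for values.yaml. This is an added example and not Delphix-supplied tooling; the function names and the NAME=FILE argument form are this example's own, while the YAML layout follows the page.

```shell
#!/bin/sh
# Build the truststoreCertificates section of values.yaml from PEM CA files.
# Added example for this page; not a Delphix tool. The YAML layout
# (truststoreCertificates: / <name>.crt: <base64>) follows the page; the
# function names and NAME=FILE argument format are this example's own.
#
# Usage: truststore_values_fragment NAME=ca.pem [NAME=other-ca.pem ...]
#   -> prints a values.yaml fragment with one "<NAME>.crt" entry per file

# Base64 on one line. `base64 -w 0` is GNU-only; stripping the newlines
# afterwards works with GNU and BSD/macOS base64 alike.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Refuse anything that is not a PEM certificate. When openssl is available,
# also require that it parses, and warn if it is not marked as a CA: the
# truststore needs the CA that signed the engine's certificate, not the
# engine's own leaf certificate, or the chain still will not validate.
check_pem_ca() {
    pem="$1"
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "error: $pem: no PEM CERTIFICATE block (DER input? convert with: openssl x509 -inform der -in FILE)" >&2
        return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
            echo "error: $pem: openssl cannot parse this certificate" >&2
            return 1
        fi
        if ! openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
            echo "warning: $pem: basicConstraints does not say CA:TRUE; is this the signing CA?" >&2
        fi
    fi
}

# Validate every argument first, then emit the fragment, so a bad file never
# produces a half-written section.
truststore_values_fragment() {
    [ "$#" -ge 1 ] || { echo "usage: truststore_values_fragment NAME=FILE ..." >&2; return 2; }
    for spec in "$@"; do
        name=${spec%%=*}
        pem=${spec#*=}
        [ -n "$name" ] && [ "$name" != "$spec" ] && [ -r "$pem" ] || {
            echo "error: bad argument '$spec' (want NAME=readable-file)" >&2
            return 2
        }
        check_pem_ca "$pem" || return 1
    done
    echo "truststoreCertificates:"
    for spec in "$@"; do
        name=${spec%%=*}
        pem=${spec#*=}
        printf '  %s.crt: %s\n' "$name" "$(b64_oneline "$pem")"
    done
}

# Example (hypothetical path):
#   truststore_values_fragment engine=/path/to/corp-root-ca.pem > truststore-values.yaml
```

The fragment can be merged into your values.yaml or passed to Helm as an extra values file. Keeping the CA check in place is the practical safeguard against the most common mistake here, which is pasting the engine's leaf certificate instead of the CA that signed it.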