Security

Configuring Security in Lifecycle Manager

The recommended installation of Lifecycle Manager is with security enabled. This will give the following benefits:

Disabling Security

The easiest way to disable security during installation is by including the No Security flavour.

No Security Flavour

Directory: no-security. This flavour disables TNC-O security and is intended for development/testing purposes only. To be more precise, this flavour disables:

This flavour may be used in combination with other flavours included in the TNC-O package.

Installation

To install TNC-O with this flavour, ensure the following values file from the lm-helm-charts package is provided during the Helm install process, which is described later in this guide: `./flavours/no-security/no-security-values.yaml`

Changing default passwords

It is recommended that all system passwords are changed from their default values during installation for added security. This can be achieved as follows:

OpenLDAP Administrator Password

In order to modify the default password for administering OpenLDAP, modify this Helm value in your custom values file.

global:
  ldap:
    managerPassword: lmadmin # modify this with your custom password

TNC-O API Administration User

In order to administer Client Credentials in TNC-O, the system is set up with a default Client Credential. This can be modified, or further credentials added, by declaring values in the custom Helm values file as follows (change only the clientId and clientSecret, leaving grantTypes and roles as shown below):

configurator: 
  security:
    lm:
      clientCredentials:
        - clientId: LmClient
          clientSecret: pass123
          grantTypes: client_credentials
          roles: SLMAdmin

Internal Clients

TNC-O installs with some clients configured to allow secure communication internally. These clients are mandatory, but their default passwords can be changed. Additionally, their respective token validity periods can also be configured (all values in seconds). Their meanings are as follows:

In order to modify the default passwords or timeouts, add these Helm values into your custom values file.

configurator: 
  security:
    lm:
      nimrod:
        clientSecret: pass123 # modify this with your custom password
        accessTokenValidity: 1200 # 20 minutes
        refreshTokenValidity: 30600 # 8.5 hours
      doki:
        clientSecret: pass123 # modify this with your custom password
        accessTokenValidity: 1200 # 20 minutes

Keystore Password

Some of the services within TNC-O host SSL certificates used for secure internal communications. To configure the password used for this certificate keystore, modify this value:

configurator: 
  security:
    lm:
      keyStorePassword: keypass  # modify this with your custom password

Vault Access Token

In order to look up application configuration, the services of TNC-O need to connect to Vault, and they use an access token to do so. To change it from the default value, generate a new UUID and set it in the following Helm value in your custom values file.

vaultInit:
  vaultToken:  # insert your new generated UUID

This access token is set up in Vault automatically during installation, and the services of TNC-O use it to authenticate with Vault. The same token can be used to log in to the Vault UI after installation in order to modify application configuration.

By default, Vault tokens will be created with a duration as specified in the values file for helm-foundation, i.e.

vault:  
  vault:
    config:      
      max_lease_ttl: 87600h  # maximum lifetime of a token: it may be renewed up to this limit, after which it is revoked
      default_lease_ttl: 87600h  # default lifetime of a token: it is revoked after this period unless renewed

See also Managing Vault Tokens
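As an added check (example code, not part of this guide or the TNC-O charts), the following Python audits a parsed custom values file against the defaults quoted in the sections above: it reports any secret still at its chart default or not overridden at all, a clientCredentials entry whose grantTypes or roles deviate from the documented values, and a vaultInit.vaultToken that is missing or not a UUID. It takes the dict that `yaml.safe_load()` returns for a values file; the sample input below is constructed inline so the check runs offline, and `audit_values`/`lookup` are names chosen for this example.

```python
import uuid

# Chart defaults quoted on this page, keyed by their Helm value path.
DEFAULT_SECRETS = {
    ("global", "ldap", "managerPassword"): "lmadmin",
    ("configurator", "security", "lm", "keyStorePassword"): "keypass",
    ("configurator", "security", "lm", "nimrod", "clientSecret"): "pass123",
    ("configurator", "security", "lm", "doki", "clientSecret"): "pass123",
}
DEFAULT_API_CLIENT = {"clientId": "LmClient", "clientSecret": "pass123"}


def lookup(values, path):
    """Walk a nested values dict; return None if any key on the path is absent."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_values(values):
    """Return a list of findings for a parsed values dict; an empty list means clean."""
    findings = []
    for path, default in DEFAULT_SECRETS.items():
        dotted, actual = ".".join(path), lookup(values, path)
        if actual is None:
            findings.append(f"{dotted}: not overridden, chart default applies")
        elif str(actual) == default:
            findings.append(f"{dotted}: still set to the chart default")
    creds = lookup(values, ("configurator", "security", "lm", "clientCredentials")) or []
    for cred in creds:
        if all(cred.get(k) == v for k, v in DEFAULT_API_CLIENT.items()):
            findings.append("clientCredentials: LmClient still uses the default clientSecret")
        if cred.get("grantTypes") != "client_credentials" or cred.get("roles") != "SLMAdmin":
            findings.append(f"clientCredentials[{cred.get('clientId')}]: grantTypes/roles differ from documented values")
    try:  # uuid.UUID raises ValueError for None (stringified) or any non-UUID text
        uuid.UUID(str(lookup(values, ("vaultInit", "vaultToken"))))
    except ValueError:
        findings.append("vaultInit.vaultToken: missing or not a UUID")
    return findings


# Constructed sample: a values file that still carries every default shown on this page.
UNCHANGED_VALUES = {
    "global": {"ldap": {"managerPassword": "lmadmin"}},
    "configurator": {"security": {"lm": {
        "clientCredentials": [{"clientId": "LmClient", "clientSecret": "pass123",
                               "grantTypes": "client_credentials", "roles": "SLMAdmin"}],
        "nimrod": {"clientSecret": "pass123", "accessTokenValidity": 1200},
        "doki": {"clientSecret": "pass123", "accessTokenValidity": 1200},
        "keyStorePassword": "keypass"}}},
    "vaultInit": {"vaultToken": None},
}
```

Running `audit_values(UNCHANGED_VALUES)` lists six findings; a file with every value overridden and a valid UUID token returns an empty list.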

Next Steps

Continue the configuration of Storage