Skip to content

Secure PLOSSYS Administrator


For security reasons, we strongly recommend configuring the TLS encryption. This is also one step to get rid off the annoying certificate warnings in the browser. We also recommend using a regenerated client secret different to the one contained in delivery.


Configure the TLS Encryption

  1. Get the TLS certificate in PEM format, see the Requirement. For securing the connection to PLOSSYS Administrator, the certificate has to contain the server name of PLOSSYS 5.

  2. Create a new directory for the external TLS certificates:

    mkdir C:\ProgramData\SEAL Systems\config\tls-external
    
  3. Save the private key and the public certificate in the newly created C:\ProgramData\SEAL Systems\config\tls.external directory.

    copy <your_key.pem> C:\ProgramData\SEAL Systems\config\tls-external\key.pem
    
    copy <your_cert.pem> C:\ProgramData\SEAL Systems\config\tls-external\cert.pem
    
  4. Set the following key to the path of the certificate files:

    • TLS_EXTERNAL_DIR: Directory for storing the files necessary for secure transfer with the PLOSSYS Administrator.

    Example - setting key via PLOSSYS CLI for all external services (recommended)

    plossys config set TLS_EXTERNAL_DIR "C:\ProgramData\SEAL Systems\config\tls-external" --service any --insecure
    

    Example - setting key via PLOSSYS CLI for PLOSSYS Administrator only

    plossys config set TLS_EXTERNAL_DIR "C:\ProgramData\SEAL Systems\config\tls-external" --service plossysadmin --insecure
    
  5. If the self-signed certificates are used with PLOSSYS Administrator, the following key has to be set to 0 for the seal-plossysadmin service:

    Example - setting key via PLOSSYS CLI

    plossys config set NODE_TLS_REJECT_UNAUTHORIZED 0 --service plossysadmin --insecure
    
  6. Restart the following service:

    • seal-plossysadmin
  7. Close PLOSSYS Administrator and open it again.


Configure the TLS Encryption in a Cluster

In a cluster, execute the steps above on one server. On every other server, execute the following steps:

  1. Create a new directory for the external TLS certificates:

    mkdir C:\ProgramData\SEAL Systems\config\tls-external
    
  2. Save the private key and the public certificate in the newly created C:\ProgramData\SEAL Systems\config\tls.external directory.

    copy <your_key.pem> C:\ProgramData\SEAL Systems\config\tls-external\key.pem
    
    copy <your_cert.pem> C:\ProgramData\SEAL Systems\config\tls-external\cert.pem
    
  3. Restart the following service:

    • seal-plossysadmin
  4. If needed, close PLOSSYS Administrator and open it again.


Regenerate the Client Secret in the OIDC Identity Provider

If the SEAL specific Keycloak is being used in a productive setting, execute the following steps:

  1. In the OIDC identity provider, regenerate the secret for the seal-plossysadmin client, refer to the SEAL Interfaces for OIDC documentation.

  2. In the configuration of the seal-plossysadmin service, specify the regenerated client secret with the following key:

    • AUTH_CLIENT_SECRET: Client secret generated in the OIDC identity provider for the seal-plossysadmin client

Next Step

Continue with: Secure the PLOSSYS 5 Services


Back to top