john_boritz
Cadet
Cadet
  • 233 Views

Securing an Application

Is there a way in Openshift Container Platform version 4.5 to take an existing application running over an insecure route and convert it to run on a secure passthrough route? I can get it to work with an edge route with a self signed CA key. However, when running a curl against the passthrough route I get an SSL connection error.

Thanks.

Labels (1)
0 Kudos
5 Replies
flozano
Moderator
Moderator
  • 198 Views

Re: Securing an Application

If the route is passthrough, by definition, the router only forwards packets to the destination. If you want true end-to-end encryption the application MUST support TLS itself.

Edge routes provide encryption between the client and the router, but not from router to the application, and re-encrypt provide encryption between client and router, and again between router and app, just using different TLS certificates so it is "end-to-end" but with the router seeing all your traffic.

So both passtrough and re-encrypt provide end-to-end ecryption. Passthough is the "most secure" (maybe "most private") if the application supports it because the router cannot inspect your traffic.

If you cannot touch the app and still require end-to-end encryption, the next best thing is using Service Mesh. It adds a side-car container to your pod that can things such as encrypting communication between client and side-car, or between router and side-car. Then the side-car talks, without encryption, to your application, but this happen inside the pod, with no packets sent over the network. So theoretically it is almost as good as passthrough routes.

0 Kudos
Reply
Loading...
john_boritz
Cadet
Cadet
  • 189 Views

Re: Securing an Application

Thanks Fiozano I appreciate this. In my orgainization we have some applications that have a secure and insecure version. However there are a few applications with only an insecure version. How can you tell if the application is an insecure version or a secure version that will allow TLS certificates?

0 Kudos
Reply
Loading...
flozano
Moderator
Moderator
  • 185 Views

Re: Securing an Application

You have to ask whoever developers the app, or its vendors. TLS support is not something you can configure in. It is coded as part of the application. And if the app have this feature as optional, each app has it's own way to enable it.

The best I can think of an "external" way to test it is trying an https connection and if it works, it has TLS enabled. If you don't want to accept an "untrusted" certificate from your web browser, just to check it it is self-signed (insecure) or signed by an internal CA, you can try curl or the openssl ssl_client.

https://serverfault.com/questions/661978/displaying-a-remote-ssl-certificate-details-using-cli-tools

 

0 Kudos
Reply
Loading...
john_boritz
Cadet
Cadet
  • 178 Views

Re: Securing an Application

Thalnks a lot. Appreciate your help.

0 Kudos
Reply
Loading...
  • 172 Views

Re: Securing an Application

 I appreciate this. In my orgainization we have some applications that have a secure and insecure version.

0 Kudos
Reply
Loading...
Join the discussion
You must log in to join this conversation.