cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
john_boritz
Cadet
Cadet
‎04-15-2021 12:51 AM
  • 1,054 Views

Securing an Application

Is there a way in Openshift Container Platform version 4.5 to take an existing application running over an insecure route and convert it to run on a secure passthrough route? I can get it to work with an edge route with a self signed CA key. However, when running a curl against the passthrough route I get an SSL connection error.

Thanks.

Labels (1)
Labels
0 Kudos
Join the discussion
5 Replies
flozano
Moderator
Moderator
‎04-15-2021 03:36 PM
  • 1,019 Views

If the route is passthrough, by definition, the router only forwards packets to the destination. If you want true end-to-end encryption the application MUST support TLS itself.

Edge routes provide encryption between the client and the router, but not from router to the application, and re-encrypt provide encryption between client and router, and again between router and app, just using different TLS certificates so it is "end-to-end" but with the router seeing all your traffic.

So both passtrough and re-encrypt provide end-to-end ecryption. Passthough is the "most secure" (maybe "most private") if the application supports it because the router cannot inspect your traffic.

If you cannot touch the app and still require end-to-end encryption, the next best thing is using Service Mesh. It adds a side-car container to your pod that can things such as encrypting communication between client and side-car, or between router and side-car. Then the side-car talks, without encryption, to your application, but this happen inside the pod, with no packets sent over the network. So theoretically it is almost as good as passthrough routes.

0 Kudos
john_boritz
Cadet
Cadet
‎04-15-2021 08:05 PM
  • 1,010 Views

Thanks Fiozano I appreciate this. In my orgainization we have some applications that have a secure and insecure version. However there are a few applications with only an insecure version. How can you tell if the application is an insecure version or a secure version that will allow TLS certificates?

0 Kudos
flozano
Moderator
Moderator
‎04-15-2021 11:27 PM
  • 1,006 Views

You have to ask whoever developers the app, or its vendors. TLS support is not something you can configure in. It is coded as part of the application. And if the app have this feature as optional, each app has it's own way to enable it.

The best I can think of an "external" way to test it is trying an https connection and if it works, it has TLS enabled. If you don't want to accept an "untrusted" certificate from your web browser, just to check it it is self-signed (insecure) or signed by an internal CA, you can try curl or the openssl ssl_client.

https://serverfault.com/questions/661978/displaying-a-remote-ssl-certificate-details-using-cli-tools

 

0 Kudos
john_boritz
Cadet
Cadet
‎04-16-2021 02:23 AM
  • 999 Views

Thalnks a lot. Appreciate your help.

0 Kudos
evelinafranco
Cadet
Cadet
‎04-16-2021 01:10 PM
  • 993 Views

 I appreciate this. In my orgainization we have some applications that have a secure and insecure version.

0 Kudos
Join the discussion
You must log in to join this conversation.
Red Hat Learning Community

Red Hat

Learning Community

A collaborative learning environment, enabling open source skill development.

Red Hat Inc. Copyright ?2023 Red Hat, Inc. Privacy policy Terms of use