Merge pull request #105 from opensearch-project/security-updates

Added required openid lines to TLS configuration yaml files
This commit is contained in:
Keith Chan 2021-07-16 16:10:37 -07:00 committed by GitHub
commit 25421e60e0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 23 deletions


@ -77,9 +77,9 @@ jwks_uri: "https://keycloak.example.com:8080/auth/realms/master/protocol/openid-
``` ```
``` ```
{ {
keys:[ keys:[
{ {
kid:"V-diposfUJIk5jDBFi_QRouiVinG5PowskcSWy5EuCo", kid:"V-diposfUJIk5jDBFi_QRouiVinG5PowskcSWy5EuCo",
kty:"RSA", kty:"RSA",
alg:"RS256", alg:"RS256",
@ -148,8 +148,9 @@ Use the following parameters to enable TLS for connecting to your IdP:
```yml ```yml
config: config:
enable_ssl: <true|false> openid_connect_idp:
verify_hostnames: <true|false> enable_ssl: <true|false>
verify_hostnames: <true|false>
``` ```
Name | Description Name | Description
@ -164,16 +165,20 @@ To validate the TLS certificate of your IdP, configure either the path to the Id
```yml ```yml
config: config:
pemtrustedcas_filepath: /path/to/trusted_cas.pem openid_connect_idp:
enable_ssl: true
pemtrustedcas_filepath: /full/path/to/trusted_cas.pem
``` ```
```yml ```yml
config: config:
pemtrustedcas_content: |- openid_connect_idp:
MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjzETMBEGCgmSJomT8ixk enable_ssl: true
ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w pemtrustedcas_content: |-
bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh MIID/jCCAuagAwIBAgIBATANBgkqhkiG9w0BAQUFADCBjzETMBEGCgmSJomT8ixk
... ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w
bGUgQ29tIEluYy4xITAfBgNVBAsMGEV4YW1wbGUgQ29tIEluYy4gUm9vdCBDQTEh
...
``` ```
@ -189,23 +194,27 @@ To use TLS client authentication, configure the PEM certificate and private key
```yml ```yml
config: config:
pemkey_filepath: /path/to/private.key.pem openid_connect_idp:
pemkey_password: private_key_password enable_ssl: true
pemcert_filepath: /path/to/certificate.pem pemkey_filepath: /full/path/to/private.key.pem
pemkey_password: private_key_password
pemcert_filepath: /full/path/to/certificate.pem
``` ```
```yml ```yml
config: config:
pemkey_content: |- openid_connect_idp:
MIID2jCCAsKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBlTETMBEGCgmSJomT8ixk enable_ssl: true
ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w pemkey_content: |-
bGUgQ29tIEluYy4xJDAiBgNVBAsMG0V4YW1wbGUgQ29tIEluYy4gU2lnbmluZyBD MIID2jCCAsKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBlTETMBEGCgmSJomT8ixk
ARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1wbGUxGTAXBgNVBAoMEEV4YW1w
bGUgQ29tIEluYy4xJDAiBgNVBAsMG0V4YW1wbGUgQ29tIEluYy4gU2lnbmluZyBD
... ...
pemkey_password: private_key_password pemkey_password: private_key_password
pemcert_content: |- pemcert_content: |-
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCHRZwzwGlP2FvL MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCHRZwzwGlP2FvL
oEzNeDu2XnOF+ram7rWPT6fxI+JJr3SDz1mSzixTeHq82P5A7RLdMULfQFMfQPfr oEzNeDu2XnOF+ram7rWPT6fxI+JJr3SDz1mSzixTeHq82P5A7RLdMULfQFMfQPfr
WXgB4qfisuDSt+CPocZRfUqqhGlMG2l8LgJMr58tn0AHvauvNTeiGlyXy0ShxHbD WXgB4qfisuDSt+CPocZRfUqqhGlMG2l8LgJMr58tn0AHvauvNTeiGlyXy0ShxHbD
... ...
``` ```