SSL Environment Variable Reference

The following table lists the environment variables that are required for SSL/TLS communications to work in your Docker environment.

To configure these values for all services, you set the environment variable in the idol-ssl.env file.

If required, you can also override the environment variables for an individual service by adding an environment section to that service's entry in the docker-compose.ssl.yml file. However, in most cases the default values are suitable and this approach is not required.

IMPORTANT: The idol-nifi container has its own environment variable, USE_SSL, to activate SSL, and it uses the ssl-volume bind mount to retrieve certificates. NiFi Ingest does not use the other environment variables listed here.

NiFi Ingest uses SSL only to communicate with your IDOL components, and does not use HTTPS to restrict access to the user interface.

| Variable | Description |
| --- | --- |
| IDOL_SSL | You must set this value to activate SSL. |
| IDOL_SSL_SUBJ_ALT_NAME | The second DNS Name entry in Subject Alternative Name in the certificate. This value is service-specific. |
| IDOL_SSL_CACERT | The directory path to the issuing certificate for the CA, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| IDOL_SSL_CAKEY | The directory path to the private key for the issuing certificate for the CA, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| IDOL_SSL_CAPASS | The password for IDOL_SSL_CAKEY. This value is specific to your CA setup. |

The following table describes optional environment variables, which you might need to change to match your Certificate Authority setup.

| Variable | Default | Description |
| --- | --- | --- |
| IDOL_SSL_CA_MOUNTDIR | /ssl | The directory where the bind mount for the SSL Certificate Authority is mounted on the container. This value is container-specific. |
| USER_SSL_CERTS_DIR | certs | The directory path where the containers can generate and find certificates, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| IDOL_SSL_COMMON_NAME | idol-${IDOL_COMPONENT} | The COMMON_NAME for the certificate. Docker populates the value of ${IDOL_COMPONENT} internally when it builds the component container. This value is also the first DNS Name entry in Subject Alternative Name, for example idol-content. |
| USER_SSL_CRL_DIR | crl | The directory path to use to store CRL information, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| USER_SSL_NEWCERTS_DIR | newcerts | The directory path to use to generate newcerts, relative to IDOL_SSL_CA_MOUNTDIR. This value is less important than USER_SSL_CERTS_DIR, and is specific to your CA setup. |
| USER_SSL_DATABASE_FILE | index.txt | The file name of the database of issued certificates for your Certificate Authority. This value is specific to your CA setup. |
| USER_SSL_SERIAL_FILE | serial | The file name of the serial file for your Certificate Authority. This value is specific to your CA setup. |
| USER_SSL_RANDFILE | private/.rand | The directory path to the randfile for your Certificate Authority, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| USER_SSL_CRLNUMBER_FILE | crlnumber | The file name of the CRLNumber file for your Certificate Authority. This value is specific to your CA setup. |
| USER_SSL_CRL_FILE | crl/intermediate.crl.pem | The directory path to the CRL file for your Certificate Authority, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| USER_ISSUING_CA_PKCS12 | intermediate.pkcs12 | The directory path to the PKCS 12 file of the issuing certificate and private key, relative to IDOL_SSL_CA_MOUNTDIR/USER_SSL_CERTS_DIR. This value is specific to your CA setup. |
| ROOT_CERTIFICATE | ca.cert.pem | The directory path to a copy of the root certificate PEM file, relative to IDOL_SSL_CA_MOUNTDIR/USER_SSL_CERTS_DIR. This value is specific to your CA setup. |
| CA_CHAIN_FILE | ca-chain.cert.pem | The directory path to a chain PEM file for the issuing and root certificates, relative to IDOL_SSL_CA_MOUNTDIR/USER_SSL_CERTS_DIR. |
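As an added example that is not part of the IDOL documentation or the product's own scripts, the following POSIX shell helper writes a constructed idol-ssl.env, checks that the required variables from the first table are present, and resolves the absolute in-container paths that the relative-path convention in both tables implies (IDOL_SSL_CA_MOUNTDIR, then an optional sub-directory such as USER_SSL_CERTS_DIR, then the variable's value). The certificate and key file names, and the placeholder password, are constructed for illustration; only the variable names and their defaults come from the tables above, and IDOL_SSL_SUBJ_ALT_NAME is left out of the shared file because it is service-specific.

```shell
#!/bin/sh
# Added example, not from the IDOL documentation: validate a shared
# idol-ssl.env and show where each piece of CA material must exist on the
# ssl-volume bind mount (IDOL_SSL_CA_MOUNTDIR, default /ssl).

# Write a constructed idol-ssl.env to the path given as $1.
# The file names and password below are placeholders for your own CA layout.
write_sample_env() {
  cat > "$1" <<'EOF'
IDOL_SSL=1
IDOL_SSL_CACERT=certs/intermediate.cert.pem
IDOL_SSL_CAKEY=private/intermediate.key.pem
IDOL_SSL_CAPASS=PLACEHOLDER_CHANGE_ME
EOF
}

# env_value FILE NAME DEFAULT: print NAME's value from FILE, or DEFAULT if
# the variable is absent or empty (the defaults are the ones in the table).
env_value() {
  v=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# resolve_path FILE NAME DEFAULT [SUBDIR]: the absolute path inside the
# container: mount directory, optional sub-directory (e.g. USER_SSL_CERTS_DIR
# for ROOT_CERTIFICATE and CA_CHAIN_FILE), then the variable's relative path.
resolve_path() {
  mount=$(env_value "$1" IDOL_SSL_CA_MOUNTDIR /ssl)
  rel=$(env_value "$1" "$2" "$3")
  if [ -n "$4" ]; then
    printf '%s/%s/%s\n' "$mount" "$4" "$rel"
  else
    printf '%s/%s\n' "$mount" "$rel"
  fi
}

# check_required FILE: report every required shared variable that is unset
# or empty; returns 1 if any is missing so it can gate a compose start-up.
check_required() {
  missing=0
  for name in IDOL_SSL IDOL_SSL_CACERT IDOL_SSL_CAKEY IDOL_SSL_CAPASS; do
    if ! grep -qE "^$name=." "$1"; then
      echo "missing required variable: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# Usage: write the sample file, validate it, and print the resolved paths.
main() {
  envfile=$(mktemp)
  write_sample_env "$envfile"
  check_required "$envfile" || exit 1
  certs=$(env_value "$envfile" USER_SSL_CERTS_DIR certs)
  echo "issuing cert : $(resolve_path "$envfile" IDOL_SSL_CACERT '')"
  echo "issuing key  : $(resolve_path "$envfile" IDOL_SSL_CAKEY '')"
  echo "root cert    : $(resolve_path "$envfile" ROOT_CERTIFICATE ca.cert.pem "$certs")"
  echo "CA chain     : $(resolve_path "$envfile" CA_CHAIN_FILE ca-chain.cert.pem "$certs")"
  echo "CRL file     : $(resolve_path "$envfile" USER_SSL_CRL_FILE crl/intermediate.crl.pem)"
  rm -f "$envfile"
}

main "$@"
```

Run the script before `docker compose up` and compare the printed paths against the contents of the host directory you bind to /ssl; a missing file at any of those locations is the usual reason a container fails to start in SSL mode. Because IDOL_SSL_CAPASS unlocks the CA private key, keep idol-ssl.env readable only by the account that runs Docker Compose.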