SSL Environment Variable Reference
The following table lists the environment variables that are required for SSL/TLS communications to work in your Docker environment.
To configure these values for all services, set the environment variable in the idol-ssl.env file.
If required, you can also modify the environment variables for an individual service by adding an environment section to that service's entry in the docker-compose.ssl.yml file. However, in most cases the default values are suitable and this approach is not required.
IMPORTANT: The idol-nifi container has its own environment variable, USE_SSL, to activate SSL, and it uses the ssl-volume bind mount to retrieve certificates. NiFi Ingest does not use the other environment variables listed here. NiFi Ingest uses SSL only to communicate with your IDOL components, and does not use HTTPS to restrict access to the user interface.
| Variable | Description |
|---|---|
| IDOL_SSL | You must set this value to activate SSL. |
| IDOL_SSL_SUBJ_ALT_NAME | The second DNS Name entry in the Subject Alternative Name extension of the certificate. This value is service-specific. |
| IDOL_SSL_CACERT | The path to the issuing certificate for the CA, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| IDOL_SSL_CAKEY | The path to the private key for the issuing certificate for the CA, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| IDOL_SSL_CAPASS | The password for IDOL_SSL_CAKEY. This value is specific to your CA setup. |
The following table describes optional environment variables, which you might need to change to match any differences in your Certificate Authority setup.
| Variable | Default | Description |
|---|---|---|
| IDOL_SSL_CA_MOUNTDIR | /ssl | The directory where the bind mount for the SSL Certificate Authority is mounted in the container. This value is container-specific. |
| USER_SSL_CERTS_DIR | certs | The directory where the containers can generate and find certificates, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| IDOL_SSL_COMMON_NAME | idol-${IDOL_COMPONENT} | The COMMON_NAME for the certificate. Docker populates the value of ${IDOL_COMPONENT} internally when it builds the component container. This value is also the first DNS Name entry in the Subject Alternative Name extension, for example idol-content. |
| USER_SSL_CRL_DIR | crl | The directory to use to store CRL information, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| USER_SSL_NEWCERTS_DIR | newcerts | The directory path to use to generate |
| USER_SSL_DATABASE_FILE | index.txt | The file name of the database of issued certificates for your Certificate Authority. This value is specific to your CA setup. |
| USER_SSL_SERIAL_FILE | serial | The file name of the serial file for your Certificate Authority. This value is specific to your CA setup. |
| USER_SSL_RANDFILE | private/.rand | The path to the randfile for your Certificate Authority, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| USER_SSL_CRLNUMBER_FILE | crlnumber | The file name of the CRLNumber file for your Certificate Authority. This value is specific to your CA setup. |
| USER_SSL_CRL_FILE | crl/intermediate.crl.pem | The path to the CRL file for your Certificate Authority, relative to IDOL_SSL_CA_MOUNTDIR. This value is specific to your CA setup. |
| USER_ISSUING_CA_PKCS12 | intermediate.pkcs12 | The path to the PKCS 12 file containing the issuing certificate and its private key, relative to IDOL_SSL_CA_MOUNTDIR/USER_SSL_CERTS_DIR. This value is specific to your CA setup. |
| ROOT_CERTIFICATE | ca.cert.pem | The path to a copy of the root certificate PEM file, relative to IDOL_SSL_CA_MOUNTDIR/USER_SSL_CERTS_DIR. This value is specific to your CA setup. |
| CA_CHAIN_FILE | ca-chain.cert.pem | The path to a chain PEM file containing the issuing and root certificates, relative to IDOL_SSL_CA_MOUNTDIR/USER_SSL_CERTS_DIR. |
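Because most of the values in both tables are paths relative to IDOL_SSL_CA_MOUNTDIR (or to IDOL_SSL_CA_MOUNTDIR/USER_SSL_CERTS_DIR), a mismatch between idol-ssl.env and the directory you bind-mount is the usual reason a container starts without a usable certificate chain. The following host-side preflight check is an added example, not part of the IDOL documentation or product: it resolves each documented path against the directory you intend to mount, using the defaults from the table above, and reports anything the containers would not find. The function names (resolve_ssl_path, check_one, check_ssl_layout) are this example's own; the mount directory argument is the host path that will be bound to IDOL_SSL_CA_MOUNTDIR, and the variables are read from the environment exactly as they would be set in idol-ssl.env.

```shell
#!/bin/sh
# Added example, not part of the IDOL documentation: a host-side preflight
# check that resolves the SSL environment variables against the CA bind mount
# and reports files the containers will fail to find. Export the variables
# as they appear in idol-ssl.env, then call check_ssl_layout <host-mount-dir>.

# Join a base directory and a path that the reference describes as
# "relative to" it, tolerating a trailing or leading slash on either side.
resolve_ssl_path() {
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# check_one KIND LABEL PATH: KIND is f (regular file) or d (directory).
# Prints a MISSING line and returns 1 when PATH does not exist as KIND.
check_one() {
    if [ "$1" = d ]; then
        [ -d "$3" ] && return 0
    else
        [ -f "$3" ] && return 0
    fi
    echo "MISSING: $2 -> $3"
    return 1
}

# check_ssl_layout MOUNTDIR
# MOUNTDIR is the host directory that will be bound to IDOL_SSL_CA_MOUNTDIR
# (/ssl inside the container). Returns 0 when every referenced path exists,
# 1 otherwise. Unset required variables are reported as errors too.
check_ssl_layout() {
    mountdir="$1"
    certs="$(resolve_ssl_path "$mountdir" "${USER_SSL_CERTS_DIR:-certs}")"
    missing=0

    # Required variables have no default, so an unset value is itself a fault.
    if [ -z "${IDOL_SSL_CACERT:-}" ]; then
        echo "MISSING: IDOL_SSL_CACERT is not set"; missing=1
    else
        check_one f IDOL_SSL_CACERT "$(resolve_ssl_path "$mountdir" "$IDOL_SSL_CACERT")" || missing=1
    fi
    if [ -z "${IDOL_SSL_CAKEY:-}" ]; then
        echo "MISSING: IDOL_SSL_CAKEY is not set"; missing=1
    else
        check_one f IDOL_SSL_CAKEY "$(resolve_ssl_path "$mountdir" "$IDOL_SSL_CAKEY")" || missing=1
    fi

    # Optional values relative to IDOL_SSL_CA_MOUNTDIR, with the documented defaults.
    check_one d USER_SSL_CERTS_DIR "$certs" || missing=1
    check_one d USER_SSL_CRL_DIR "$(resolve_ssl_path "$mountdir" "${USER_SSL_CRL_DIR:-crl}")" || missing=1
    check_one d USER_SSL_NEWCERTS_DIR "$(resolve_ssl_path "$mountdir" "${USER_SSL_NEWCERTS_DIR:-newcerts}")" || missing=1
    check_one f USER_SSL_CRL_FILE "$(resolve_ssl_path "$mountdir" "${USER_SSL_CRL_FILE:-crl/intermediate.crl.pem}")" || missing=1

    # Optional values relative to IDOL_SSL_CA_MOUNTDIR/USER_SSL_CERTS_DIR.
    check_one f USER_ISSUING_CA_PKCS12 "$(resolve_ssl_path "$certs" "${USER_ISSUING_CA_PKCS12:-intermediate.pkcs12}")" || missing=1
    check_one f ROOT_CERTIFICATE "$(resolve_ssl_path "$certs" "${ROOT_CERTIFICATE:-ca.cert.pem}")" || missing=1
    check_one f CA_CHAIN_FILE "$(resolve_ssl_path "$certs" "${CA_CHAIN_FILE:-ca-chain.cert.pem}")" || missing=1

    return "$missing"
}
```

Source the file and run, for example, `set -a; . ./idol-ssl.env; set +a; check_ssl_layout /srv/idol/ssl` before `docker compose up`; a non-zero return with one MISSING line per path tells you which variable and which location disagree. Files such as USER_SSL_DATABASE_FILE, USER_SSL_SERIAL_FILE and USER_SSL_RANDFILE are left out because the CA tooling can create them on first use, so their absence is not necessarily a fault.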