For information about the Luminate Security platform, its basic architecture and how to get started with it, please read the Getting Started article.
The Luminate Connectors deployed in customers' datacenters open two types of secure HTTPS connections:
- Connections with the Luminate Security Cloud
- Connections with Internal Corporate Applications
Authentication for connectivity of type #1 is always carried out with certificates issued by Certificate Authorities that Luminate Connectors can recognize and validate. The only exception is authorized enterprise TLS-inspecting proxies deployed in the corporate data centers; please read this article for an explanation of the security risks such a configuration may introduce.
Authentication for connectivity of type #2, i.e., HTTPS connections to internal web servers deployed in the customers' datacenters, may require the Connector to validate certificates that are either self-signed or issued by a Certificate Authority that is not publicly trusted.
To overcome this, the self-signed certificates, or the root certificates of the enterprise CAs needed to validate the certificates they issue, must be added to the list of trusted certificates in every Luminate Connector container running in the relevant datacenters.
The procedure below requires access to the Linux host running one or more Luminate Connectors and assumes that the Connectors are deployed as Docker containers.
Step I - Create a Combined Certificates File
Collect all the self-signed certificates, or the root certificates of the enterprise Certificate Authorities used in the organization, and concatenate them into a single .crt file. The certificates can be in either DER or ASCII PEM format.
For the following steps of this guide we will assume that the combined certificates file is called combined.crt.
Step II - Connect to the Linux Host running the Luminate Connectors
Connect to the host running the Connectors. Depending on the container orchestrator in use, list the running connector containers; they can be identified by their image, luminate/connector.
Copy the combined.crt file created in the previous step to the host file system.
If your deployment has several hosts running Luminate Connectors, repeat this step and all the steps after it on each host.
Step III - Copy the Combined Certificates File into the Luminate Connector Containers
The easiest way to copy a file into a running container is the docker cp command:
docker cp combined.crt <container_name>:/usr/local/share/ca-certificates
Where <container_name> is the name or ID of a container retrieved in Step II. If more than one Luminate Connector is running on the host, this step and the following ones must be repeated for each of them.
Step IV - Refresh Certificates for the Connector Container OS
After copying the combined certificates file, the container's operating system must be told about the new certificates. There are several ways to trigger this; the one we recommend is running the dpkg-reconfigure ca-certificates command inside each container.
If the containers are managed directly by Docker, the easiest way to run a command inside a container is docker exec:
docker exec -it <container_name> <command>
Where <container_name> is the name or ID of a container retrieved in Step II, and <command> is either a shell (such as bash, from which dpkg-reconfigure ca-certificates can then be run) or the dpkg-reconfigure ca-certificates command itself.
Step V - Restart the Luminate Connector Containers
Depending on the orchestrator managing the Luminate Connector containers (Docker, AWS Elastic Container Service, Kubernetes, ...), issue the appropriate command to restart the containers.
For containers orchestrated by a Docker engine, use the following command:
docker restart <container_name>
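The following script is an added example, not Luminate's own tooling: it automates Steps II to V for every running luminate/connector container on one host, sanity-checks the bundle and lists the CAs being trusted before they are pushed into the containers. It assumes Docker CLI access on the host, a PEM-formatted combined.crt and a Debian-based connector image; DRY_RUN=1 prints the docker commands instead of running them.

```shell
#!/bin/sh
# Added example (not Luminate's code): apply combined.crt to all connector containers.
# Assumptions: Docker CLI on the host, PEM bundle, Debian-based connector image.
set -eu

IMAGE="luminate/connector"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 echoes the docker commands instead of running them

# Check the bundle before trusting it in every connector: it must be readable and
# contain balanced PEM blocks. Prints the number of certificates found.
validate_bundle() {
  f="$1"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
  [ "$begins" -gt 0 ] || { echo "no PEM certificates found in $f" >&2; return 1; }
  [ "$begins" -eq "$ends" ] || { echo "unbalanced PEM blocks in $f" >&2; return 1; }
  echo "$begins"
}

# Show subject and expiry of each certificate so the operator can review what the
# connectors are about to trust. Informational only; skipped when openssl is absent.
list_bundle() {
  command -v openssl >/dev/null 2>&1 || return 0
  awk '/BEGIN CERTIFICATE/{c=""} {c=c $0 "\n"}
       /END CERTIFICATE/{cmd="openssl x509 -noout -subject -enddate"; printf "%s", c | cmd; close(cmd)}' "$1"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Steps III-V for one container (name or ID): copy, refresh the CA store, restart.
refresh_container() {
  id="$1"; bundle="$2"
  run docker cp "$bundle" "$id:/usr/local/share/ca-certificates/$(basename "$bundle")"
  run docker exec "$id" dpkg-reconfigure -f noninteractive ca-certificates
  run docker restart "$id"
}

# Step II: every running container created from the connector image.
connector_ids() { docker ps --filter "ancestor=$IMAGE" --format '{{.ID}}'; }

main() {
  bundle="${1:-combined.crt}"
  n=$(validate_bundle "$bundle")
  echo "trusting $n certificate(s) from $bundle:"; list_bundle "$bundle"
  ids=$(connector_ids)
  [ -n "$ids" ] || { echo "no running $IMAGE containers on this host" >&2; return 1; }
  for id in $ids; do refresh_container "$id" "$bundle"; done
}

if [ $# -gt 0 ]; then main "$1"; fi   # run only when a bundle path is given
```

Run it as `sh refresh-connectors.sh combined.crt` on each host; repeat per host as Step II requires.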