TLS Configuration
The following topics describe how to modify the EMS server template and the Docker image build script so that EMS clients can connect to the server through TLS (formerly SSL).
Whether an EMS listen port is configured for TCP or TLS makes no difference in terms of exposing it through a service. However, you need to decide how to provision the corresponding certificate files.
While these could be placed in the NFS shared folder or embedded in the EMS Docker image, the standard practice in the OpenShift world consists of using secret objects. These are meant to decouple sensitive information from the pods and can be mounted into containers as volumes populated with files to be accessed by programs.
In this example, the EMS server will be authenticated by EMS clients. This involves providing the server with its certificate, private key and the corresponding password, which we will store inside a secret. We will mount that secret into the container, point the EMS server configuration to the certificate and private key files and pass the corresponding password to the server through its -ssl_password command-line option.
Based on the sample certificates that ship with EMS, the files will eventually be made available inside the container as follows:
/etc/secret/server.cert.pem /etc/secret/server.key.pem /etc/secret/ssl_password