Managing certificates with Vault

By default, the HCL Commerce Docker containers support the use of Vault as the certificate management system.

For more information about Vault, see Vault.

Internal certificates

For the internal certification between the HCL Commerce Docker containers, you must ensure that the Common Name (CN) in your certificate and "SubjectAlternativeName" can match the host name that the Docker containers will use. Also, when other source containers connect to a target container, the source container must use the target container's host name. There is strict verification logic in place to check whether the host name that is used in a request is the same as the SubjectAlternativeName in the certificate on the target container. If the host names do not match, then the connection fails.

Here are the SubjectAlternativeNames in the default internal certification that is included in the HCL Commerce Docker containers:
SubjectAlternativeName [
[DNSName: app, DNSName: db, DNSName: search, DNSName: store, DNSName: xc]
]
If you do not use the default host names then you need to reconfigure the connections between containers. To learn how to create your own certificates, see Managing certificates manually. Otherwise you can use Vault as the certificate authority (CA).

Configuring Vault to act as the certificate authority (CA)

You can configure Vault as a CA with a PKI backend. If you want use this method, you need to hard code the PKI backend name as 'selfserve_production_pki' and PKI role as 'generate-cert'. Assuming that you have Vault installed, unsealed, and an environment that has a Vault client that can connect to the Vault server with the correct address and token, you can complete the following steps to set up Vault as a CA.
  1. Create a PKI type backend.
    vault mount -path=selfserve_production_pki -description="SelfServe Root CA" -max-lease-ttl=87600h pki
  2. Enable Vault PKI feature to act as the CA organization to issue certificates.
    1. Run the command to create a Root CA Certificate.
      vault write selfserve_production_pki/root/generate/internal  common_name="selfserve_production_pki Root CA"  ttl=87600h  key_bits=4096  exclude_cn_from_sans=true
    2. Run the following command to create a role that will be used to issue certification for each Docker container.
      vault write selfserve_production_pki/roles/generate-cert key_bits=2048 max_ttl=8760h allow_any_name=true
      The command completes with a Success! Data written to: selfserve_production_pki/roles/generate-cert message.
  3. Verify whether you can get certification from PKI.
    curl -sS -X POST -H "X-Vault-Token:<Vault_token>" -d "{\"common_name\":\"<common_name>\", \"ttl\":\"1344h\"}" http://<Vault_IP>:8200/v1/selfserve_production_pki/issue/generate-cert
    You should receive a response similar to the following output.
    Key Value
    --- -----
    lease_id cuddletech_ops/issue/web_server/e03318f2-d005-8196-4ed5-a42f9cd55238
    lease_duration 2591999
    lease_renewable false
    certificate -----BEGIN CERTIFICATE-----
    MIIE7jCCAtagAwIBAgIUN+vXFuIf42v1SW+mDROUVAm+lUMwDQYJKoZIhvcNAQEL
    BQAwKTEnMCUGA1UEAxMeQ3VkZGxldGVjaCBPcHMgSW50ZXJtZWRpYXRlIENBMB4X
    DTE2MDcwOTA5MzE1N1oXDTE2MDgwODA5MzIyN1owIjEgMB4GA1UEAwwXc3NsX3Rl
    ...
    issuing_ca -----BEGIN CERTIFICATE-----
    MIIF5DCCA8ygAwIBAgIUdhJTQb4YmCyhUUr48L20o0R+dFkwDQYJKoZIhvcNAQEL
    ...
    private_key -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEApBabDpPZIloRQUpro3tQEls0FEFvsvfraQzQJLD2dicSPZ2s
    CqYyT8OXMclrapG7KKTYp79AaTW8LgNg3WvCzoMGDfhLL9m0QomzrMDzoW8Q7iQO
    1MV4f6JXjGMbOMMXatKQlO32fLZln8m+/yJ3pOW0S6uatFzZ/N3+ed+gDuUc7eAO
    ...
    private_key_type rsa
    serial_number 37:eb:d7:16:e2:1f:e3:6b:f5:49:6f:a6:0d:13:94:54:09:be:95:43
    '''

Starting a container with VAULT_CA=true

After you configured Vault as the CA, you can start the container with the VAULT_CA=true parameter. Use this method in a Docker orchestration platform such as Kubernetes. When VAULT_CA=true, the scripts follow the <TENANT><ENVIRONMENT><ENVTYPE><container_name>.<DOMAIN_NAME> pattern to apply certifications. With this mode, the host name is fixed. If you do not provide a DOMAIN_NAME, the default is default.svc.cluster.local.
HCL Commerce Version 9.0.0.2 or later

Starting a container with VAULT_CA=true and CONTAINER_HOSTNAME=<customHostName>

Starting with HCL Commerce Version 9.0.0.2, you can start the container with VAULT_CA=true and CONTAINER_HOSTNAME=<customHostName>. Use this method on your own custom environment where you do not have <TENANT><ENVIRONMENT><ENVTYPE>. When CONTAINER_HOSTNAME is passed, the start up logic /SETUP/bin/updateCerts.sh applies the internal certification based on the host name that you provide. For example, to start the Store server Docker container with host name mycustomstore
docker run -d -e LICENSE=accept  \
    -e SPIUSER_NAME=spiuser \
    -e SPIUSER_PWD=<Your spiuser password that you encrypted with wcs_encrypt.sh>
    -e VAULT_TOKEN=<vault_token > \
    -e VAULT_URL=<vault_url. For example, http://IP:Port/v1> \
    -e VAULT_CA=true \  
    -e CONTAINER_HOSTNAME=mycustomstore    
    <Store_Docker_Image>

External Certificates

For secure SSL communication between HCL Commerce and an external system, ensure that you are importing the proper certificates into your key store and trust store. Also ensure that your customization code references the correct certificate name for that communication. You can put your third party certificates in Vault to enable the updateCerts.sh configuration script to import any certificates into your key store automatically.

To include external certificates:

  1. Create a certificate bundle (certBundle) for your external certificate.
    Note: If the purpose of a certificate bundle that you are creating is to trust a certificate assigned for an external system, then only the issusing_ca must be specified. In this case the certificate and private_key values can be empty, or left out of the certBundle definition entirely.
    A certBundle is a JSON object containing a certificate, its private key, and the certificate authority (CA) certificate or certificate chain. An example of a certBundle is as follows.
    { 
     "certificate": "certificate", 
     "private_key": "private_key", 
     "issuing_ca": "<ca_certificates" 
    } 
    The contents of the certificate bundle are as follows.
    • The certificate value holds the certificate, in base64 PEM format, that should be assigned to the specified HCL Commerce application server:
      • The value of this certificate should be wrapped within -----BEGIN CERTIFICATE-----\n and -----END CERTIFICATE----- lines of text.
      • The value of the certificate should only be one line of text, and be concluded by an \n, to denote the end of line.
      • An example of the certificate value is as follows.
        -----BEGIN CERTIFICATE-----\nMIIETDCCAjSgAwIBAgIUTrvpjzgpyt6L9AWj2E0W4ps2woswDQYJKoZIhvcNAQEL\nBQAwKzEpMCcGA1UEAwwgc2VsZnNlcnZlX3Byb2R1Y3Rpb25fcGtpIFJvb3QgQ0Ew\nHhcNMTcwOTI2MDQ1NzM3WhcNMTcxMTIxMDQ1ODA3WjAPMQ0wCwYDVQQDEwR0ZXN0\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtuWgQ5P9KjpgplOyejAE\nj5pDgSmQ6mZkbqY6gnIIKlw1I4Vulaigmeiir37NcAHtLA9HrpqafKoQqt3RPIFq\nMq2qb728JUNqdkmgp1QRnXdRVqrvGxT3o6XLMmxpkniwL+f3A/qFzuBgDJVltKLn\n1e0O3conPiiGtqaZ70+1lccKkKviLoin13T+27gFFws6dT74znCxT8c/ikXGMja1\nTDEddd+qkXlo4At104Fo7Uhx95JWorSljSTaCQkEeOjX+8SJHkARSrKeGEvkBESp\nXD23oUY9MlxGQnldioLAI5Eu8fRo3PKQUhuFnuoxTr0pO7R60AEe8E0sVU/cE3Ut\nswIDAQABo4GDMIGAMA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcD\nAQYIKwYBBQUHAwIwHQYDVR0OBBYEFLfcxphP+aSe61Mdi8IDP7bBvGXdMB8GA1Ud\nIwQYMBaAFA2X7xP+NiXXNXhJy3UQqocENxRTMA8GA1UdEQQIMAaCBHRlc3QwDQYJ\nKoZIhvcNAQELBQADggIBAH3oLFPSSgubbwhXycm+oTMnEZyUwKfwAjkc2mykDZ/p\nPPrHZKCfMuWNf8mp7mK0K8O2JjBKbUlUUJZgd/8/9d0vLqU7Hf97Xk/8d0Rxwqgd\n2OmdujQpj49NFoAC+jAcGFXASwvGAzWg4ylTi+zvpUbVpLk0hOpYnJFvxEcXj0ab\nul9Mq0hrjarmkPAoDhmWjUQG8EKiJEelIv5r4OuNIDl+N5B3BNU+g8nz4GWJKIbP\n6dEb98GJh0tFqOHoxewVmrCmMnsGfJYJDqLg+CwXHSNS8xYQnuFzcJXQ4j7Kge5P\nCeMB6fizgTiUXFexjbTv6RUk1DfOywtRu7Wus9joTpDILb/WlIUlGvRj2j395BvK\naq5nLcgSpmO46776uobh6MN6se1kmpJ20sjUZWEtJsKODSAv7LA9jsMWhh1SGEWf\nUuQ1hUKHZ2073hgc0InmYGGyTJAnI3mYIbL+ddprK1CpORAH2cruqn9I192sCWNw\npZIxuMCiRUrFWitKEkFwPfmDbVhPQ/ZvxMcdAHXJ+ZQ9RxcanmcBGnlvCjidOBZa\naLN2/Y99M26z+XcYG9rN0fx5Htf4UDENQ8kp8TITmyHdwvqVox/UXcPWzV3MD7+I\nn0UdA2lqnM2Rv+kg2MGm0u9Y/noZz4IS4YTlfxMbGF212ROcCC9/oQYy321NqBns\n-----END CERTIFICATE-----
    • The private_key value holds the private key matching the certificate, and it is required to install the certificate for the HCL Commerce application server:
      • The value of this certificate should be wrapped within -----BEGIN RSA PRIVATE KEY-----\n and -----END RSA PRIVATE KEY----- lines of text.
      • The value of the certificate should only be one line of text, and be concluded by an \n, to denote the end of line.
      • An example of the certificate value is as follows.
        -----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEAtuWgQ5P9KjpgplOyejAEj5pDgSmQ6mZkbqY6gnIIKlw1I4Vu\nlaigmeiir37NcAHtLA9HrpqafKoQqt3RPIFqMq2qb728JUNqdkmgp1QRnXdRVqrv\nGxT3o6XLMmxpkniwL+f3A/qFzuBgDJVltKLn1e0O3conPiiGtqaZ70+1lccKkKvi\nLoin13T+27gFFws6dT74znCxT8c/ikXGMja1TDEddd+qkXlo4At104Fo7Uhx95JW\norSljSTaCQkEeOjX+8SJHkARSrKeGEvkBESpXD23oUY9MlxGQnldioLAI5Eu8fRo\n3PKQUhuFnuoxTr0pO7R60AEe8E0sVU/cE3UtswIDAQABAoIBAB3kQ6An1K2NIvSs\nIzRTGru5k6TNfVDB8VIgOtnM90atEUY/7YXqLG1bFxOlnr/aoL+ds7J2tB8B0H2M\niUDhSdEEjyF6GgDhFspEWExgsgxRTuriPvfnIl4Nn7sa+tokfW8m8zkkPbBE/Y2w\n8RFnuoo9FzvqaSWAjBvX+LqjBWN4AGHxPcBcZs/H4U7RvdO0etX2Zbpjs62K/KO3\ni3e4MXgGZtj0Vx2LYD/AYSbqEoo1v8/U1AbGmsCTTNc2EwARhyb1zUgO7yc9yft6\nUoAC6pZjxOFsJtwz26jpNdqXz9t1xml3XnNusqHe+hgStQlIL2mgU8qj18q5pqpu\nkehM9LECgYEAxiU9WA7kQTp8hGKTRqrRbcGBsLTGxsYeILFQggtJBOZ5ngOH35Nd\nUIzQ1EjKODFEzGH9qPBBfE6BNdl3naHuYgIS3Uz8FCAwsOZAW6X8tC7VU/ZrwKUA\nF3Rc2iek+J1bdaz5o3hnR2eY/6kVuNHznxqIzK+JuZ7Dq/wEMlAL4gkCgYEA7Eyb\n4uyQFMXfPLiZPn7opNlgmi4i5lNLbPAjJq0dagdP8HbhLBqQThMcyAnu9rJmNm6t\n2Wu8kkKIpcZiGOVzFQvoTWOm6KGU/nIFFH1p6AAz/hvhATFA8HpLe9B7la9T6c5R\nabbtFbUNrHyoieMsIxkrjPo1zVIThLJeIVdoUNsCgYEAwuhKyV4MpSU06rxUhsTs\nsXwRaJLKnSiw5hPFT8ZuE0XrB8YNV52LwvphSRA46sF8HVeevxlmMTK/4wqBoSty\nZDIKAGoD5IAtpTU4xW4nf845xhe1spAb4PZzh5xLqMqQ9tYp0eVUImcDlyjp1x2e\n+TiOrFlXrqE/dOO39Q3MQpECgYEA5plMd4OMh/kiBcvQIOEQf+9zCoODo2od7U3b\nv96pGdPQ+0XIMJYrxUV5jO3EuhMXFH+mQMuW1tT/LWgQS2N/j0ZziTJ6rAMjt7vl\noT1SoQmxs4XZaqR6TzPJfibStBzJsx2Y7aWKcOijU3TDtOxxIj9p9MYowxoZ2iGH\nItp9/okCgYEAh6lbVbf77NArp1FsocQoeZ2ZL1hsOXpmRwpNmePPA6DfjqJyttpH\ngSh8Z0daqMvojStilhwIkEURy9ITuPYoKt2blWQY8RY//H1zFnwKg2AJR5PvlWcT\n0JBxt4cHMYy6jW2Q8/ZTVuttPd+UVIDehTFN6oyWF6FBgKxLO5bSjzc=\n-----END RSA PRIVATE KEY-----
    • The issuing_ca value holds the certificate authority (CA) certificate, or certificate authority certificate chain, that are used to validate the certificate. For example, if the certificate is signed by an intermediate CA certificate, both the intermediate CA certificate and its root CA certificate should be included within the issuing_ca value.
      • The value of this certificate should be wrapped within -----BEGIN CERTIFICATE-----\n and -----END CERTIFICATE----- lines of text.
      • The value of the certificate should only be one line of text, and be concluded by an \n, to denote the end of line.
      • An example of the issuing_ca value is as follows.
        -----BEGIN CERTIFICATE-----\nMIIFJjCCAw6gAwIBAgIUDUnfHPvwqpztM2lJh40lVUmTjV8wDQYJKoZIhvcNAQEL\nBQAwKzEpMCcGA1UEAwwgc2VsZnNlcnZlX3Byb2R1Y3Rpb25fcGtpIFJvb3QgQ0Ew\nHhcNMTcwODI1MDUwNTEzWhcNMjcwODIzMDUwNTQzWjArMSkwJwYDVQQDDCBzZWxm\nc2VydmVfcHJvZHVjdGlvbl9wa2kgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD\nggIPADCCAgoCggIBAM5LpBH9Qyg5VjTkdMj61gt72CVIrqE5s9iD+Bpb2hlLnWdb\n52FtcgCxIRca8kJhCYK53dNVmCP8d7LSzogxdIHyzEe5f405ukJVZIbYEYcA4BLK\n3UU322bYJkTTToABwV+XhlHjLhaze9GLo4snCklxAzafWvqR1C0faB2dPtq5WyQi\n/2uCvGHcpqe/ozNvZON6eYkjQpCwHftR0TwVVb435hvJb6FeeV95MgVq/C0pZFG4\nGLgJNj4GK4BtG2wsIDVMMcaoFrSKfKDqyE+4ekvzYP4nDzbYK5XsgH7/7XB9tL7w\nwMVj0J1mR3TbxVTBZyk509F0oXqBcNb6vvybJevhDlkXMQPgxyOmogm6GUQ3beMX\nsRpN5uotnbWaF0MQbgo8YrgQX3BGrLmKRfk9rIMoBKabptDMRw5Df1ouu5D9Jb3b\n3nlelkRXR5qb0R68CM0S78KqVB32NQsLixQ58YUKmcvlQcaIF9cwC28+LYm4sRq/\nV0tCl68K19PmgZT+Qr0Apakw+vlQ8ojvT+/wTVtg+gphuG7Ovv00xRXa/dpoC3Ff\nOktxUmu3bh4YU/IVCT3+YbwB7vyOfKGTwSmVK+s5gt4MDM65zX58xa85psJI8mqP\nCwKGDleglrAIrHxxg2wKrIibiIriSnjJsKqCzpcm9+6V4zewwQFqdfr1R92rAgMB\nAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW\nBBQNl+8T/jYl1zV4Sct1EKqHBDcUUzANBgkqhkiG9w0BAQsFAAOCAgEAYo+vaKzi\nW2YTogGvuDvWnFzDtRa6zfB1UNqUTiacmr9ISqTDGJPOE7o7+5//31yS63/VuPAb\nsskfjtbywGUcjLEoa//vqDUA5VPQSr2MGpqZItt+QQ7eIQPQEt6IaqohmIxvgyDI\nvV35Ld06slZju9IZJdOx5GyRU49ZrhTciNeHBFJbPTzTWw7swjP1Kj13BJ9++YlU\ndHHnJecMgRPXbbFn8cThcIUwhaTEWFhlC7zc4YUpTm8nmHaCLmG8TM7tYLaymHqd\nypMBa3TrGr4+XIgwkWWb9h9+JnlBXc+aq2pJulErzN3raytzv+iTOwcI+YCufgee\nAf25Zzk9t75KIHjSdqu1U/QXiPSgJgr7o2yrtZbeLT+eMHuhCfbuWduipuRgTlUk\na8hvoiFDabCrlJABDYHNO8WMCIqX9qja0crqA1JbPXAEMiYwdtoU+p27CtNupGVE\nQENamacyYD5VhApTnxACwwakMep0jDYQUXUYTeLz6Aj3vVUJl54/3Uqbh6fxKamh\n8xDeb+HjhO5UKDkfAH0qe17qSGGVftMI3YMPCEqrvnnoVl8VHxpvdVjjJoHEEKoE\ne8mrX4Jp9O3xVcGFItMQQzvWc1A47ewqIy6x+bk+0W8fL6+rKd+8U7aRIvC7LFiw\nluvq3QIacuHULtox36A7HFmlYDQ1ozh+tLI=\n-----END CERTIFICATE-----
  2. Write the certBundle data to Vault.
    Important: Each certBundle must have a unique name. For example, cert1 and cert2.
    For example, the following curl command writes the contents of the certBundle, cert_bundle_json, to the cert1 definition under a specified tenant and environment.
    curl -sS -X POST -H "X-Vault-Token:<Vault_token>" -d "{\"value\":<cert_bundle_json>}" http://<Vault_IP>:8200/v1/<tenant>/<environment>/certs/cert1 
  3. Specify which certBundle certificates should be deployed to each HCL Commerce application server.

    This is done by updating the certsBundle definition on your specified tenant and environment, {tenant}/{environment}/certsBundle, with the following JSON object format.

    { 
        "tsapp": "cert1,cert2", 
        "crsapp": "cert1,cert2", 
        "searchapp": "cert1,cert2", 
        "xcapp": "cert1,cert2", 
        "storeapp": "cert1,cert2" 
    } 

    In this example, both certsBundle cert1 and cert2 are deployed to, and applied within, five HCL Commerce application servers.

  4. Deploy your HCL Commerce applications to apply the external certificates.

    Certificates will not be applied by the updateCerts.sh utility script without a deployment to trigger it.