HCL Connections Ideas Portal

Status Needs Review
Categories 14. Documentation
Created by Guest
Created on Mar 6, 2024

Securing all Component Pack traffic with TLS

Currently, there are 2 important unencrypted vectors in a Connections / Component Pack deployment.

a) Customizer traffic from NGINX to the Kubernetes nodes (30301/tcp) / Loadbalancer

b) All Component Pack traffic which is routed via IHS to the Kubernetes Loadbalancer

The connections for b) are sent through Ingress, which could be extended for encryption, but for the customizer (mw-proxy), I only see a running node web server which seems configured for unencrypted traffic.

The used ingress definition is already prepared for SSL (Service for 32443 is in place), just the ingress rules need adjustments.

The main issue is the ProxyPass from IHS because as far as I know, there is no way to use self-signed certificates (which are used in Ingress at the moment) for ProxyPass rules. Hostname validation seems hard-coded active in IHS.

Currently, clients connect to mw-proxy (customizer) using NodePort, and it is set to listen on 'http' only. The customizer service code would need to be updated to accept HTTPS requests. The other issue is appregistry-service, which is HTTP only as well.

The other services in Component Pack whose requests/responses are sent through Ingress are a mix of HTTP and HTTPS.

Other configuration, such as the exchange of SSL certificates between IHS, NGINX/HAProxy and the Kubernetes process, needs to be documented. This will allow us to enable HTTPS for the NodePort service (mw-proxy) using a self-signed certificate (for example).
