Administrating¶
Under normal circumstances, the Administrator does not need to do anything once the system is set up. Things that the Administrator have to do includes
creating additional entities in Vault such as QKD device controller.
Adding additional trusted CA chains of client in
traefik
Adding additional QKD device controller in Vault¶
To be documented..
Traefik TLS configuration¶
This authentication can be performed with different granularity levels:
Installation of root CA certificate (not recommended)
Installation of intermediate CA certificate chain - appropriate for bulk authentication of SAEs that belong to the same organization
Installation of client certificate chain - only the single client certificate is authenticated
Warning
This method unconditionally authenticates all SAEs that belong to the installed certificate chain, which can introduce a potential security risk. Additional measures such as X.509 extended attributes may be utilized to distinguish clients.
The configuration file can be found under tls.yml
# Traefik dynamic configuration file
# Specifically for TLS settings
.
.
.
.
clientAuth:
caFiles:
# Allow clients from both KME CA chains
- /certificates/{{ env "LOCAL_KME_ID" }}/rest/rest.ca-chain.cert.pem
- /certificates/{{ env "REMOTE_KME_ID" }}/rest/rest.ca-chain.cert.pem
# Allow only local SAE client CA chain
- /certificates/{{ env "LOCAL_KME_ID" }}/{{ env "LOCAL_SAE_ID" }}/{{ env "LOCAL_SAE_ID" }}.ca-chain.cert.pem
# Add additional trusted CA Chains
# - /certificates/other-trusted-root-ca.cert.pem
# - /certificates/other-trusted-int-ca.cert.pem
# - /certificates/trusted-client-ca.cert.pem
clientAuthType: RequireAndVerifyClientCert
.
.
.
This is a dynamic configuration file meaning that Traefik will automatically update the TLS configurations without having to be brought down and up again.