Enable NetScaler certificate validation in the NetScaler Ingress Controller
The NetScaler Ingress Controller provides an option to secure communication between the NetScaler Ingress Controller and NetScaler by using the HTTPS protocol, relying on certificates pre-loaded in the NetScaler. As an extra measure against a possible man-in-the-middle (MITM) attack, the NetScaler Ingress Controller can also validate the SSL server certificate presented by the NetScaler.
To enable certificate signature and common name validation of the ADC server certificate by the NetScaler Ingress Controller, security administrators can optionally install signed (or self-signed) certificates in the NetScaler and configure the NetScaler Ingress Controller with the corresponding CA certificate bundle. Once validation is enabled and the CA certificate bundle is configured, the NetScaler Ingress Controller starts validating the certificate (including certificate name validation). If the validation fails, the NetScaler Ingress Controller logs the failure and does not push any configuration over the insecure channel.
This validation is turned off by default; an administrator can choose to enable it in the NetScaler Ingress Controller as follows.
Prerequisites
- To enable certificate validation, you must configure the NetScaler with proper SSL server certificates (with the correct server name or IP address in the certificate subject). For more information, see the NetScaler documentation.
- The CA certificate for the installed server certificate-key pair is used to configure the NetScaler Ingress Controller so that it can validate these certificates.
Configure the NetScaler Ingress Controller for certificate validation
To make a CA certificate available for configuration, you need to configure the CA certificate as a Kubernetes secret so that the NetScaler Ingress Controller can access it on a mounted storage volume.
To generate a Kubernetes secret for an existing certificate, use the following kubectl command:
$ kubectl create secret generic ciccacert --from-file=path/myCA.pem --namespace default
secret "ciccacert" created
Alternatively, you can generate the Kubernetes secret using the following YAML definition:
apiVersion: v1
kind: Secret
metadata:
  name: ciccacert
data:
  myCA.pem: <base64 encoded cert>
The following is a sample YAML file with the NetScaler Ingress Controller configuration for enabling certificate validation.
apiVersion: v1
kind: Pod
metadata:
  name: cic
  labels:
    app: cic
spec:
  serviceAccountName: cpx
  # Make the secret available as a volume
  volumes:
    - name: certs
      secret:
        secretName: ciccacert
  containers:
    - name: cic
      image: "xxxx"
      imagePullPolicy: Always
      args: []
      # Mount the certificate volume at a path inside the container
      volumeMounts:
        - name: certs
          mountPath: <Path to mount the certificate>
          readOnly: true
      env:
        # Set the NetScaler management IP
        - name: "NS_IP"
          value: "xx.xx.xx.xx"
        # Set the port for Nitro
        - name: "NS_PORT"
          value: "xx"
        # Set the protocol for Nitro
        - name: "NS_PROTOCOL"
          # Enable HTTPS for secure communication
          value: "HTTPS"
        # Set the username for Nitro
        - name: "NS_USER"
          value: "nsroot"
        # Set the user password for Nitro
        - name: "NS_PASSWORD"
          value: "nsroot"
        # Certificate validation configuration
        - name: "NS_VALIDATE_CERT"
          value: "yes"
        - name: "NS_CACERT_PATH"
          value: "<Mounted volume path>/myCA.pem"
As specified in the example YAML file, the following are the specific changes required for enabling certificate validation in the NetScaler Ingress Controller.
Configure Kubernetes secret as a volume
- Configure a volume section declared with secret as the source. Here, secretName should match the name of the Kubernetes secret created for the CA certificate.
Configure a volume mount location for the CA certificate
- Configure a volumeMounts section with the same name as the volume declared in the volumes section (certs in the example).
- Declare a mountPath directory to mount the CA certificate.
- Set the volume mount as readOnly.
Configure secure communication
- Set the environment variable NS_PROTOCOL to HTTPS.
- Set the environment variable NS_PORT to the ADC HTTPS port.
Enable and configure CA validation and certificate path
- Set the environment variable NS_VALIDATE_CERT to yes (no to disable validation).
- Set the environment variable NS_CACERT_PATH to the mount path (volumeMounts->mountPath) followed by the PEM file name used while creating the secret.
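A pre-flight consistency check over the four settings listed above, as an added example that is not part of the NetScaler documentation: it takes the Pod manifest as a Python dict (json.load() of `kubectl get pod cic -o json` has the same shape) together with the key names of the CA Secret, and reports the mismatches that would either leave validation silently disabled or make the controller fail to find the CA file. The sample Pod, Secret keys and the mount path /etc/nsic/ca are constructed assumptions.

```python
import posixpath

# Constructed sample: the CA Secret's data keys and a Pod shaped like the manifest above.
SECRET_KEYS = {"myCA.pem"}
POD = {"spec": {
    "volumes": [{"name": "certs", "secret": {"secretName": "ciccacert"}}],
    "containers": [{
        "name": "cic",
        "volumeMounts": [{"name": "certs", "mountPath": "/etc/nsic/ca", "readOnly": True}],
        "env": [{"name": "NS_PROTOCOL", "value": "HTTPS"},
                {"name": "NS_VALIDATE_CERT", "value": "yes"},
                {"name": "NS_CACERT_PATH", "value": "/etc/nsic/ca/myCA.pem"}]}]}}


def check_cert_validation(pod: dict, secret_keys: set) -> list:
    """Return a list of findings about NSIC certificate validation; [] means consistent."""
    findings = []
    spec = pod.get("spec", {})
    # Names of volumes that are backed by a Kubernetes Secret
    secret_vols = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        env = {e["name"]: str(e.get("value", "")) for e in c.get("env", [])}
        if env.get("NS_VALIDATE_CERT", "no").lower() != "yes":
            findings.append(f"{name}: NS_VALIDATE_CERT is not 'yes'; NetScaler cert is not validated")
            continue
        if env.get("NS_PROTOCOL", "").upper() != "HTTPS":
            findings.append(f"{name}: NS_VALIDATE_CERT=yes but NS_PROTOCOL is not HTTPS")
        ca_path = env.get("NS_CACERT_PATH", "")
        mount_dir, pem_name = posixpath.split(ca_path)
        # The directory part of NS_CACERT_PATH must be the mountPath of a volumeMount
        mount = next((m for m in c.get("volumeMounts", [])
                      if m["mountPath"].rstrip("/") == mount_dir.rstrip("/")), None)
        if not ca_path or mount is None:
            findings.append(f"{name}: NS_CACERT_PATH {ca_path!r} is not inside any volumeMount")
            continue
        if mount["name"] not in secret_vols:
            findings.append(f"{name}: mount {mount['name']} is not backed by a Secret volume")
        if not mount.get("readOnly"):
            findings.append(f"{name}: mount {mount['name']} should be readOnly")
        if pem_name not in secret_keys:
            findings.append(f"{name}: {pem_name} is not a key of the CA Secret")
    return findings


if __name__ == "__main__":
    print(check_cert_validation(POD, SECRET_KEYS) or "OK: certificate validation consistently configured")
```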