-
-
-
Deploy NetScaler ingress controller with OpenShift router sharding support
-
Deploy NetScaler ingress controller using OpenShift Operator
-
Deploy NetScaler Observability Exporter using OpenShift Operator
-
Deploy NetScaler CPX as an Ingress in Azure Kubernetes Engine
-
Deploy NetScaler ingress controller in an Azure Kubernetes Service cluster with NetScaler VPX
-
Deploy NetScaler ingress controller for NetScaler with admin partitions
-
Multi-cloud and GSLB solution with Amazon EKS and Microsoft AKS clusters
-
-
SSL certificate for services of type LoadBalancer through the Kubernetes secret resource
-
BGP advertisement for type LoadBalancer services and Ingresses using NetScaler CPX
-
NetScaler CPX integration with MetalLB in layer 2 mode for on-premises Kubernetes clusters
-
Advanced content routing for Kubernetes Ingress using the HTTPRoute CRD
-
IP address management using the NetScaler IPAM controller for Ingress resources
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Enable NetScaler certificate validation in the NetScaler Ingress Controller
The NetScaler Ingress Controller provides an option to ensure secure communication between the NetScaler Ingress Controller and NetScaler by using the HTTPS protocol. You can achieve this by using pre-loaded certificates in the NetScaler. As an extra measure to avoid any possible man-in-the-middle (MITM) attack, the NetScaler Ingress Controller also allows you to validate the SSL server certificate provided by the NetScaler.
To enable certificate signature and common name validation of the ADC server certificate by the NetScaler Ingress Controller, security administrators can optionally install signed (or self-signed) certificates in the NetScaler and configure the NetScaler Ingress Controller with the corresponding CA certificate bundle. Once the validation is enabled and CA certificate bundles are configured, the NetScaler Ingress Controller starts validating the certificate (including certificate name validation). If the validation fails, the NetScaler Ingress Controller logs the same and none of the configurations are used on an unsecure channel.
This validation is turned off by default and an administrator can chose to enable the validation in the NetScaler Ingress Controller as follows.
Prerequisites
-
For enabling certificate validation, you must configure a NetScaler with proper SSL server certificates (with proper server name or IP address in certificate subject). For more information, see NetScaler documentation.
-
The CA certificate for the installed server certificate-key pair is used to configure the NetScaler Ingress Controller to enable validation of these certificates.
Configure the NetScaler Ingress Controller for certificate validation
To make a CA certificate available for configuration, you need to configure the CA certificate as a Kubernetes secret so that the NetScaler Ingress Controller can access it on a mounted storage volume.
To generate a Kubernetes secret for an existing certificate, use the following kubectl command:
$ kubectl create secret generic ciccacert --from-file=path/myCA.pem –namespace default
secret “ciccacert” created
Alternatively, you can also generate the Kubernetes secret using the following YAML definition:
apiVersion: v1
kind: Secret
metadata:
name: ciccacert
data:
myCA.pem: <base64 encoded cert>
The following is a sample YAML file with the NetScaler Ingress Controller configuration for enabling certificate validation.
kind: Pod
metadata:
name: cic
labels:
app: cic
spec:
serviceAccountName: cpx
# Make secret available as a volume
volumes:
- name: certs
secret:
secretName: ciccacert
containers:
- name: cic
image: "xxxx"
imagePullPolicy: Always
args: []
# Mounting certs in a volume path
volumeMounts:
- name: certs
mountPath: <Path to mount the certificate>
readOnly: true
env:
# Set NetScaler ADM Management IP
- name: "NS_IP"
value: "xx.xx.xx.xx"
# Set port for Nitro
- name: "NS_PORT"
value: "xx"
# Set Protocol for Nitro
- name: "NS_PROTOCOL"
# Enable HTTPS protocol for secure communication
value: "HTTPS"
# Set username for Nitro
- name: "NS_USER"
value: "nsroot"
# Set user password for Nitro
- name: "NS_PASSWORD"
value: "nsroot"
# Certificate validation configurations
- name: "NS_VALIDATE_CERT"
value: "yes"
- name: "NS_CACERT_PATH"
value: " <Mounted volume path>/myCA.pem"
<!--NeedCopy-->
As specified in the example YAML file, following are the specific changes required for enabling certificate validation in the NetScaler Ingress Controller.
Configure Kubernetes secret as a volume
- Configure a volume section declared with
secretas the source. Here,secretNameshould match the Kubernetes secret name created for the CA certificate.
Configure a volume mount location for the CA certificate
- Configure a
volumeMountssection with the same name as that ofsecretNamein the volume section - Declare a
mountPathdirectory to mount the CA certificate - Set the volume as
ReadOnly
Configure secure communication
- Set the environment variable
NS_PROTOCOLas HTTPS - Set the environment variable
NS_PORTas ADC HTTPS port
Enable and configure CA validation and certificate path
- Set the environment variable
NS_VALIDATE_CERTtoyes(nofor disabling) - Set the environment variable
NS_CACERT_PATHas the mount path (volumeMounts->mountPath)/ PEM file name (used while creating the secret).
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.