Secure the SEAL Operator Services¶

For security reasons, SEAL Systems strongly recommends to use TLS encryption. This is also helps to avoid certificate warnings in the browser.

Configure the TLS Encryption¶

Get a TLS certificate in PEM format, as written in the Requirements.
Replace the following file containing the private key:
```
/opt/seal/etc/tls/key.pem
```
Replace the following file containing the public certificate:
```
/opt/seal/etc/tls/cert.pem
```

Set the path to the directory containing the certificate files.

env:
  service:
    any:
      tag:
        any:
          TLS_DIR: '/opt/seal/etc/tls'

Hint

Make sure the path doesn't end with a slash.

If self-signed certificates are used, the following key has to be set to 0:
```
env:
  service:
    any:
      tag:
        any:
          NODE_TLS_REJECT_UNAUTHORIZED: '0'
```
Caution - security gap

Setting NODE_TLS_REJECT_UNAUTHORIZED to 0 in a productive system is a serious security gap! Only use it for test purposes!

Hint - certificate

Unless NODE_TLS_REJECT_UNAUTHORIZED is set to 0 or specified at all, the certificate has to contain the correct IP address or hostname since this is used for the authorization check.
Restart SEAL Operator.
```
operator service start
```

Specify a CA Certificate (Unnecessary in Most Cases)¶

If a CA certificate has been specified, the SEAL Operator services require a client certificate from each client. That means from all other SEAL Operator services and the web browser. It requires corresponding properties of the certificate and is a high effort. A complete explanation of how to use client certificates is beyond the scope of this documentation.

For the rare other cases, the CA certificate for the SEAL Operator services needs to be saved to the following file:

/opt/seal/etc/tls/ca.pem

Next Step¶

Continue with: Secure Consul