GAN Remote Certificates - Auto Approval

@ggross and @jrosenkrans , I am finally able to implement this. All I had to do was add the metro-keystore only on the containerized instance of Ignition and create an Outgoing Connection to the EAM Gateway. And I had to approve the certificates only the 1st time of connection and all other subsequent connections from different container IDs were automatically approved.

Thank you so much.

Solution:

Create SelfSigned rootCA certificate:

  1. First we would need a private key to generate the rootCA certificate:

     ```shell
     openssl genrsa -out rootCAkey.pem 4096
     ```

  2. Next we will create one custom openssl configuration file required to generate the Certificate Signing Request and add X.509 extensions to our RootCA certificate (`cat openssl.cnf`):

     ```ini
     [ req ]
     distinguished_name = req_distinguished_name
     policy = policy_match
     x509_extensions = v3_ca

     # For the CA policy
     [ policy_match ]
     countryName = optional
     stateOrProvinceName = optional
     organizationName = optional
     organizationalUnitName = optional
     commonName = supplied
     emailAddress = optional

     [ req_distinguished_name ]
     countryName = Country Name (2 letter code)
     countryName_default = US
     countryName_min = 2
     countryName_max = 2
     stateOrProvinceName = State or Province Name (full name) ## Print this message
     stateOrProvinceName_default = California ## This is the default value
     localityName = Locality Name (eg, city) ## Print this message
     localityName_default = Folsom ## This is the default value
     0.organizationName = Organization Name (eg, company) ## Print this message
     0.organizationName_default = Inductive Automation ## This is the default value
     organizationalUnitName = Organizational Unit Name (eg, section) ## Print this message
     organizationalUnitName_default = QA ## This is the default value
     commonName = Common Name (eg, your name or your server hostname) ## Print this message
     commonName_max = 64

     # v3_ca
     [ v3_ca ]
     authorityKeyIdentifier = keyid, issuer
     basicConstraints = critical,CA:true
     extendedKeyUsage = serverAuth, clientAuth
     keyUsage = keyCertSign,cRLSign
     subjectAltName = @alt_section
     subjectKeyIdentifier = hash

     [alt_section]
     email = your-email.com
     ```

  3. Let us go ahead and create our RootCA certificate:

     ```shell
     openssl req -new -x509 -days 3650 -config openssl.cnf -key rootCAkey.pem -out rootCA.pem
     ```


Create the metro keystore and sign its certificate:

1. Create a new keystore:

   ```shell
   keytool -genkey -alias metro-key -keyalg RSA -keysize 2048 -keystore metro-keystore
   ```

2. Create a new Certificate Signing Request using the above keystore:

   ```shell
   keytool -certreq -alias metro-key -file metro-keystore.csr -keystore metro-keystore
   ```

3. Sign the certificate:

   ```shell
   openssl x509 -req -in metro-keystore.csr -CA rootCA.pem -CAkey rootCAkey.pem -CAcreateserial -out WCNP.crt -days 500 -sha256 -extfile openssl.cnf
   ```

   Note: this openssl.cnf file is different from the one used for the root certificate. It should have the following contents:

   ```ini
   keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
   extendedKeyUsage = clientAuth, serverAuth
   subjectAltName = IP:127.0.0.1, DNS:ignition-wcnp-lab, URI:uri://*/metro
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid, issuer
   ```

4. Import your root public key for your CA:

   ```shell
   keytool -import -trustcacerts -alias root -file rootCA.pem -keystore metro-keystore
   ```

5. Import the signed certificate:

   ```shell
   keytool -import -trustcacerts -alias metro-key -file WCNP.crt -keystore metro-keystore
   ```

Inspect the newly created keystore using the Keystore Explorer tool to verify.

Since I am using a derived image, this was my configuration for the Dockerfile:

```dockerfile
COPY ./backup.gwbk /usr/local/bin/ignition/backup.gwbk
COPY ./register-module.sh /usr/local/bin/ignition/register-module.sh
COPY ./Walmart-SSO-signed.modl /usr/local/bin/ignition/user-lib/modules/Walmart-SSO-signed.modl
COPY ./Ignition-Kafka-signed.modl /usr/local/bin/ignition/user-lib/modules/Ignition-Kafka-signed.modl
# COPY ./ssl.pfx /usr/local/bin/ignition/data/local/ssl.pfx
COPY ./rootCA.pem /usr/local/bin/ignition/data/gateway-network/client/security/pki/trusted/certs/rootCA.pem
COPY ./metro-keystore /usr/local/bin/ignition/webserver/metro-keystore

RUN chmod +x register-module.sh && ./register-module.sh

ENV IGNITION_UID=999
ENV IGNITION_GID=999

RUN chown -R ${IGNITION_UID}:${IGNITION_GID} ${IGNITION_INSTALL_LOCATION:?expected in environment}

USER 999

ENTRYPOINT ["docker-entrypoint.sh","-r","/usr/local/bin/ignition/backup.gwbk","-n","ignition-wcnp-lab", "-m","16384","--","-Dmetro.keystore.password=metroPassword","-Dmetro.keystore.alias=metro-key"]
```

Hope this helps. 

Thank you IA Team for all your support
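The chain the post builds (a self-signed root with `basicConstraints CA:true` and `keyCertSign`, then a gateway certificate carrying `IP:127.0.0.1, DNS:ignition-wcnp-lab, URI:uri://*/metro`) reproduced in Go's `crypto/x509` instead of openssl/keytool, as an added example that is not code from the post or from Inductive Automation. It exists to make the approval decision visible: the leaf verifies only when the issuing root is among the trust anchors (which is what copying `rootCA.pem` into `gateway-network/client/security/pki/trusted/certs` provides), and fails against an unrelated root or for a different host name. The CA name "Ignition Root CA", the 2048-bit keys, and the leaf `keyUsage` narrowed to `digitalSignature` and `keyEncipherment` are my choices, not the post's values; the host name, SANs and validity periods come from the post.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Bundle is an in-memory stand-in for rootCA.pem / rootCAkey.pem / WCNP.crt.
type Bundle struct {
	RootCert *x509.Certificate
	RootKey  *rsa.PrivateKey
	LeafCert *x509.Certificate
	LeafKey  *rsa.PrivateKey
}

// NewRootCA mirrors the post's v3_ca section: basicConstraints critical CA:true,
// keyUsage keyCertSign + cRLSign, extendedKeyUsage serverAuth + clientAuth.
func NewRootCA(commonName string, days int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the post uses 4096; 2048 keeps the example fast
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{"Inductive Automation"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, days),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs a gateway-network certificate with the SANs from the post's
// second openssl.cnf. KeyUsage is narrowed to what a TLS endpoint needs (my choice).
func IssueLeaf(root *x509.Certificate, rootKey *rsa.PrivateKey, host string, days int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	metroURI, err := url.Parse("uri://*/metro")
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{host},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		URIs:         []*url.URL{metroURI},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey) // signed by the root
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildBundle creates the two-certificate chain for host with the post's validity periods.
func BuildBundle(host string) (*Bundle, error) {
	rootCert, rootKey, err := NewRootCA("Ignition Root CA", 3650)
	if err != nil {
		return nil, err
	}
	leafCert, leafKey, err := IssueLeaf(rootCert, rootKey, host, 500)
	if err != nil {
		return nil, err
	}
	return &Bundle{rootCert, rootKey, leafCert, leafKey}, nil
}

// VerifyAgainst is the trust decision: does leaf chain to one of roots for host?
// A nil error is the "auto approved" case; anything else would need manual approval.
func VerifyAgainst(leaf *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	b, err := BuildBundle("ignition-wcnp-lab")
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf SANs:", b.LeafCert.DNSNames, b.LeafCert.IPAddresses, b.LeafCert.URIs[0].String())
	fmt.Println("with trusted root:", VerifyAgainst(b.LeafCert, []*x509.Certificate{b.RootCert}, "ignition-wcnp-lab"))
	other, _, _ := NewRootCA("Unrelated CA", 10)
	fmt.Println("with unrelated root:", VerifyAgainst(b.LeafCert, []*x509.Certificate{other}, "ignition-wcnp-lab"))
}
```

Every new container that presents a certificate issued by the same root passes `VerifyAgainst` with no per-certificate approval, which is the behaviour the post observes; the flip side is that whoever holds `rootCAkey.pem` can mint a certificate any gateway trusting that root will accept, so the root key deserves tighter handling than the keystore password baked into the `ENTRYPOINT`.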