Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

US-624029 : SSL and NIST SP 800-53 and NIST SP 800-131 support for Clustering Service #794

Merged
merged 13 commits into from
Dec 9, 2024
Merged

US-624029 : SSL and NIST SP 800-53 and NIST SP 800-131 support for Clustering Service #794

merged 13 commits into from
Dec 9, 2024

Conversation

vnihal72
Copy link
Contributor

@vnihal72 vnihal72 commented Aug 8, 2024

US-624029 : SSL and NIST SP 800-53 and NIST SP 800-131 support Clustering Service

@vnihal72 vnihal72 requested a review from punda1 August 9, 2024 16:05
Saurabh-16
Saurabh-16 reviewed Aug 12, 2024
View reviewed changes
charts/pega/Makefile
@@ -0,0 +1,31 @@
default: secrets
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When is this file invoked? Can this file be put within HZ subcharts?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file will be invoked manually, please refer: https://github.com/pegasystems/pega-helm-charts/pull/794/files#diff-346646b74f5caaa4e6ffacf9785c6718623b85624c4ad9bd81b6b4496b4d4eb2R1282
This file will generate common certificate for clustering-service and platform, so we are putting it in pega chart

Saurabh-16
Saurabh-16 reviewed Aug 12, 2024
View reviewed changes
charts/pega/templates/_pega-deployment.tpl
@@ -289,6 +295,10 @@ spec:
- name: {{ template "pegaKerberosConfig" }}-config
mountPath: "/opt/pega/kerberos"
{{- end }}
{{- if (.root.Values.hazelcast.encryption.enabled) }}
- name: hz-encryption-secrets
mountPath: "/opt/hazelcast/certs"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this path is available in HZ image.
/opt/hazelcast/certs

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes @Saurabh-16

@kingakowalska1
Copy link
Contributor

Hi Nihal,

Here are my doc suggestions regarding the PR:

In charts/pega/README.md:

Line 1253:

hazelcast.encryption.enabled | Set to true if SSL connection is required; otherwise leave set to false. Note: Set this value to false for Pega platform versions below 24.2; if not set the installation will fail, see this section

To:

hazelcast.encryption.enabled | Set to true if you require SSL connection in your Clustering Service. Note: Highly secure encryption mode is only available in Pega Platform '24.2 and later. Set this value to false for Pega Platform release '24.1 and earlier or the installation will fail.

Line 1282:

(Optional) Enabling encryption of traffic between Pega and ClusteringService

Run the make file in charts/pega/Makefile when encryption or HighlySecureCryptoMode is enabled to generate the certificates and mount it to the Hazelcast and Pega pods before Helm Install.

Parameter Description
NAMESPACE Namespace where Pega and Hazelcast is going to be deployed.
CLUSTERING_SERVICE_IMAGE Reference the platform/clustering-service Docker image that you downloaded and pushed to your Docker registry that your deployment can access.
ENC_KEYSTORE_PASSWORD Key store password.
ENC_TRUSTSTORE_PASSWORD Trust store password.
HIGHLY_SECURE_CRYPTO_MODE_ENABLED Enable it for complying with NIST SP 800-53 and NIST SP 800-131.

To:

(Optional) Enabling highly secure encryption of traffic between Pega Platform and the Clustering Service

Before Helm install, run the makefile in charts/pega/Makefile with the following parameters when you enable encryption or HighlySecureCryptoMode to generate the certificates and mount them to the Clustering Service and Pega Platform pods.

Parameter Description
NAMESPACE Namespace where you deploy Pega Platform and the Clustering Service.
CLUSTERING_SERVICE_IMAGE Reference the platform/clustering-service Docker image that you downloaded and pushed to your Docker registry that your deployment can access.
ENC_KEYSTORE_PASSWORD Keystore password.
ENC_TRUSTSTORE_PASSWORD Truststore password.
HIGHLY_SECURE_CRYPTO_MODE_ENABLED Set to true to enable the highly secure encryption mode to comply with NIST SP 800-53 and NIST SP 800-131.

And across the values.yaml files:

Setting below to true will enforce the SSL communication between Hazelcast and Pega Infinity.

To

Set to true to enforce SSL communication between the Clustering Service and Pega Platform.

And:

Enable it for complying with NIST SP 800-53 and NIST SP 800-131

To:

Set to true to comply with NIST SP 800-53 and NIST SP 800-131.

Thanks!
Kinga

@taz-pega-work
Copy link
Contributor

taz-pega-work commented Aug 12, 2024 via email

@alemax22
Copy link
Contributor

This is an enhancement that we are really interested in, but one of our security team requirement is to periodically change the encryption certificates (e.g. every 30 days). Will be possible to give the certificates by means of a secret instead of running a using some certificated created during the deployment phase? The ideal scenario will be to change the certificates, without requiring a redeploy of the entire cluster

@Pushpendrak18
Copy link
Contributor

Hi Nihal,

Here are my doc suggestions regarding the PR:

In charts/pega/README.md:

Line 1253:

hazelcast.encryption.enabled | Set to true if SSL connection is required; otherwise leave set to false. Note: Set this value to false for Pega platform versions below 24.2; if not set the installation will fail, see this section

To:

hazelcast.encryption.enabled | Set to true if you require SSL connection in your Clustering Service. Note: Highly secure encryption mode is only available in Pega Platform '24.2 and later. Set this value to false for Pega Platform release '24.1 and earlier or the installation will fail.

Line 1282:

(Optional) Enabling encryption of traffic between Pega and ClusteringService

Run the make file in charts/pega/Makefile when encryption or HighlySecureCryptoMode is enabled to generate the certificates and mount it to the Hazelcast and Pega pods before Helm Install.

Parameter Description
NAMESPACE Namespace where Pega and Hazelcast is going to be deployed.
CLUSTERING_SERVICE_IMAGE Reference the platform/clustering-service Docker image that you downloaded and pushed to your Docker registry that your deployment can access.
ENC_KEYSTORE_PASSWORD Key store password.
ENC_TRUSTSTORE_PASSWORD Trust store password.
HIGHLY_SECURE_CRYPTO_MODE_ENABLED Enable it for complying with NIST SP 800-53 and NIST SP 800-131.
To:

(Optional) Enabling highly secure encryption of traffic between Pega Platform and the Clustering Service

Before Helm install, run the makefile in charts/pega/Makefile with the following parameters when you enable encryption or HighlySecureCryptoMode to generate the certificates and mount them to the Clustering Service and Pega Platform pods.

Parameter Description
NAMESPACE Namespace where you deploy Pega Platform and the Clustering Service.
CLUSTERING_SERVICE_IMAGE Reference the platform/clustering-service Docker image that you downloaded and pushed to your Docker registry that your deployment can access.
ENC_KEYSTORE_PASSWORD Keystore password.
ENC_TRUSTSTORE_PASSWORD Truststore password.
HIGHLY_SECURE_CRYPTO_MODE_ENABLED Set to true to enable the highly secure encryption mode to comply with NIST SP 800-53 and NIST SP 800-131.
And across the values.yaml files:

Setting below to true will enforce the SSL communication between Hazelcast and Pega Infinity.

To

Set to true to enforce SSL communication between the Clustering Service and Pega Platform.

And:

Enable it for complying with NIST SP 800-53 and NIST SP 800-131

To:

Set to true to comply with NIST SP 800-53 and NIST SP 800-131.

Thanks! Kinga

Hi @kingakowalska1 , We have incorporated the suggested changes, please review/approve PR.

@kingakowalska1
Copy link
Contributor

Hi,
Since I reviewed the PR back in August, the PO driving the initiative requested that we keep a single name for this encryption enhancement, so the only comment I have is to replace every mention of "Highly secure encryption mode" with "Highly Secure Crypto Mode" in the readme.
Thanks!
Kinga

kingakowalska1
kingakowalska1 approved these changes Nov 19, 2024
View reviewed changes
Copy link
Contributor

@kingakowalska1 kingakowalska1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thank you for making the changes!

@Saurabh-16 Saurabh-16 merged commit 9788a67 into pegasystems:master Dec 9, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Pushpendrak18 Pushpendrak18 Pushpendrak18 approved these changes

@kishorv10 kishorv10 kishorv10 approved these changes

@Saurabh-16 Saurabh-16 Saurabh-16 approved these changes

@hsomu hsomu hsomu approved these changes

@punda1 punda1 punda1 approved these changes

@kingakowalska1 kingakowalska1 kingakowalska1 approved these changes

@taz-pega-work taz-pega-work Awaiting requested review from taz-pega-work taz-pega-work is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@vnihal72 @kingakowalska1 @taz-pega-work @alemax22 @Pushpendrak18 @kishorv10 @Saurabh-16 @hsomu @punda1