Every client/server communication needs to be secured through a protocol with Secure Socket Layer/Transport Layer Security . The predecessor of Transport Layer Security (TLS) is Secure Socket Layer (SSL), reason for TLS existence is due to SSL’s vulnerability towards an attack and SSL differs from TLS in cryptographic standards over communication between applications.
A secured communication between apps relies on a certificate(cert) distributed by a Certificate Authority(CA) that is mutually agreed by both client & server. CA is an entity that issues digital certificates that has x.509 standard (uses Public key cryptography)and few leading CA providers are Comodo, GoDaddy, Global Sign & Symantec.
This article will focus on how to install certs into your docker image that has RESTful API with it. We can categorize the article into three sections that explains key concepts on security and how to achieve it.
- Cert formats
- Client/Server Communication & One way Authentication
- Adding Cert to docker image
Cert formats
Most of the certificate formats are with suffix -.pem, .cer, .crt, .key . Clients communicating (browsers/client systems) to Server will hold *.pem (Privacy Enhanced Mail) or a .cer (file extension of a SSL certificate) for establishing a secured connection.
Common Format of a *.pem, *.cer, *.crt
RSA (Rivest–Shamir–Adleman) algorithm is used to encrypt and decrypt messages in communication where one key is kept public and the other as private which defines the concept of public key cryptography aka asymmetric encryption. The most common attacks like MITMA (Man In The Middle Attack) can be prevented by using TLS. Registration Authority(RA) helps in authenticating the cert from Public Key Infrastructure (PKI) available and it acts as middlemen for CA.
Client/Server Communication & One way Authentication
In brief the overall communication to make a secured connection between two resource through one way authentication is summarized below.
- Client request for a protected resource from server(RESTful API Call)
- Client presents the information encrypted with its public key to the server
- Server evaluates the request with its private key (available only on server side) and responds back based on the requested resource
It would work the same way for mutual authentication where client and server both provide their public keys and decrypt their messages with its own private keys available at their end.
Adding Cert to docker image
We can see a demo of how to achieve one way authentication in a docker container that has Golang RESTful API. Refer to article Golang & Docker — Microservices (RESTful API) for Enterprise Model illustrating the steps to create Restful API and wrapping it up into a Docker image.
A docker image is composed of multiple resources that will make a container to serve a request on its own in cloud and it is admin’s responsibility to install relevant certs in root directory inside the image to make it secured. Also instruct in your code to consider certs from root when making call to other secured API’s.
Image with certs installed
In alpine we have a package utility called ca-certificates which comes with its preinstalled certs for Mozilla browser. Also you need to update the bundle with your third party certs required for TLS and this can be done by specifying an update certificate command as below in Dockerfile.
FROM alpine:latest
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./mycert.crt /usr/local/share/ca-certificates/mycert.crt
RUN update-ca-certificates
Add the following commands to your Docker file that explains the below steps.
- Pull the alpine image from docker registry
- Install ca-certificates bundle inside the docker image and remove the temp folder
- Copy certificate from your local machine to desired folder inside the image to be built.
- Run the command update-ca-certificates to update new cert into corresponding folder
The above steps will add your third party cert into your docker image, once the image is built and container is up Golang library will detect the cert (x.509 standard) and provides appropriate public key to make a secured connection with calling API’s