docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add client certificate authentication and changes to related pages 

Signed-off-by: Maria Bermudez <bermudez.mt@gmail.com>

Signed-off-by: Maria Bermudez <bermudez.mt@gmail.com>
This commit is contained in:
Maria Bermudez 2019-05-13 00:19:35 -07:00
parent 1f0daf1bfb
commit 798e7c8bde
10 changed files with 317 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_data/toc.yaml
View File

@ -1327,6 +1327,8 @@ manuals:
title: Environment variables
- path: /ee/end-to-end-install/
title: Install components individually
- path: /ee/enable-client-certificate-authentication/
title: Enable client certificate authentication with your PKI
- sectiontitle: Back up Docker Enterprise
section:
- path: /ee/admin/backup/

41
ee/dtr/admin/configure/enable-single-sign-on.md
View File

@ -4,42 +4,29 @@ description: Learn how to set up single sign-on between UCP and DTR, so that you
keywords: dtr, login, sso
---
By default, users are shared between UCP and DTR, but you have to authenticate
separately on the web UI of both applications.
Users are shared between UCP and DTR by default, but the applications have separate browser-based interfaces which require authentication.
You can configure DTR to have single sign-on (SSO) with UCP, so that users only
have to authenticate once.
To only authenticate once, you can configure DTR to have single sign-on (SSO) with UCP.
> **Note**: After configuring single sign-on with DTR, users accessing DTR via
> `docker login` should create an [access token](/ee/dtr/user/access-tokens/) and use it to authenticate.
## At installation time
## At install time
When installing DTR, use the `docker/dtr install --dtr-external-url <url>`
option to enable SSO. When accessing the DTR web UI, users are redirected to the
UCP login page, and once they are authenticated, they're redirected to the URL
you provided to `--dtr-external-url`.
When [installing DTR](/reference/dtr/2.7/install/), pass the `--dtr-external-url <url>`
option to enable SSO. This makes it so that when you access DTR's web interface, you are redirected to the UCP login page for authentication. Upon successfully logging in, you are then redirected to your specified DTR external URL during installation.
Use the domain name of DTR, or the domain name of a load balancer, if you're
using one, to load-balance requests across multiple DTR replicas.
[Specify the Fully Qualified Domain Name (FQDN)](/use-your-own-tls-certificates/) of your DTR, or a load balancer, to load-balance requests across multiple DTR replicas.
## After install
## Post-installation
In your browser, navigate to the DTR web UI, and choose **Settings**. In the
**General** tab, scroll to **Domain & proxies**.
Update the **Load balancer / public address** field to the url where users
should be redirected once they are logged in.
Use the domain name of DTR, or the domain name of a load balancer, if you're
using one, to load-balance requests across multiple DTR replicas.
Then enable **Use single sign-on**.
![](../../images/enable-sso-1.png){: .with-border}
Once you save, users are redirected to UCP for logging in, and redirected back to
DTR once they are authenticated.
1. Navigate to `https://<dtr-url>` and log in with your credentials.
2. Select **System** from the left navigation pane, and scroll down to **Domain & Proxies**.
3. Update the **Load balancer / Public Address** field with the external URL where users
should be redirected once they are logged in. Click **Save** to apply your changes.
4. Toggle **Single Sign-on** to automatically redirect users to UCP for logging in.
## Where to go next
- [Use your own TLS certificates](use-your-own-tls-certificates.md)
- [Use your own TLS certificates](use-your-own-tls-certificates)
- [Enable authentication using client certificates](/ee/enable-authentication-via-client-certs/)

52
ee/dtr/admin/configure/license-your-installation.md
View File

@ -4,35 +4,53 @@ description: Learn how to license your Docker Trusted Registry installation.
keywords: dtr, install, license
---
By default, you don't need to license your Docker Trusted Registry. When
installing DTR, it automatically starts using the same license file used on
your Docker Universal Control Plane cluster.
By default, Docker Trusted Registry (DTR) automatically uses the same license file applied to
your Universal Control Plane (UCP). In the following scenarios, you need to
manually apply a license to your DTR:
However, there are some situations when you have to manually license your
DTR installation:
* When upgrading to a new major version,
* When your current license expires.
* Major version upgrade
* License expiration
## Download your license
Go to [Docker Hub](https://hub.docker.com/editions/enterprise/docker-ee-trial)
to download a trial license.
Visit Docker Hub's [Enterprise Trial page](https://hub.docker.com/editions/enterprise/docker-ee-trial) to start your one-month trial. After signing up, you should receive a confirmation email with a link to your subscription page. You can find your **License Key** in the **Resources** section of the Docker Enterprise Setup Instructions page.
![](../../images/license-1.png){: .with-border}
![](/ee/dtr/images/license-1.png){: .with-border}
Click "License Key" to download your license.
## License your installation
Once you've downloaded the license file, you can apply it to your DTR
installation. Navigate to the **DTR web UI**, and then go to the **Settings
page**.
After downloading your license key, navigate to `https://<dtr-url>` and log in with your credentials.
Select **System** from the left navigation pane, and click *Apply new license* to upload your license
key.
![](../../images/license-2.png){: .with-border}
![](/ee/dtr/images/license-2.png){: .with-border}
Click the **Apply new license** button, and upload your new license file.
## View licensing information
You can send a `GET` request to `api/v0/admin/settings/license` to view more details on the license applied to your DTR. Use your DTR Fully Qualified Domain Name (FQDN) as the base URL for your API request.
### Example API request
```bash
curl -u docker:$TOKEN -X GET "https://34.219.67.189/api/v0/admin/settings/license -H "accept: application/json"
```
### Example API response
```json
{
"is_valid": true,
"auto_refresh": false,
"scanning_enabled": true,
"expiration": "2019-07-09T22:26:01Z",
"key_id": "2SDaULA3xBvQ8Hrp-05-7_JPrWdthGINT0ZI3ArdhAK6",
"tier": "Advanced",
"type": "Offline"
}
```
## Where to go next
- [Enable single sign-on](enable-single-sign-on.md)
- [Use your own TLS certificates](use-your-own-tls-certificates)
- [Enable single sign-on](enable-single-sign-on)

49
ee/dtr/admin/configure/use-your-own-tls-certificates.md
View File

@ -1,44 +1,45 @@
---
title: Use your own TLS certificates
description: Learn how to configure Docker Trusted Registry with your own TLS certificates.
keywords: dtr, tls
keywords: dtr, tls, certificates, security
---
By default the DTR services are exposed using HTTPS, to ensure all
communications between clients and DTR is encrypted. Since DTR
replicas use self-signed certificates for this, when a client accesses
DTR, their browsers won't trust this certificate, so the browser displays a
warning message.
Docker Trusted Registry (DTR) services are exposed using HTTPS by default. This ensures encrypted communications between clients and your trusted registry. If you do not pass a PEM-encoded TLS certificate during installation, DTR will generate a [self-signed certificate](https://en.wikipedia.org/wiki/Self-signed_certificate). This leads to an insecure site warning when accessing DTR through a browser. Additionally, DTR includes an [HSTS (HTTP Strict-Transport-Security) header](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) in all API responses which can further lead to your browser refusing to load DTR's web interface.
You can configure DTR to use your own certificates, so that it is automatically
trusted by your users' browser and client tools.
You can configure DTR to use your own TLS certificates, so that it is automatically
trusted by your users' browser and client tools. As of v2.7, you can also [enable user authentication via client certificates](/ee/enable-authentication-via-client-certs/) provided by your organization's public key infrastructure (PKI).
## Replace the server certificates
To configure DTR to use your own certificates and keys, go to the
**DTR web UI**, navigate to the **Settings** page, and scroll down to the
**Domain** section.
You can upload your own TLS certificates and keys using the web interface, or pass them as CLI options when installing or reconfiguring your DTR instance.
![](../../images/use-your-certificates-1.png){: .with-border}
### Web interface
Navigate to `https://<dtr-url>` and log in with your credentials. Select **System** from the left navigation pane, and scroll down to **Domain & Proxies**.
Set the DTR domain name and upload the certificates and key:
![](/ee/dtr/images/use-your-certificates-1.png){: .with-border}
* Load balancer/public address, is the domain name clients will use to access DTR.
* TLS certificate, is the server certificate and any intermediate CA public
certificates. This certificate needs to be valid for the DTR public address,
Enter your DTR domain name and upload or copy and paste the certificate details:
* ***Load balancer/public address.*** The domain name clients will use to access DTR.
* ***TLS private key.*** The server private key.
* ***TLS certificate chain.*** The server certificate and any intermediate public
certificates from your certificate authority (CA). This certificate needs to be valid for the DTR public address,
and have SANs for all addresses used to reach the DTR replicas, including load
balancers.
* TLS private key is the server private key.
* TLS CA is the root CA public certificate.
* ***TLS CA.*** The root CA public certificate.
Finally, click **Save** for the changes to take effect.
Click **Save** to apply your changes.
If you're using certificates issued by a globally trusted certificate authority,
If you've added certificates issued by a globally trusted CA,
any web browser or client tool should now trust DTR. If you're using an internal
certificate authority, you'll need to configure your system to trust that
certificate authority.
CA, you will need to configure your system to trust that
CA.
### Command line interface
See [docker/dtr install](/reference/dtr/2.7/cli/install/) and [docker/dtr reconfigure](/reference/dtr/2.7/cli/reconfigure/) for TLS certificate options and usage.
## Where to go next
- [Set up external storage](external-storage/index.md)
- [Enable single sign-on](enable-single-sign-on)
- [Set up external storage](external-storage)

BIN
ee/dtr/images/license-1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 166 KiB

After

Width:  |  Height:  |  Size: 75 KiB

BIN
ee/dtr/images/license-2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 105 KiB

After

Width:  |  Height:  |  Size: 25 KiB

BIN
ee/dtr/images/use-your-certificates-1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 117 KiB

After

Width:  |  Height:  |  Size: 125 KiB

232
ee/enable-client-certificate-authentication.md Normal file
View File

@ -0,0 +1,232 @@
---
title: Enable authentication using TLS client certificates
description: Learn how to enable user authentication via client certificates from your own public key infrastructure (PKI).
keywords: PKI, Client Certificates, Passwordless Authentication, Docker Enterprise
---
## Overview
In many organizations, authenticating to systems with a username and password combination is either restricted or outright prohibited. With Docker Enterprise 3.0, you can manage user authentication with your own public key infrastructure (PKI) using a pool of X.509 client certificates in lieu of usernames and passwords.
## Benefits
The following table outlines existing and added capabilities when using client certificates issued by an external certificate authority (CA) for authentication.
| Operation | Benefit |
| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [UCP browser authentication](#ucp--dtr-browser-authentication) | Previously, UCP client bundles enabled communication between a local Docker client and UCP without the need of a username and password. Importing your client certificates into the browser extends this capability to the UCP web UI. |
| [DTR browser authentication](#ucp--dtr-browser-authentication) | You can bypass the login page for the DTR web UI when you use TLS client certificates as a DTR authentication method. |
| [Image pulls and pushes to DTR](#image-pulls-and-pushes-to-dtr) | You can update Docker engine with a client certificate for image pulls and pushes to DTR without the need for `docker login`. |
| [Image signing](#image-signing) | You can use client certificates to sign images that you push to DTR. Depending on which you configure to talk to DTR, the certificate files need to be located in certain directories. Alternatively, you can enable system-wide trust of your custom root certificates. |
| [DTR API access](#dtr-api-access) | You can use TLS client certificates in lieu of your user credentials to access the DTR API. |
| [Notary CLI operations with DTR](#notary-cli-operations-with-dtr) | You can set your DTR as the remote trust server location and pass the certificate flags directly to the Notary CLI to access your DTR repositories. |
## Limitations
- The security of client certificates issued by your organization's PKI is outside of UCPs control. UCP administrators are responsible for instructing their users on how to authenticate via client certificates.
- Username and password authentication cannot be disabled.
- If client certificates have been configured, they will be used for
all `docker push` and `docker pull` operations for _all users_ of the same
machine.
- Docker Enterprise 3.0 does not check certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP) for revoked certificates.
## UCP / DTR browser authentication
The following instructions apply to UCP and DTR administrators. For non-admin users, contact your administrator for details on your PKI's client certificate configuration.
To bypass the browser login pages and hide the logout buttons for both UCP and DTR, follow the steps below.
1. Add your organization's root CA certificates [via the UCP web UI](/ee/ucp/admin/configure/use-your-own-tls-certificates/#configure-ucp-to-use-your-own-tls-certificates-and-keys) or [via the CLI installation command](https://success.docker.com/article/how-do-i-provide-an-externally-generated-security-certificate-during-the-ucp-command-line-installation).
For testing purposes, you can download an [admin client bundle](/ee/ucp/user-access/cli/#download-client-certificates) from UCP and [convert the client certificates to `pkcs12`](#convert-your-client-certificates-to-a-PKCS12-file)
1. Download UCP's `ca.pem` from `https://<ucp-url>/ca` either in the browser or via `curl`. When using `curl`, redirect the response output to a file.
`curl -sk https://<ucp-url>/ca -o ca.pem`
1. Enable client certificate authentication for DTR. If previously installed, reconfigure DTR with your UCP hostname's root CA certificate. This will be your organization's root certificate(s) appended to UCP's internal root CA certificates.
```
docker run --rm -it docker/dtr:2.7.0 reconfigure --debug --ucp-url \
<ucp-url> --ucp-username <ucp_admin_user> --ucp-password \ <ucp_admin_password> --enable-client-cert-auth
--client-cert-auth-ca "$(cat ca.pem)"
```
See [DTR installation](/reference/dtr/2.7/cli/install/) and [DTR reconfiguration](/reference/dtr/2.7/cli/reconfigure/) CLI reference pages for an explanation of the different options.
1. Import the PKCS12 file into [the browser](#pkcs12-file-browser-import) or [Keychain Access](https://www.digicert.com/ssl-support/p12-import-export-mac-mavericks-server.htm#import_certificate) if you're running macOS.
### Client certificate to PKCS12 file conversion
From the command line, switch to the directory of your client bundle and run the following command to convert the client bundle public and private key pair to a `.p12` file.
```bash
openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
```
Create with a simple password, you will be prompted for it when you import the certificate into the browser or Mac's Keychain Access.
### PKCS12 file browser import
Instructions on how to import a certificate into a web browser vary according to your platform, OS, preferred browser and browser version. As a general rule, refer to one of the following how-to articles:
- ***Firefox***:
https://www.sslsupportdesk.com/how-to-import-a-certificate-into-firefox/
- ***Chrome***:
https://www.comodo.com/support/products/authentication_certs/setup/win_chrome.php
- ***Internet Explorer***:
https://www.comodo.com/support/products/authentication_certs/setup/ie7.php
## Image pulls and pushes to DTR
For pulling and pushing images to your DTR (with client certificate authentication method enabled) without performing a `docker login`, do the following:
1. Create a directory for your DTR public address or FQDN (Fully Qualified Domain Name) within your operating system's TLS certificate directory.
1. As a [superuser](https://en.wikipedia.org/wiki/Superuser), copy the private key (`client.pem`) and certificate (`client.cert`) to the machine you are using for pulling and pushing to DTR without doing a `docker login`. Note that the filenames must match.
1. Obtain the CA certificate from your DTR server, `ca.crt` from `https://<dtrurl>/ca`, and copy `ca.crt` to your operating system's TLS certificate directory so that your machine's Docker Engine will trust DTR. For Linux, this is `/etc/docker/certs.d/<dtrurl>/`. On Docker for Mac, this is `/<home_directory>/certs.d/<dtr_fqdn>/`.
This is a convenient alternative to, for Ubuntu as an example, adding the DTR server certificate to `/etc/ca-certs` and running `update-ca-certificates`.
```curl
curl -k https://<dtr>/ca -o ca.crt
```
On Ubuntu
````bash
cp ca.crt /etc/ca-certs
```
1. Restart the Docker daemon for the changes to take effect. See [Configure your host](/ee/dtr/user/access-dtr/#configure-your-host) for different ways to restart the Docker daemon.
### Add your DTR server CA certificate to system level
You have the option to add your DTR server CA certificate to your system's trusted root certificate pool. This is MacOS Keychain or `/etc/ca-certificates/` on Ubuntu. Note that you will have to remove the certificate if your DTR public address changes.
### Reference guides
- [Docker Engine](https://docs.docker.com/engine/security/certificates/)
- Docker Desktop
- [Enterprise for Mac](/ee/desktop/user/mac-user/#add-tls-certificates)
- [Enterprise for Windows](/ee/desktop/user/windows-user/#adding-tls-certificates)
- [Community for Mac](/docker-for-mac/#add-tls-certificates)
- [Community for Windows](/docker-for-windows/faqs/#certificates)
Note: The above configuration means that Docker Engine will use the same client certificate for all pulls and pushes to DTR for ***all users*** of the same machine.
## Image signing
DTR includes [two containers](/ee/dtr/architecture/#dtr-internal-components), `<dtr-notary-server-<replica_id>` and `<dtr-notary-signer-<replica_id>`, which provide the required components for using Docker Content Trust (DCT) out of the box. In some cases, you need to additionally set an environment variable, `DOCKER_CONTENT_TRUST`, to `1`.
<table style="width:100%;">
<colgroup>
<col style="width: 35%" />
<col style="width: 30%" />
<col style="width: 35%" />
</colgroup>
<thead>
<tr class="night">
<th>Implementation</th>
<th>Component Pairing</th>
<th>Settings</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><a href="/engine/security/trust/content_trust/#signing-images-with-docker-content-trust">Sign with <code>docker trust sign</code></a></td>
<td><ul>
<li>Docker Engine - Enterprise 18.03 or higher</li>
<li>Docker Engine - Community 17.12 or higher, or</li>
</ul></td>
<td>Copy <code>ca.crt</code> from <code>https://&lt;dtr-external-url&gt;/ca</code> to:
<ul>
<li>Linux: <code>/etc/docker/certs.d/</code></li>
<li>Mac: <code>&lt;home_directory&gt;/.docker/certs.d/</code></li>
</ul></td>
</tr>
<tr class="even">
<td><a href="/engine/security/trust/content_trust/#runtime-enforcement-with-docker-content-trust">Enforce signature or hash verification on the Docker client</a></td>
<td><ul>
<li>Docker Engine - Enterprise 17.06 or higher</li>
<li>Docker Engine - Community 17.06 or higher</li>
</ul></td>
<td><code>export DOCKER_CONTENT_TRUST=1</code> to enable content trust on the Docker client. Copy <code>ca.crt</code> from <code>https:///ca</code> to <code>/&lt;home_directory&gt;/.docker/tls/</code> on Linux and macOS. <code>docker push</code> will sign your images.</td>
</tr>
<tr class="odd">
<td><a href="/ee/dtr/user/manage-images/sign-images/">Sign images that UCP can trust</a></td>
<td><ul>
<li>Docker Engine - Enterprise 17.06 or higher</li>
<li>Docker UCP 2.2 or higher</li>
</ul></td>
<td>Configure UCP to <a href="/ee/ucp/admin/configure/run-only-the-images-you-trust/#configure-ucp">run only signed images</a>. See <a href="/ee/dtr/user/manage-images/">Sign an image</a> for detailed steps.</td>
</tr>
</tbody>
</table>
## DTR API access
With `curl`, you can interact with the DTR
API by passing a public certificate and private key pair instead of
your DTR username and password/authentication token.
```bash
curl --cert cert.pem --key key.pem -X GET
"https://<dtr-external-url>/api/v0/repositories?pageSize=10&count=false" -H "accept:
application/json"
```
In the above example, `cert.pem` contains the public certificate and `key.pem`
contains the private key. For non-admin users, you can generate a client bundle from UCP or contact your administrator for your public and private key pair.
## Notary CLI operations with DTR
To use your PKI's TLS certificates to establish mutual trust between the Notary client and your trusted registry (DTR) using the Notary CLI, place your DTR's server CA and TLS client certificates in `<home_directory>/.docker/tls/<dtr-external-url>/` as `ca.crt`, `client.cert`, and `client.key`. Pass the FQDN or publicly accessible IP address of your registry along with the TLS client certificate options to the Notary client. To get started, see [Use the Notary client for advanced users](/notary/advanced_usage/).
## Troubleshooting tips
### DTR authentication via client Certificates
Hit your DTR's `basic_info` endpoint via `curl`:
```curl
curl --cert cert.pem --key key.pem -X GET "https://<dtr-external-url>/basic_info"
```
If successfully configured, you should see `TLSClientCertificate` listed as the `AuthnMethod` in the JSON response.
#### Example Response
```json
{
"CurrentVersion": "2.7.0",
"User": {
"name": "admin",
"id": "30f53dd2-763b-430d-bafb-dfa361279b9c",
"fullName": "",
"isOrg": false,
"isAdmin": true,
"isActive": true,
"isImported": false
},
"IsAdmin": true,
"AuthnMethod": "TLSClientCertificate"
}
```
### DTR as an insecure registry
Avoid adding DTR to Docker Engine's list of insecure registries as a workaround. This has the side effect of disabling the use of TLS certificates.
### x509 certificate errors
#### Example Error
```bash
Error response from daemon: Get https://35.165.223.150/v2/: x509: certificate is valid for 172.17.0.1, not 35.165.223.150
```
- On the web user interface, make sure to add the IP or the FQDN associated with your custom TLS certificate under **System > General > Domains & Proxies**.
- From the command line interface, [reconfigure DTR](/reference/dtr/2.7/cli/reconfigure/) with the `--dtr-external-url` option and the associated PEM files for your certificate.
### Intermediate certificates
For chain of trust which includes intermediate certificates, you may optionally add those certificates when installing or reconfiguring DTR with `--enable-client-cert-auth` and `--client-cert-auth-ca`.

13
ee/ucp/admin/configure/use-your-own-tls-certificates.md
View File

@ -39,21 +39,26 @@ navigate to the **Admin Settings** page.
Upload your certificates and keys:
* A `ca.pem` file with the root CA public certificate.
* A `ca.pem` file with the root CA (Certificate Authority) public certificate.
* A `cert.pem` file with the TLS certificate for your domain and any intermediate public
certificates, in this order.
* A `key.pem` file with TLS private key. Make sure it is not encrypted with a password.
Encrypted keys should have `ENCRYPTED` in the first line.
As of UCP v3.2, the **Certificates** page includes a new text field,
***Client CA***, that allows you to paste or upload one or more custom root CA certificates which the UCP Controller will use to
verify the authenticity of client certificates issued by your corporate or
trusted third-party CAs. Note that your custom root certificates will be appended to UCP's internal root CA certificates.
Finally, click **Save** for the changes to take effect.
After replacing the TLS certificates, your users won't be able to authenticate
with their old client certificate bundles. Ask your users to go to the UCP
After replacing the TLS certificates, your users will not be able to authenticate
with their old client certificate bundles. Ask your users to access the UCP
web UI and [get new client certificate bundles](../../user-access/cli.md).
If you deployed Docker Trusted Registry, you'll also need to reconfigure it
to trust the new UCP TLS certificates.
[Learn how to configure DTR](/reference/dtr/2.6/cli/reconfigure.md).
[Learn how to configure DTR](/reference/dtr/2.7/cli/reconfigure.md).
## Where to go next

BIN
ee/ucp/images/use-externally-signed-certs-2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 96 KiB

After

Width:  |  Height:  |  Size: 54 KiB