If you would like the Dashboard to run securely and support SSL/TLS internally, then a certificate must be provided at install time to enable HTTPS. Running securely is strongly recommended for production environments.
When internal SSL (https) mode is enabled, Dashboard terminates SSL/TLS itself, without relying on external services (e.g. a proxy or ingress). Dashboard will also automatically redirect any http request to https, using the provided certificate.
Placing a certificate under the alias jetty into cert/jetty.jks prior to installation will enable the Dashboard to run in SSL mode.
To generate an SSL certificate, you may create a self-signed cert or source one from a commercial vendor. We have provided examples below for self-signed and Let's Encrypt.
Keep your certificate password readily available, because you will be prompted for it during the installation process.
Below is an example of generating a self-signed certificate using the Java keytool command:
shell>cd /opt/continuent/software/tungsten-dashboard-8.0.0-10
shell>mkdir -p cert
shell>keytool -keysize 2048 -genkey -alias jetty -keyalg RSA -keystore cert/jetty.jks -storepass $DASHBOARD_KEYSTORE_PASSWORD -dname "CN=localhost, OU=Test, O=MyOrg, L=MyCity, ST=MyState, C=US" -ext "SAN=dns:localhost,ip:127.0.0.1"
Generating 2048-bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 90 days for: CN=localhost, OU=Test, O=MyOrg, L=MyCity, ST=MyState, C=US
Below is an example of converting an existing cert issued by Let's Encrypt using our provided tool letsencrypt2dashboard.pl, which calls the openssl and Java keytool commands:
shell>sudo ./letsencrypt2jetty.pl -d dashdev.continuent.com
Keystore file's password: tungsten
Creating `./cert/`
>>> ACTION: Converting the Let's Encrypt source files to P12 format:
SOURCE:
/etc/letsencrypt/live/dashdev.continuent.com/fullchain.pem
/etc/letsencrypt/live/dashdev.continuent.com/privkey.pem
TARGET cert/jetty.p12
SUCCESS: Generated the P12 file 'cert/jetty.p12'
>>> ACTION: Converting the P12 file to JKS format:
SOURCE cert/jetty.p12
TARGET cert/jetty.jks
Importing keystore cert/jetty.p12 to cert/jetty.jks...
SUCCESS: Generated the internal jetty cert file 'cert/jetty.jks'
shell>sudo chown -R dashboard: cert
Or:
shell>mkdir cert
shell>cp /etc/letsencrypt/live/dashdev.continuent.com/fullchain.pem cert/
shell>sudo cp /etc/letsencrypt/live/dashdev.continuent.com/privkey.pem cert/
shell>sudo chmod a+r cert/privkey.pem
shell>./letsencrypt2jetty.pl -f cert/fullchain.pem -k cert/privkey.pem
Keystore file's password:tungsten
Creating `./cert/`
>>> ACTION: Converting the Let's Encrypt source files to P12 format:
SOURCE:
./fullchain.pem
./privkey.pem
TARGET cert/jetty.p12
SUCCESS: Generated the P12 file 'cert/jetty.p12'
>>> ACTION: Converting the P12 file to JKS format:
SOURCE cert/jetty.p12
TARGET cert/jetty.jks
Importing keystore cert/jetty.p12 to cert/jetty.jks...
SUCCESS: Generated the internal jetty cert file 'cert/jetty.jks'
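The following pre-install check is an added example, not part of the Dashboard distribution. It audits the cert directory produced by the steps above for private-key files that are readable by all users (the copied privkey.pem, the intermediate jetty.p12, the keystore itself) and, when keytool is installed and $DASHBOARD_KEYSTORE_PASSWORD is set, confirms that the jetty alias exists. The function name audit_cert_dir is hypothetical.

```shell
#!/bin/sh
# Added example (not shipped with Tungsten Dashboard). audit_cert_dir is a
# hypothetical helper; it only reports and never changes files.
# Usage: audit_cert_dir [DIR]   (DIR defaults to ./cert); returns 0 when clean.
audit_cert_dir() {
    dir=${1:-cert}
    rc=0

    # The installer looks for the keystore at cert/jetty.jks.
    if [ ! -f "$dir/jetty.jks" ]; then
        echo "MISSING $dir/jetty.jks"
        rc=1
    fi

    # Files that hold the private key: the copied privkey.pem, the
    # intermediate jetty.p12 and the keystore. fullchain.pem is public.
    # -perm -004 matches files whose "other" read bit is set.
    exposed=$(find "$dir" -type f \
        \( -name 'privkey.pem' -o -name '*.p12' -o -name '*.jks' \) \
        -perm -004 2>/dev/null || true)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/WORLD-READABLE /'
        rc=1
    fi

    # Optional: confirm the certificate is stored under alias "jetty".
    # Runs only when keytool is installed and the password variable is set.
    if [ -f "$dir/jetty.jks" ] && [ -n "${DASHBOARD_KEYSTORE_PASSWORD:-}" ] \
        && command -v keytool >/dev/null 2>&1; then
        if ! keytool -list -alias jetty -keystore "$dir/jetty.jks" \
            -storepass "$DASHBOARD_KEYSTORE_PASSWORD" >/dev/null 2>&1; then
            echo "NO-ALIAS jetty not readable in $dir/jetty.jks"
            rc=1
        fi
    fi

    return "$rc"
}
```

Run audit_cert_dir cert from the installation directory before ./install.pl; any line it prints names a file to fix, and the exit status is non-zero when something was reported.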
Below is an example of installing Tungsten Dashboard v8 using the install.pl script without SSL/TLS Support:
shell>cd /opt/continuent/software/tungsten-dashboard-8.0.0-10
shell>./install.pl -d
Unique dashboard secret is not defined in .env file. Do you want to generate it? [y/N]:y
DASHBOARD_SECRET=LpJFoQVHYnYoxOJCjCuLkV2ZzEvuQNkN generated and added to .env file.
Please store this secret in a safe place. You will need it for future upgrades of the Dashboard.
Please enter preferred admin user name:tungsten
Please enter a password for admin user:secret
Please enter the domain for your application without schema or port.
Domain for your application [127.0.0.1]:
Configure insecure port for http connections.
Note: All connections to this port (http) will be redirected to https if it is enabled.
Please enter preferred insecure dashboard backend port [4090]:
The path is the part of the URL that comes after the domain. For example, if your application is hosted at http://example.com/dashboard, the path is dashboard.
Please enter the path for your application [empty]:
Configure https method. Internal delegates TLS logic to the dashboard server. If TLS is external, dashboard server only accepts http connections in the default port, it will not validate https.
Please select preferred TLS / HTTPS method:
1) Internal (Dashboard is the SSL endpoint)
2) External (Dashboard is not the SSL endpoint)
3) None (no SSL, not recommended for Production deployments)
Enter choice [1]:3
Insecure mode selected. Dashboard browser will attempt to load resources over http. This is not recommended for production environments. Do you want to proceed? [y/N]:y
Loading Tungsten Dashboard image...
Loaded image: tungsten-dashboard:8.0.0
Starting docker-compose up...
[+] Running 3/3
 ✔ Volume "tungsten-dashboard_persist" Created 0.0s
 ✔ Container tungsten-dashboard-service-1 Healthy 5.6s
 ! service Published ports are discarded when using host network mode 0.0s
Installation completed!
Opening the Dashboard on browser. If it does not open automatically, please open using URL: http://127.0.0.1:4090
To uninstall current deployment, simply run 'docker-compose down'
Remember to remove volumes either manually or by running 'docker-compose down -v'
Below is an example of installing Tungsten Dashboard v8 using the install.pl script with SSL/TLS Support:
shell>cd /opt/continuent/software/tungsten-dashboard-8.0.0-10
shell>./install.pl -d
Unique dashboard secret is not defined in .env file. Do you want to generate it? [y/N]:y
DASHBOARD_SECRET=bN99HmvK2lOvZ5RNkgQJp6RGMmpVSTC6 generated and added to .env file.
Please store this secret in a safe place. You will need it for future upgrades of the Dashboard.
Please enter preferred admin user name:tungsten
Please enter a password for admin user:secret
Please enter the domain for your application without schema or port.
Domain for your application [127.0.0.1]:dashboard.example.com
Configure insecure port for http connections. All connections to this port (http) will be redirected to https.
Please enter preferred insecure dashboard backend port [4090]:
The path is the part of the URL that comes after the domain. For example, if your application is hosted at http://example.com/dashboard, the path is dashboard.
Please enter the path for your application [empty]:
Configure https method. Internal delegates TLS logic to the dashboard server. If TLS is external, dashboard server only accepts http connections in the default port, it will not validate https.
Please select preferred TLS / HTTPS method:
1) Internal
2) External
3) None (not recommended)
Enter choice [1]:
Internal TLS selected. This requires a valid java keystore file with a certificate under alias "jetty". Add the keystore file ie. jetty.jks to the ./cert directory.
Is the keystore file jetty.jks in the ./cert directory? [y/N]:y
Provide application SSL port: [4091]:
Provide the secret name in the docker-compose.yml file [dashboard_cert]:
Keystore file's password:tungsten
Loading Tungsten Dashboard image...
3abdd8a5e7a8: Loading layer [==================================================>] 29.72MB/29.72MB
a81b5d0b5796: Loading layer [==================================================>] 22.95MB/22.95MB
5eb803431e96: Loading layer [==================================================>] 157.6MB/157.6MB
88f8cc5af356: Loading layer [==================================================>] 158B/158B
dd4b98d123a3: Loading layer [==================================================>] 2.282kB/2.282kB
d4cd2ada82fd: Loading layer [==================================================>] 117B/117B
5f70bf18a086: Loading layer [==================================================>] 32B/32B
c175884b36b0: Loading layer [==================================================>] 47.39MB/47.39MB
73ecd4e84b34: Loading layer [==================================================>] 399B/399B
Loaded image: tungsten-dashboard:8.0.0
Starting docker-compose up...
[+] Running 3/3
 ✔ Volume "tungsten-dashboard_persist" Created 0.0s
 ✔ Container tungsten-dashboard-service-1 Healthy 10.9s
 ! service Published ports are discarded when using host network mode 0.0s
Installation completed!
Please open the Dashboard using URL: https://dashboard.example.com:4091
To uninstall current deployment, simply run 'docker-compose down'
Remember to remove volumes either manually or by running 'docker-compose down -v'
To uninstall Tungsten Dashboard, simply execute the following:
shell> docker-compose down
or, to remove persistent volumes along with the uninstallation:
shell> docker-compose down -v
When removing persistent volumes, you lose the application state: application settings, application users, and connected clusters.