Every client/server communication needs to be secured through a protocol with Secure Socket Layer/Transport Layer Security . The predecessor of Transport Layer Security (TLS) is Secure Socket Layer (SSL), reason for TLS existence is due to SSL’s vulnerability towards an attack and SSL differs from TLS in cryptographic standards over communication between applications.
A secured communication between apps relies on a certificate(cert) distributed by a Certificate Authority(CA) that is mutually agreed by both client & server. CA is an entity that issues digital certificates that has x.509 standard (uses Public key cryptography)and few leading CA providers are Comodo, GoDaddy, Global Sign & Symantec.
This article will focus on how to install certs into your docker image that has RESTful API with it. We can categorize the article into three sections that explains key concepts on security and how to achieve it.
Most of the certificate formats are with suffix -.pem, .cer, .crt, .key . Clients communicating (browsers/client systems) to Server will hold *.pem (Privacy Enhanced Mail) or a .cer (file extension of a SSL certificate) for establishing a secured connection.
Common Format of a *.pem, *.cer, *.crt
RSA (Rivest–Shamir–Adleman) algorithm is used to encrypt and decrypt messages in communication where one key is kept public and the other as private which defines the concept of public key cryptography aka asymmetric encryption. The most common attacks like MITMA (Man In The Middle Attack) can be prevented by using TLS. Registration Authority(RA) helps in authenticating the cert from Public Key Infrastructure (PKI) available and it acts as middlemen for CA.
In brief the overall communication to make a secured connection between two resource through one way authentication is summarized below.
It would work the same way for mutual authentication where client and server both provide their public keys and decrypt their messages with its own private keys available at their end.
We can see a demo of how to achieve one way authentication in a docker container that has Golang RESTful API. Refer to article Golang & Docker — Microservices (RESTful API) for Enterprise Model illustrating the steps to create Restful API and wrapping it up into a Docker image.
A docker image is composed of multiple resources that will make a container to serve a request on its own in cloud and it is admin’s responsibility to install relevant certs in root directory inside the image to make it secured. Also instruct in your code to consider certs from root when making call to other secured API’s.
Image with certs installed
In alpine we have a package utility called ca-certificates which comes with its preinstalled certs for Mozilla browser. Also you need to update the bundle with your third party certs required for TLS and this can be done by specifying an update certificate command as below in Dockerfile.
FROM alpine:latest
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./mycert.crt /usr/local/share/ca-certificates/mycert.crt
RUN update-ca-certificates
Add the following commands to your Docker file that explains the below steps.
The above steps will add your third party cert into your docker image, once the image is built and container is up Golang library will detect the cert (x.509 standard) and provides appropriate public key to make a secured connection with calling API’s