Enable protocol security in Razor with a custom certificate authority in Puppet Enterprise

When you're using PE and install Razor on a Puppet-managed node, protocol security using HTTPS and TLS/SSL is enabled by default. However, if you want to use your own CA certificate or you're using Razor in an environment that's not Puppet-managed, you must secure communication between the Razor server and client.

Version and installation information

PE version: 3.7 to 2019.2
OS: Any Unix

Solution

Complete the following steps to configure communication ports for the Razor server and to configure communication between the Razor server and client.

Configure communication ports for the Razor server

1. Configure HTTP communication on port 8150 and HTTPS communication on port 8151.

2. In the config.yaml file, located on your master at /etc/puppetlabs/razor-server/config.yaml, make sure that secure_api is set to true.

3. Use your own .jks or .ks file or self-sign a certificate.

   You might already have a .jks or .ks file that you are using for communication between the Razor server and client. If not, create a self-signed certificate file called keystore.jks in your current working directory by running the Java keytool command on your master:

   keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -keypass password -validity 3600 -keysize 2048 -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, S=Unknown, C=Unknown"

   Note: The default password for keytool is password.

4. Configure Torquebox by adding a web connector in the standalone.xml.erb file:

   The location of the standalone.xml.erb file varies. On the puppet master, use the command find / -name standalone.xml.erb to locate it. Edit the file to add the connector as follows:

   <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl name="https" key-alias="<%= @java_ssl_alias %>" password-file="<PATH_TO_A_PLAINTEXT_PASSWORD_FILE>"