
Deploying H2 Docker versions quickly with TLS / SSL


This post adds to my previous post: Deploying H2 Docker versions quickly

 

In addition to configuring the basic Docker Images and Containers, it's also possible to deploy them with a TLS / SSL certificate and access the instances via HTTPS only.

 

For this a valid certificate is required inside a .jks keystore. I'm using a self-signed certificate, but commercial ones are even better! The certificate must be issued for the name of the machine which runs Docker and which the users type into their browser; in my case this is "mne-docker". Put that name into the certificate's Subject Alternative Name (DNS entry) and not only into the Common Name, since browsers no longer accept a name that appears in the CN alone. Keep the password for the keystore and the private key the same: the Connector configured below only sets keystorePass, and Tomcat uses that value for the key as well unless a separate key password is configured. In my case it's super secret and "Password123456". Be aware that this password is written into the image in plain text (in server.xml and in the build history shown by docker history), so never push such an image to a public registry.

 

I have the following directory structure on my Operating System

 

  • /home/ts/docker/
    • certificates
      • mne-docker.jks
    • twx.8.2.x.h2
      • Dockerfile
      • settings
        • platform-settings.json
        • <license_file>
      • storage
      • Thingworx.war

 

The Recipe File

 

In the Recipe File I make sure that I create a new Connector on port 8443 and remove the old one on port 8080.

I do this by replacing the opening line of the Connector element via the sed command, also introducing options for content compression.

Only the first line of the XML element is matched, as it holds all the attributes I need to change; the remaining lines of the element (connectionTimeout and redirectPort in the default server.xml) stay as they are and still apply. Note that sed exits successfully even when the pattern does not match, so if a newer tomcat image changes its default server.xml the Container would silently keep the plain HTTP Connector on 8080 and nothing would answer on the published port. The build should therefore verify that the replacement actually happened.

 

Compared to the version in my previous post, the TLS-related changes are the /cert directory and volume, the sed rewrite of the Connector and the exposed port 8443.

 

# tomcat:latest moves between Tomcat and JDK versions; pin a tag (e.g. a specific 9.0.x) for reproducible builds.
FROM tomcat:latest
LABEL maintainer="mneumann@ptc.com"

LABEL version="8.2.0"
LABEL database="H2"

RUN mkdir -p /cert /ThingworxPlatform /ThingworxStorage /ThingworxBackupStorage

ENV LANG=C.UTF-8
# -d64 was dropped from the original options: JDK 10 and newer refuse to start with it.
ENV JAVA_OPTS="-server -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Dfile.encoding=UTF-8 -Duser.timezone=GMT -XX:+UseNUMA -XX:+UseG1GC -Djava.library.path=/usr/local/tomcat/webapps/Thingworx/WEB-INF/extensions"

# Replace the plain HTTP Connector on 8080 with a TLS Connector on 8443.
# The keystore password is baked into the image here (server.xml and docker history), so keep the image private.
# The cipher list below still contains 3DES and non-ephemeral TLS_RSA suites; drop them if your clients do not need them.
# The trailing grep fails the build if the sed pattern did not match, since sed itself exits 0 when it changes nothing.
RUN sed -i 's/<Connector port="8080" protocol="HTTP\/1.1"/<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" enableLookups="false" keystoreFile="\/cert\/mne-docker.jks" keystorePass="Password123456" ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" compression="on" compressableMimeType="text\/html,text\/xml,text\/plain,text\/css,text\/javascript,application\/javascript,application\/json"/g' /usr/local/tomcat/conf/server.xml \
    && grep -q 'SSLEnabled="true"' /usr/local/tomcat/conf/server.xml

COPY Thingworx.war /usr/local/tomcat/webapps

VOLUME ["/ThingworxPlatform", "/ThingworxStorage", "/cert"]

EXPOSE 8443

 

Note that I also map the /cert directory to the outside, so all of my Containers can access the same certificate. I will access it read-only.
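As an added example (this is not code from the original post), the following script covers the two pieces the post leaves implicit: it generates the self-signed .jks keystore for the Docker host name with keytool, and it applies the same Connector rewrite as the Dockerfile's sed to a constructed copy of Tomcat's default HTTP Connector, failing if the pattern did not match or a plain-HTTP 8080 Connector remains. It assumes the host name mne-docker, the password Password123456 and the /cert path used in the post. Two things deliberately differ from the post's Connector: the cipher list is trimmed to forward-secret AEAD suites, and sslEnabledProtocols="TLSv1.2" is set so TLS 1.0/1.1 cannot be negotiated.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: create the .jks keystore the post
# assumes and rewrite/verify the Tomcat Connector the way the Dockerfile's sed does.
set -eu

CERT_HOST="mne-docker"     # must match the name users type into the browser (assumed from the post)
STOREPASS="Password123456" # keystore and key password, same value, as in the post

# Constructed copy of the default HTTP Connector shipped in tomcat:latest's server.xml.
DEFAULT_CONNECTOR='    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />'

# Forward-secret AEAD suites only; the post's list also allows 3DES and static-RSA
# suites, which are dropped here.
CIPHERS="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"

# make_keystore <hostname> <password> <out.jks>
# Self-signed RSA certificate with the host name as CN *and* DNS SAN (browsers ignore a
# CN-only name). Key password == store password, which is what keystorePass alone expects.
make_keystore() {
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$1" -ext "SAN=dns:$1" \
    -keystore "$3" -storetype JKS -storepass "$2" -keypass "$2"
}

# harden_connector <server.xml> <keystore path inside the container> <password>
# Same transformation as the Dockerfile's RUN sed, plus two checks sed does not do:
# the pattern must have matched, and no plain-HTTP 8080 Connector may remain.
# '|' is the sed delimiter, so paths need no escaping; a password containing '|' or '&' would.
harden_connector() {
  local xml="$1" ks="$2" pass="$3"
  local tls='<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" enableLookups="false" keystoreFile="'"$ks"'" keystorePass="'"$pass"'" ciphers="'"$CIPHERS"'"'
  sed "s|<Connector port=\"8080\" protocol=\"HTTP/1.1\"|${tls}|" "$xml" > "$xml.tmp" && mv "$xml.tmp" "$xml"
  grep -q 'SSLEnabled="true"' "$xml" || { echo "connector pattern not found in $xml" >&2; return 1; }
  if grep -q 'port="8080"' "$xml"; then echo "plain HTTP connector still present in $xml" >&2; return 1; fi
}

# Stand-alone demo on a scratch copy of the default Connector.
WORK="$(mktemp -d)"
printf '%s\n' "$DEFAULT_CONNECTOR" > "$WORK/server.xml"
harden_connector "$WORK/server.xml" "/cert/${CERT_HOST}.jks" "$STOREPASS"
cat "$WORK/server.xml"

# Build the keystore as well when a JDK is available (keytool ships with it).
if command -v keytool >/dev/null 2>&1; then
  make_keystore "$CERT_HOST" "$STOREPASS" "$WORK/${CERT_HOST}.jks"
  keytool -list -keystore "$WORK/${CERT_HOST}.jks" -storepass "$STOREPASS"
fi
```

To use it with the post's layout, copy the generated mne-docker.jks into /home/ts/docker/certificates and run harden_connector against /usr/local/tomcat/conf/server.xml in the build instead of the bare sed; the grep failure then stops docker build instead of producing an image that listens on the wrong port.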

 

Deploying

 

 

sudo docker build -t twx.8.2.x.h2 .

sudo docker run -d --name=twx.8.2.x.h2 -p 88:8443 -v /home/ts/docker/twx.8.2.x.h2/storage:/ThingworxStorage -v /home/ts/docker/twx.8.2.x.h2/settings:/ThingworxPlatform -v /home/ts/docker/certificates:/cert:ro twx.8.2.x.h2

 

Publishing only the 8443 port ensures that only HTTPS connections are possible: the sole Connector in server.xml is the TLS one on 8443, and no other Container port is reachable from the host. With the mapping above the instance is reached at https://mne-docker:88/Thingworx, 88 being the host port.

The :ro in the directory mapping ensures read-only access to the certificate directory from inside the Container.

 

What next

 

Go ahead! Only secure stuff is kind of secure 😉

For more information on how to import the self-signed certificate into the Windows Certificate Manager so browsers recognize it, see also the Trusting the Root CA chapter in Trust & Encryption - Hands On.