
Configuring Optimizer Hub SSL Authentication

The recommended setup is to have a load balancer or service mesh in front of the Optimizer Hub service, see Installing Optimizer Hub > Load Balancing. The load balancer is then the connection point through which the JVMs interact with Optimizer Hub, and it carries the SSL configuration.

In cases where such a load balancer or service mesh is not available, for instance for development and evaluation, Optimizer Hub itself can be configured to run with or without SSL authentication. Of course, it is highly recommended that you run your production Optimizer Hub with SSL authentication.

SSL Configuration in Optimizer Hub

Follow these steps to configure SSL within the Optimizer Hub service itself.

  1. Create or use an existing SSL certificate. To enable SSL encryption of the communication between the JVM and Optimizer Hub, you need to provide a certificate and the corresponding private key in PEM format.

    Note
    The common name field in the certificate must match the name of the Optimizer Hub service as provided to client JVMs via the -XX:OptHubHost flag. Otherwise there may be issues when connecting.
  2. Enable SSL in your values-override.yaml file:

    ssl:
      enabled: true
  3. Add your certificate and private key. This can be done in several ways:

    1. The most secure way to add certificates is using a separate chain that manages your certificate. You can then point the deployment to a custom secret in the installation namespace. Such a secret needs to have keys named cert.pem and key.pem.

      ssl:
        secretName: "my-custom-secret"
    2. You can add the certificate and private keys directly to the values.yaml as values. This is the simplest way to run quick experiments in a controlled environment, especially when you’re installing from the Helm repository. We do not recommend this approach in production as it embeds private security credentials in a config file:

      ssl:
        value:
          cert: |-
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          key: |-
            -----BEGIN PRIVATE KEY-----
            ...
            -----END PRIVATE KEY-----
    3. If you downloaded and unpacked the Helm chart to a local directory, you can just place files named cert.pem and key.pem into the root directory of your Helm chart.

  4. Perform Helm installation as shown in the general installation guide.
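The two checks worth running before step 3, as an added example that is not part of Azul's documentation or chart: that the certificate's CN (or a DNS SAN) equals the name you will pass as -XX:OptHubHost, and that key.pem really belongs to cert.pem. It also renders a Kubernetes Secret with the cert.pem and key.pem keys the chart expects; the host name, secret name and the self-signed sample pair are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not Azul's code): preflight checks for the cert.pem/key.pem pair
# before it is given to Helm via ssl.secretName or placed in the chart root.
# The host name and secret name used below are assumptions for illustration.
set -eu

# Subject CN of a PEM certificate.
cert_common_name() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS entries of the subjectAltName extension, one per line (empty if none).
cert_san_dns() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | grep -o 'DNS:[^,]*' | sed 's/^DNS://' || true
}

# 0 if the name passed to -XX:OptHubHost matches the certificate's CN or a DNS SAN.
cert_matches_host() {
  [ "$(cert_common_name "$1")" = "$2" ] && return 0
  cert_san_dns "$1" | grep -qx "$2"
}

# 0 if key.pem is the private key belonging to cert.pem (same public key).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Kubernetes Secret manifest with the key names the chart expects: cert.pem and key.pem.
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$3"
  printf '  cert.pem: %s\n' "$(base64 < "$1" | tr -d '\n')"
  printf '  key.pem: %s\n'  "$(base64 < "$2" | tr -d '\n')"
}

# Constructed sample: a throwaway self-signed pair whose CN and SAN equal the host.
make_sample_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: sh opthub_ssl_preflight.sh cert.pem key.pem <name given to -XX:OptHubHost>
if [ $# -eq 3 ]; then
  cert_matches_host "$1" "$3" || { echo "CN/SAN of $1 does not match $3" >&2; exit 1; }
  key_matches_cert "$1" "$2"  || { echo "$2 is not the private key of $1" >&2; exit 1; }
  secret_manifest "$1" "$2" my-custom-secret
fi
```

The printed manifest can be applied with kubectl into the installation namespace and referenced through ssl.secretName; the private key is still embedded in that manifest, so treat the file like the key itself.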

SSL Configuration for Zing Clients

Running Zing Clients with SSL

By default, Zing connects to Optimizer Hub using SSL.

Make sure the service certificate is trusted by the client machine where you run Zing. This is achieved either by having the certificate signed by a publicly trusted certificate authority or, if you use an internal CA within your company infrastructure, by making sure that internal CA is trusted on the client machine.

Making an authority trusted usually involves copying its certificate file to /usr/local/share/ca-certificates/ or /etc/ssl/certs/. The exact path and process depend on your OS distribution. Follow the instructions for your OS distribution to register the certificate on your client machine. For example, on Ubuntu-based distributions you run the following commands:

    sudo openssl x509 -in {path to cert.pem} -inform PEM -out /usr/local/share/ca-certificates/cert.crt
    sudo update-ca-certificates

Alternatively, you can explicitly instruct Zing to use and trust a specified certificate on the filesystem by using the -XX:OptHubSSLRootsPath={path to cert.pem} flag.

If certificate validation fails, for instance because your .pem file is missing or does not match the certificate that you uploaded to Optimizer Hub, you get the following error:

    [1.856s][info][concomp] [gRPCEvent] read error!
    [1.856s][info][concomp] [gRPC processing] BidiStreamWrapper is dying, finishing stream 0x7fbec00180f0 with status: failed to connect to all addresses (14)

Running Zing Clients without SSL

Note
Using Optimizer Hub without SSL must only be used for testing.

If you installed Optimizer Hub without enabling SSL, you must use the -XX:-OptHubUseSSL flag to instruct Zing to allow unsecured connections to Optimizer Hub.

Note
Before version 1.8.0, the flag was called -XX:+/-CNCInsecure. Because of this change, you need to review your settings.

If you attempt to connect to an Optimizer Hub that is running without SSL and do not specify the -XX:-OptHubUseSSL flag, you get the following error:

    E1011 13:16:23.198074100 29 ssl_transport_security.cc:1446] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.