From: Trabelsi Tobias Date: Thu, 17 Feb 2022 08:15:04 +0000 (+0100) Subject: SONAR-13505 document use of self signed certificates in SQ docker containers X-Git-Tag: 9.4.0.54424~206 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=be46f86d1051437f6de475881bd95f7a31835539;p=sonarqube.git SONAR-13505 document use of self signed certificates in SQ docker containers --- diff --git a/server/sonar-docs/src/pages/setup/install-server.md b/server/sonar-docs/src/pages/setup/install-server.md index 0e105483682..df3c32949e2 100644 --- a/server/sonar-docs/src/pages/setup/install-server.md +++ b/server/sonar-docs/src/pages/setup/install-server.md @@ -297,3 +297,35 @@ echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security" ``` Please be aware that low values increases the risk of DNS spoofing attacks. + +### Self Signed Certificates of DevOps platforms + +When running in an environment where the DevOps platform or other related tooling is secured by self signed certificates, the CA needs to be added to the java truststore of SonarQube. + +On a zip installation the systems truststore can be found in `$JAVA_HOME/lib/security/cacerts`. In order to add a new certificate to the truststore you can use the following command as an example: + +```bash +keytool -importcert -file $PATH_TO_CERTIFICATE -alias $CERTIFICATE_NAME -keystore /$JAVA_HOME/lib/security/cacerts -storepass changeit -trustcacerts -noprompt +``` + +In our official Docker images you can find the systems truststore in `$JAVA_HOME/lib/security/cacerts`. In order to add new certificates here as well you can: + +* bind mount an existing truststore containing your certificates to `$JAVA_HOME/lib/security/cacerts` + +[[collapse]] +| example: +| +| ```bash +| docker run -d --name sonarqube -v /path/to/your/cacerts.truststore:/usr/lib/jvm/java-11-openjdk/lib/security/cacerts:ro -p 9000:9000 sonarqube +| ``` + +* import your CA certificate the same way as in the zip installation but inside the container. + +If you deploy SonarQube on Kubernetes using the official Helm Chart, you can create a new secret containing your required certificates and reference this via: + +```yaml +caCerts: + enabled: true + image: adoptopenjdk/openjdk11:alpine + secret: your-secret +```