Security-related Parameters
The parameters in the following table provide access to, and identify the files and information required for, secure communication between ICM and the provisioned nodes and deployed containers. All of them are required, and they can be specified in the defaults file only.
- For information about using scripts provided with ICM to generate these files, see Obtain Security-Related Files.
- For information about how ICM uses the security files you provide to communicate securely with provisioned nodes and the services on them, see ICM Security.
- For general information about using the SSH protocol, see SSH PROTOCOL from SSH Communications Security.
- For information about Docker security, including the use of TLS certificates with Docker, see Docker security in the Docker documentation.
- For general information about using TLS with InterSystems IRIS, see InterSystems TLS Guide and The InterSystems Public Key Infrastructure. For information about the contents of the file identified by the SSLConfig parameter, see Create a Client Configuration.
- For information about the use of TLS to secure connections between mirror members, see Securing Mirror Communication with TLS Security.
| Parameter | Definition |
|---|---|
| Provider-specific credentials and account parameters; to see detailed instructions for obtaining the files and values, click the provider link | |
| SSHUser | Nonroot account with sudo access used by ICM for access to provisioned nodes. The root of SSHUser's home directory can be specified using the Home field. The required value is provider-specific, as follows: |
| SSHPassword | Initial password for the user specified by SSHUser. Required for marketplace Docker images and for deployments of type vSphere, Azure, and PreExisting. This password is used only during provisioning, at the conclusion of which password logins are disabled. |
| SSHOnly | If true, ICM does not attempt SSH password logins during provisioning; applies to providers vSphere and PreExisting only. Because this prevents ICM from logging in using a password, it requires that you stage your public SSH key (as specified by the SSHPublicKey field, below) on each node. Default: false. |
| SSHPublicKey | Path within the ICM container of the public key of the SSH public/private key pair; required for all deployments. For provider AWS, the key must be in SSH2 format, for example:<br>`---- BEGIN SSH2 PUBLIC KEY ----`<br>`AAAAB3NzaC1yc2EAAAABJQAAAQEAoa0`<br>`---- END SSH2 PUBLIC KEY ----`<br>For other providers, it must be in OpenSSH format, for example:<br>`ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoa0` |
| SSHPrivateKey | Path within the ICM container of the private key of the SSH public/private key pair; required for all deployments. The key must be in RSA format, for example:<br>`-----BEGIN RSA PRIVATE KEY-----`<br>`MIIEogIBAAKCAQEAoa0ex+JKzC2Nka1`<br>`-----END RSA PRIVATE KEY-----` |
| TLSKeyDir | Directory within the ICM container containing the TLS keys used to establish secure connections to Docker, InterSystems Web Gateway, JDBC, and mirrored InterSystems IRIS databases, as follows: |
| SSLConfig | Path within the ICM container to a TLS configuration file used to establish secure JDBC connections. Default: if this parameter is not provided, ICM looks for a configuration file at /TLSKeyDir/SSLConfig.Properties (see the TLSKeyDir entry). |
| PrivateSubnet | If true, ICM deploys on an existing private subnet, or creates and deploys on a new private subnet, for use with a bastion host; see Deploying on a Private Network. |
| WeavePassword | Password used to encrypt traffic over Weave Net; enable encryption by setting this to a value other than null in the defaults file. Default: null. |
| net_vpc_cidr | CIDR of the existing private network to deploy on; see Deploy Within an Existing Private Network. |
| net_subnet_cidr | CIDR of an ICM node's subnet within an existing private network. |
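The SSHPublicKey row above requires the same public key in two different on-disk formats depending on the provider (RFC 4716 "SSH2" for AWS, the one-line OpenSSH form for everyone else). The following added example is not ICM code and does not come from InterSystems; it is a small Python checker that detects which format a public key file is in, converts between the two, and validates the base64 key blob (the key type named on the OpenSSH line must match the type encoded inside the blob). The sample key blob is constructed inline from a made-up modulus so the script runs offline; it is not a real key. The `SSHPublicKey` path is the only name taken from the page; all function names are this example's own.

```python
import base64
import struct

SSH2_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"   # RFC 4716 marker lines
SSH2_END = "---- END SSH2 PUBLIC KEY ----"
OPENSSH_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix plus the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian two's complement, so a leading zero byte
    is added when the top bit is set to keep the number positive."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def blob_key_type(blob: bytes) -> str:
    """The key type is the first SSH string inside the blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def detect_format(text: str) -> str:
    """Return 'ssh2', 'openssh' or 'unknown' based on the first non-blank line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    if lines[0] == SSH2_BEGIN:
        return "ssh2"
    if lines[0].split(" ", 1)[0] in OPENSSH_TYPES:
        return "openssh"
    return "unknown"


def parse_openssh(text: str):
    """'<type> <base64> [comment]' -> (type, blob, comment), checking the blob."""
    parts = text.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("OpenSSH key line needs a key type and a base64 blob")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if blob_key_type(blob) != key_type:
        raise ValueError("key type on the line does not match the blob")
    return key_type, blob, comment


def parse_ssh2(text: str):
    """RFC 4716 file -> (type, blob, comment). Rejects a file whose last line is
    not the END marker and joins header continuation lines (trailing backslash)."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != SSH2_BEGIN or lines[-1] != SSH2_END:
        raise ValueError("missing RFC 4716 BEGIN/END marker lines")
    headers, i = {}, 1
    while i < len(lines) - 1 and ":" in lines[i]:      # base64 never contains ':'
        tag, _, value = lines[i].partition(":")
        value = value.strip()
        while value.endswith("\\") and i < len(lines) - 2:
            i += 1
            value = value[:-1] + lines[i].strip()
        headers[tag.strip().lower()] = value.strip('"')
        i += 1
    blob = base64.b64decode("".join(lines[i:-1]), validate=True)
    return blob_key_type(blob), blob, headers.get("comment", "")


def to_openssh(key_type: str, blob: bytes, comment: str = "") -> str:
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return (f"{line} {comment}" if comment else line) + "\n"


def to_ssh2(blob: bytes, comment: str = "") -> str:
    b64 = base64.b64encode(blob).decode("ascii")
    out = [SSH2_BEGIN]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(b64[i:i + 70] for i in range(0, len(b64), 70))  # RFC 4716: <= 72 chars/line
    out.append(SSH2_END)
    return "\n".join(out) + "\n"


def convert(text: str, target: str) -> str:
    """Rewrite a public key file as 'ssh2' or 'openssh', whichever the provider expects."""
    fmt = detect_format(text)
    if fmt == "unknown":
        raise ValueError("not an OpenSSH or RFC 4716 public key")
    key_type, blob, comment = parse_openssh(text) if fmt == "openssh" else parse_ssh2(text)
    if target == "ssh2":
        return to_ssh2(blob, comment)
    if target == "openssh":
        return to_openssh(key_type, blob, comment)
    raise ValueError("target must be 'ssh2' or 'openssh'")


# Constructed sample: a syntactically valid ssh-rsa blob built from a made-up
# 64-byte modulus. It is NOT a real key; it exists only so the script runs offline.
_FAKE_N = int.from_bytes(bytes(range(1, 65)), "big")
SAMPLE_OPENSSH = to_openssh("ssh-rsa", build_rsa_blob(65537, _FAKE_N), "icm-sample")

if __name__ == "__main__":
    # Typical use: convert(open(path_to_SSHPublicKey).read(), "ssh2") for AWS.
    print(SAMPLE_OPENSSH)
    print(convert(SAMPLE_OPENSSH, "ssh2"))
```

Running the script prints the constructed key in both formats. In practice you would read the file named by SSHPublicKey, call `detect_format` to confirm it matches the provider's expectation before provisioning, and use `convert` only when it does not; `parse_ssh2` deliberately fails on a file whose closing line is a second BEGIN marker rather than the END marker, since that is an easy mistake to make when assembling the file by hand.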