diff --git a/ee/dtr/admin/configure/enable-single-sign-on.md b/ee/dtr/admin/configure/enable-single-sign-on.md index a0d784955a..d940e3d0bb 100644 --- a/ee/dtr/admin/configure/enable-single-sign-on.md +++ b/ee/dtr/admin/configure/enable-single-sign-on.md 
@@ -13,18 +13,51 @@ To only authenticate once, you can configure DTR to have single sign-on (SSO) wi ## At install time -When [installing DTR](/reference/dtr/2.7/install/), pass the `--dtr-external-url ` -option to enable SSO. This makes it so that when you access DTR's web interface, you are redirected to the UCP login page for authentication. Upon successfully logging in, you are then redirected to your specified DTR external URL during installation. +When [installing DTR](/reference/dtr/2.7/install/), pass `--dtr-external-url ` to enable SSO. [Specify the Fully Qualified Domain Name (FQDN)](/use-your-own-tls-certificates/) of your DTR, or a load balancer, to load-balance requests across multiple DTR replicas. -[Specify the Fully Qualified Domain Name (FQDN)](/use-your-own-tls-certificates/) of your DTR, or a load balancer, to load-balance requests across multiple DTR replicas. + +```bash +docker run --rm -it \ +{{ page.dtr_org }}/{{ page.dtr_repo }}:{{ page.dtr_version }} install \ +--dtr-external-url dtr.example.com \ +--dtr-cert "$(cat cert.pem)" \ +--dtr-ca "$(cat dtr_ca.pem)" \ +--dtr-key "$(cat key.pem)" \ +--ucp-url ucp.example.com \ +--ucp-username admin \ +--ucp-ca "$(cat ucp_ca.pem)" +``` + +This makes it so that when you access DTR's web user interface, you are redirected to the UCP login page for authentication. Upon successfully logging in, you are then redirected to your specified DTR external URL during installation. ## Post-installation +### Web user interface + 1. Navigate to `https://` and log in with your credentials. 2. Select **System** from the left navigation pane, and scroll down to **Domain & Proxies**. 3. Update the **Load balancer / Public Address** field with the external URL where users should be redirected once they are logged in. Click **Save** to apply your changes. 4. Toggle **Single Sign-on** to automatically redirect users to UCP for logging in. 
+ ![](/ee/dtr/single-sign-on-1.png){: .with-border} + + + +### Command line interface + +You can also enable single sign-on from the command line by reconfiguring your DTR. To do so, run the following: + +```bash +docker run --rm -it \ +{{ page.dtr_org }}/{{ page.dtr_repo }}:{{ page.dtr_version }} reconfigure \ +--dtr-external-url dtr.example.com \ +--dtr-cert "$(cat cert.pem)" \ +--dtr-ca "$(cat dtr_ca.pem)" \ +--dtr-key "$(cat key.pem)" \ +--ucp-url ucp.example.com \ +--ucp-username admin \ +--ucp-ca "$(cat ucp_ca.pem)" +``` ## Where to go next diff --git a/ee/dtr/admin/configure/license-your-installation.md b/ee/dtr/admin/configure/license-your-installation.md index 4bd307b823..c96568e876 100644 --- a/ee/dtr/admin/configure/license-your-installation.md +++ b/ee/dtr/admin/configure/license-your-installation.md @@ -28,27 +28,7 @@ key. ![](/ee/dtr/images/license-2.png){: .with-border} -## View licensing information - -You can send a `GET` request to `api/v0/admin/settings/license` to view more details on the license applied to your DTR. Use your DTR Fully Qualified Domain Name (FQDN) as the base URL for your API request. - -### Example API request -```bash -curl -u docker:$TOKEN -X GET "https://34.219.67.189/api/v0/admin/settings/license -H "accept: application/json" -``` - -### Example API response -```json -{ - "is_valid": true, - "auto_refresh": false, - "scanning_enabled": true, - "expiration": "2019-07-09T22:26:01Z", - "key_id": "2SDaULA3xBvQ8Hrp-05-7_JPrWdthGINT0ZI3ArdhAK6", - "tier": "Advanced", - "type": "Offline" -} -``` +Within **System > General** under the **License** section, you should see the tier, date of expiration, and ID for your license. ## Where to go next diff --git a/ee/dtr/admin/configure/use-your-own-tls-certificates.md b/ee/dtr/admin/configure/use-your-own-tls-certificates.md index da46d1d4b9..e6478d5021 100644 --- a/ee/dtr/admin/configure/use-your-own-tls-certificates.md +++ b/ee/dtr/admin/configure/use-your-own-tls-certificates.md 
@@ -33,7 +33,7 @@ Click **Save** to apply your changes. If you've added certificates issued by a globally trusted CA, any web browser or client tool should now trust DTR. If you're using an internal -CA, you will need to configure your system to trust that +CA, you will need to configure the client systems to trust that CA. ### Command line interface diff --git a/ee/dtr/images/single-sign-on-1.png b/ee/dtr/images/single-sign-on-1.png new file mode 100644 index 0000000000..c41d8970ec Binary files /dev/null and b/ee/dtr/images/single-sign-on-1.png differ diff --git a/ee/enable-client-certificate-authentication.md b/ee/enable-client-certificate-authentication.md index 112f295a80..4466534554 100644 --- a/ee/enable-client-certificate-authentication.md +++ b/ee/enable-client-certificate-authentication.md 
@@ -6,11 +6,11 @@ keywords: PKI, Client Certificates, Passwordless Authentication, Docker Enterpri ## Overview -In many organizations, authenticating to systems with a username and password combination is either restricted or outright prohibited. With Docker Enterprise 3.0, you can manage user authentication with your own public key infrastructure (PKI) using a pool of X.509 client certificates in lieu of usernames and passwords. +In many organizations, authenticating to systems with a username and password combination is either restricted or outright prohibited. With Docker Enterprise 3.0, UCP's [CLI client certificate-based authentication](/ee/ucp/user-access/cli/) has been extended to the web user interface (web UI). DTR has also been enhanced to work with UCP's internally generated client bundles for client certificate-based authentication. If you have an external public key infrastructure (PKI) system, you can manage user authentication using a pool of X.509 client certificates in lieu of usernames and passwords. ## Benefits -The following table outlines existing and added capabilities when using client certificates issued by an external certificate authority (CA) for authentication. +The following table outlines existing and added capabilities when using client certificates — both internal to UCP and issued by an external certificate authority (CA) — for authentication. | Operation | Benefit | | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
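Review bot: the rewritten Overview sentence now bundles three separate changes into one long sentence (UCP CLI certificate auth extended to the web UI, DTR accepting UCP-generated client bundles, and external PKI support), and the final clause "If you have an external public key infrastructure (PKI) system, you can manage user authentication using a pool of X.509 client certificates" can be read as if an external PKI were the only route to certificate-based login, which the preceding clause contradicts. Suggest one sentence per change, with the external-PKI sentence stated as the alternative to UCP-generated bundles. In the Benefits lead-in, the em-dash parenthetical "both internal to UCP and issued by an external certificate authority (CA)" sits directly above a very wide table header row; a plain parenthetical, e.g. "client certificates (UCP-generated or issued by an external certificate authority (CA))", reads better in the rendered page and in the raw markdown.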
@@ -114,7 +114,7 @@ Note: The above configuration means that Docker Engine will use the same client ## Image signing -DTR includes [two containers](/ee/dtr/architecture/#dtr-internal-components), `` and ``, which provide the required components for using Docker Content Trust (DCT) out of the box. In some cases, you need to additionally set an environment variable, `DOCKER_CONTENT_TRUST`, to `1`. +DTR provides the Notary service for using Docker Content Trust (DCT) out of the box. 
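Review bot: the replacement line drops two things the removed text carried: the link to the DTR internal components page that describes the Notary containers, and the hint that `DOCKER_CONTENT_TRUST` has to be set to `1` in some cases. Docker Engine does not sign on push or verify signatures on pull unless that variable is set, so a reader who only sees "DTR provides the Notary service for using Docker Content Trust (DCT) out of the box" will assume signing is already active. Keep a sentence saying when to export `DOCKER_CONTENT_TRUST=1` (or link to the DCT page that explains it), and keep the architecture link so the admin can find the Notary components when troubleshooting.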
@@ -168,17 +168,23 @@ API by passing a public certificate and private key pair instead of your DTR username and password/authentication token. ```bash - curl --cert cert.pem --key key.pem -X GET -"https:///api/v0/repositories?pageSize=10&count=false" -H "accept: -application/json" +curl --cert cert.pem --key key.pem -X GET \ +"https:///api/v0/repositories?pageSize=10&count=false" \ +-H "accept:application/json" ``` In the above example, `cert.pem` contains the public certificate and `key.pem` contains the private key. For non-admin users, you can generate a client bundle from UCP or contact your administrator for your public and private key pair. +For Mac-specific quirks, see [curl on certain macOS versions](#curl-on-certain-macos-versions). + ## Notary CLI operations with DTR -To use your PKI's TLS certificates to establish mutual trust between the Notary client and your trusted registry (DTR) using the Notary CLI, place your DTR's server CA and TLS client certificates in `/.docker/tls//` as `ca.crt`, `client.cert`, and `client.key`. Pass the FQDN or publicly accessible IP address of your registry along with the TLS client certificate options to the Notary client. To get started, see [Use the Notary client for advanced users](/notary/advanced_usage/). +For establishing mutual trust between the Notary client and your trusted registry (DTR) using the Notary CLI, place your TLS client certificates in `/.docker/tls//` as `client.cert` and `client.key`. Note that the filenames must match. Pass the FQDN or publicly accessible IP address of your registry along with the TLS client certificate options to the Notary client. To get started, see [Use the Notary client for advanced users](/notary/advanced_usage/). + +> ### Self-signed DTR server certificate +> +> Also place `ca.crt` in `/.docker/tls//` when you're using a self-signed server certificate for DTR. ## Troubleshooting tips 
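Review bot: in the Notary paragraph, "Note that the filenames must match." does not say what they must match. The removed wording listed the expected names explicitly, so state it directly: the files must be named exactly `client.cert` and `client.key` (and `ca.crt` when a CA file is needed), because those are the names the Notary client expects in that directory. The "Self-signed DTR server certificate" callout is narrower than the case it covers: `ca.crt` is required whenever the DTR server certificate is not issued by a CA the client already trusts, which includes an internal CA (the sibling change in `ee/dtr/admin/configure/use-your-own-tls-certificates.md` in this same patch draws exactly that distinction), so a title along the lines of "Self-signed or internal-CA DTR server certificate" would stop admins with a corporate CA from skipping it. The reflowed curl example is fine; `-H "accept:application/json"` without the space is still a valid header, and the new cross-reference `#curl-on-certain-macos-versions` matches the heading added later in this file.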
@@ -215,7 +221,7 @@ If successfully configured, you should see `TLSClientCertificate` listed as the Avoid adding DTR to Docker Engine's list of insecure registries as a workaround. This has the side effect of disabling the use of TLS certificates. -### x509 certificate errors +### DTR server certificate errors #### Example Error @@ -223,10 +229,20 @@ Avoid adding DTR to Docker Engine's list of insecure registries as a workaround. Error response from daemon: Get https://35.165.223.150/v2/: x509: certificate is valid for 172.17.0.1, not 35.165.223.150 ``` -- On the web user interface, make sure to add the IP or the FQDN associated with your custom TLS certificate under **System > General > Domains & Proxies**. +- On the web UI, make sure to add the IP address or the FQDN associated with your custom TLS certificate under **System > General > Domains & Proxies**. - From the command line interface, [reconfigure DTR](/reference/dtr/2.7/cli/reconfigure/) with the `--dtr-external-url` option and the associated PEM files for your certificate. ### Intermediate certificates -For chain of trust which includes intermediate certificates, you may optionally add those certificates when installing or reconfiguring DTR with `--enable-client-cert-auth` and `--client-cert-auth-ca`. +For chain of trust which includes intermediate certificates, you may optionally add those certificates when installing or reconfiguring DTR with `--enable-client-cert-auth` and `--client-cert-auth-ca`. You can do so by combining all of the certificates into a single PEM file. + +### curl on certain macOS versions + +Some versions of macOS include `curl` which only accepts `.p12` files and specifically requires a `./` prefix in front of the file name if running `curl` from the same directory as the `.p12` file: + +``` +curl --cert ./client.p12 -X GET \ +"https:///api/v0/repositories?pageSize=10&count=false" \ +-H "accept:application/json" +``` 
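Review bot: in the @@ -223 hunk, the new "curl on certain macOS versions" block is fenced with a bare ``` while every other command on this page uses ```bash; tag it so it highlights like the rest. More importantly, the section jumps from the `cert.pem`/`key.pem` pair used in the example above to `./client.p12` without saying how to obtain the `.p12`; add the conversion step, e.g. `openssl pkcs12 -export -in cert.pem -inkey key.pem -out client.p12`, right before the curl command, otherwise macOS users are stuck at the same point the section is meant to unblock. In the Intermediate certificates paragraph, "combining all of the certificates into a single PEM file" should say which certificates belong in that file (the intermediate and root CA certificates of the chain, not the client certificate itself) so nobody pastes a leaf certificate into `--client-cert-auth-ca`; also "For chain of trust which includes" should read "For a chain of trust that includes". The heading change in the @@ -215 hunk is fine.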
diff --git a/ee/ucp/admin/configure/use-your-own-tls-certificates.md b/ee/ucp/admin/configure/use-your-own-tls-certificates.md index f33ef805aa..13e32cd636 100644 --- a/ee/ucp/admin/configure/use-your-own-tls-certificates.md +++ b/ee/ucp/admin/configure/use-your-own-tls-certificates.md @@ -45,6 +45,10 @@ certificates, in this order. * A `key.pem` file with TLS private key. Make sure it is not encrypted with a password. Encrypted keys should have `ENCRYPTED` in the first line. +After replacing the TLS certificates, your users will not be able to authenticate +with their old client certificate bundles. Ask your users to access the UCP +web UI and [download new client certificate bundles](../../user-access/cli.md). + As of UCP v3.2, the **Certificates** page includes a new text field, ***Client CA***, that allows you to paste or upload one or more custom root CA certificates which the UCP Controller will use to verify the authenticity of client certificates issued by your corporate or @@ -52,9 +56,6 @@ trusted third-party CAs. Note that your custom root certificates will be appende Finally, click **Save** for the changes to take effect. -After replacing the TLS certificates, your users will not be able to authenticate -with their old client certificate bundles. Ask your users to access the UCP -web UI and [get new client certificate bundles](../../user-access/cli.md). If you deployed Docker Trusted Registry, you'll also need to reconfigure it to trust the new UCP TLS certificates.
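Review bot: enable-single-sign-on.md, hunk @@ -13,18 +13,51 @@: the new screenshot is referenced as `![](/ee/dtr/single-sign-on-1.png)` but the binary added by this patch is `ee/dtr/images/single-sign-on-1.png`, and the other DTR page in this patch references `![](/ee/dtr/images/license-2.png)`, so the image will not render unless the path becomes `/ee/dtr/images/single-sign-on-1.png`. Two smaller points: the inline reference "pass `--dtr-external-url ` to enable SSO" carries no value placeholder while the example below uses `dtr.example.com`, so show the placeholder inline as well; and both the `install` and `reconfigure` examples pass the private key as `--dtr-key "$(cat key.pem)"`, which puts the key material on the command line where it lands in shell history and in process listings on the host. A one-sentence note telling admins to run this from a host they control and to clear the history afterwards would be cheap and worthwhile. Finally, the three empty `+` lines after the image line can collapse to one.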
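Review bot: license-your-installation.md, hunk @@ -28,27 +28,7 @@: the whole "View licensing information" section is removed, including the `GET api/v0/admin/settings/license` request and its response, and replaced by the web UI location only. If the endpoint is still supported, keep a one-line pointer to it for users who script license monitoring (the `is_valid`, `expiration` and `scanning_enabled` fields in the removed response are exactly what such a check reads); if it was removed because the endpoint is gone or unsupported, say so in the commit message so the removal is not reverted later. Should the section be restored, note that the old curl example has an unbalanced quote (`"https://34.219.67.189/api/v0/admin/settings/license -H "accept: application/json"`) and uses a literal IP address where the sentence above it asks for the DTR FQDN.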
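Review bot: ee/dtr/admin/configure/use-your-own-tls-certificates.md, hunk @@ -33,7 +33,7 @@: "the client systems" is better than "your system", but it is still open which systems are meant. Since the sentence before contrasts web browsers and client tools, say explicitly that every host from which users browse to DTR or run Docker Engine against it must trust the internal CA, and that this is a per-host step that nothing in the DTR settings can do on their behalf; a link to the "Command line interface" section that follows, if that is where the per-host steps are, would close the loop.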
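Review bot: ee/ucp/admin/configure/use-your-own-tls-certificates.md, hunks @@ -45,6 +45,10 @@ and @@ -52,9 +56,6 @@: moving the "your users will not be able to authenticate with their old client certificate bundles" paragraph ahead of the save step is the right call, since the admin should know the consequence before clicking **Save**, but as a plain paragraph between the file list and the Client CA text it reads like one more step. Format it as a callout (this docs tree already uses `> ###` callouts, see the "Self-signed DTR server certificate" note added to enable-client-certificate-authentication.md in this same patch), and state whether the same invalidation happens when only the new **Client CA** field is changed, because as written the paragraph only covers replacing the server certificate. The removal hunk itself looks correct; just confirm it does not leave two consecutive blank lines before "If you deployed Docker Trusted Registry".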