edoc platform Administration Guide

Check the system for protection by a firewall with TLS inspection (on-premises)

In this article, you will learn how to find out whether your local (on-premises) edoc platform system is protected by a firewall with TLS inspection (SSL inspection).

This special type of firewall decrypts the TLS traffic, evaluates the content and encrypts it again with another certificate.

Communication with certain domains or Internet services must be excluded from this inspection. This ensures that edoc platform can communicate properly with other systems and that the required resources are available.

An overview of the internet services that need to be activated can be found here: Active firewall - enable Internet services for edoc platform (on-premises)

Details of the script and the check

The following script is delivered on every edoc platform system:

/opt/agent/scripts/test_fw_ssl_tar.sh


If you call the script without parameters, it checks the certificate issuers of three domains: sc.edoc.de, k8s.gcr.io, registry.k8s.io

sudo /opt/agent/scripts/test_fw_ssl_tar.sh 


If the edoc platform system is not protected by a firewall with TLS inspection or the firewall has been configured correctly, you will receive the following output:

Trying to get certificate from registry.k8s.io
✅ SSL certificate from registry.k8s.io matches the expected issuer. Likely not behind SSL inspection.
Trying to get certificate from sc.edoc.de
✅ SSL certificate from sc.edoc.de matches the expected issuer. Likely not behind SSL inspection.
Trying to get certificate from k8s.gcr.io
✅ SSL certificate from k8s.gcr.io matches the expected issuer. Likely not behind SSL inspection.


With the -i parameter, the container image registry.k8s.io/pause:latest is also downloaded and checked:

sudo /opt/agent/scripts/test_fw_ssl_tar.sh -i


Instead of the Kubernetes pause image, you can specify a different image after the -i parameter:

sudo /opt/agent/scripts/test_fw_ssl_tar.sh -i $IMAGE_URL

You can display an overview of the script's options and their usage with the following command:

sudo /opt/agent/scripts/test_fw_ssl_tar.sh -h
Usage: ./test_fw_ssl_tar.sh [-d domain] [-i image_url]
  -d domain        The domain to check for SSL certificate (optional, default: sc.edoc.de)
  -i image_url     The image URL to download (optional, default: registry.k8s.io/pause:latest if -i is used without a value)
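
The issuer comparison described above can be reproduced by hand with the openssl command line tool. The following is an added example, not the shipped test_fw_ssl_tar.sh; the function names are hypothetical, and the expected issuer pattern is an assumption you must supply yourself, because this page does not list the issuers the script expects.

```shell
#!/bin/sh
# Added example (not the shipped test_fw_ssl_tar.sh): compare the issuer of the
# certificate a host presents with the issuer you expect. A TLS-inspecting
# firewall re-signs the connection, so the issuer changes to the firewall's CA.

# Print the issuer line of the leaf certificate presented by host $1 on port 443.
# Needs network access and the openssl CLI; prints nothing if no certificate arrives.
get_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# Classify issuer line $1 against expected pattern $2 (extended regex, case-insensitive).
# Returns 0 = expected issuer, 1 = different issuer (possible TLS inspection),
# 2 = no certificate retrieved (connection blocked or reset).
classify_issuer() {
    if [ -z "$1" ]; then
        echo "no-certificate"
        return 2
    fi
    if printf '%s\n' "$1" | grep -Eiq -- "$2"; then
        echo "expected-issuer"
        return 0
    fi
    echo "unexpected-issuer"
    return 1
}

# Fetch and classify in one step: check_host <domain> <expected-issuer-pattern>
check_host() {
    classify_issuer "$(get_issuer "$1")" "$2"
}

# Run a check only when a domain and a pattern are passed on the command line,
# e.g.: sh check_issuer.sh sc.edoc.de 'EXPECTED_ISSUER_PATTERN' (placeholder pattern)
if [ "$#" -ge 2 ]; then
    check_host "$1" "$2"
fi
```

An "unexpected-issuer" result usually names the firewall's own CA in the issuer line, which identifies the device whose exclusion list needs the domain.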