Deployment Instructions
  • 09 Oct 2024
  • 25 Minutes to read
  • Dark
    Light
  • PDF

Deployment Instructions

  • Dark
    Light
  • PDF

Article summary

Support for on-premises deployments, including those using Containers, ended on December 31, 2023.

For more information, please see our OneSpan Product Life Cycle page, and consult the OneSpan End of Life policy.

For any additional questions contact your Customer Service Representative.


The following sections contain instructions for deploying OneSpan Sign containers:

Before You Begin

Before you begin, you must ensure that your system satisfies the deployment's hardware and software prerequisites.

You must also have installed the following third-party tools:

For information on installing and configuring these tools, click their links in the above list.

We strongly recommend that you block external access to all local paths:

  • /sysinfo/*

  • /esep/admin-console/*

  • /backoffice/*

  • /sso/saml/web/metadata/login

Downloading the OneSpan Sign Helm chart

To download the latest Helm Chart, contact your Customer Service Representative or our our Support Team.

Securing Access to the Docker Registry

Before you begin deploying the containers, you must obtain access to the OneSpan Sign Docker Registry. That will enable you to pull OneSpan Sign Docker images during the Helm installation. To obtain that access, you must create a suitable Kubernetes secret object in your namespace.

The following sample regcred.yaml file illustrates how to declare a registry secret:

apiVersion: v1
data:
  .dockerconfigjson: abcdefghijklmn
kind: Secret
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjso

Once that's done, you can create a Kubernetes secret object in your target namespace:

$ kubectl apply -f regcred.yaml -namespace my-namespace

The above actions must be completed before you continue.

For more information on creating Kubernetes secrets, see Kubernetes Secrets.

Configuring the Helm Chart

The following sections discuss various aspects of configuring the Helm chart:

Specifying a Public URL & Container Registry

OneSpan Sign's installation requires a public service URL and an accurate container registry. The following example illustrates one way of specifying these things:

global:
  publicUrl: "<url>"                                             # Public Edge/Loadbalancer Url
  containerRegistry: "onespan.jfrog.io/oss-onprem-docker-local"  # Global registry for all containers

If you are using a separate repository for each component (as in our jfrog repository), you must provide the repository argument for each component. For example:

envoy-load-balancer:
  repository: oss-gateway

sysinfo:
  repository: oss-system-information

sender-ui:
  repository: oss-sender-ui

signer-ui:
  repository: oss-signer-ui

backend-admin:
  repository: oss-backend-admin

backend:
  repository: oss-backend

backend-database-setup:
  repository: oss-backend-database-setup
  oracleRepository: oss-platform-database-setup

platform:
  repository: oss-platform

platform-admin:
  repository: oss-platform-admin

platform-database-setup:
  repository: oss-platform-database-setup
  oracleRepository: oss-platform-database-setup

aspose-document-converter:
  repository: oss-aspose-pdf-converter

document-engine:
  repository: oss-document-engine

sso:
  enabled: true
  repository: oss-single-sign-on

platform-seed:
  repository: oss-resource-manager-tenant-seeds

Adding SMTP Server External Certificates

The following procedure adds external certificates from an SMTP server to a OneSpan Sign Container environment.

To add external certificates from an SMTP server:

  1. In the my-values.yaml file, update the customCA property to include your SMTP server certificates (e.g., Outlook, Google.com).

    Your custom Certificate Authority (CA) bundle should be in a PEM (Privacy Enhanced Mail) format. It should contain the CA bundle of certificates that are to be trusted by the Java application. This allows the backend or backend-admin to interact with the SMTP service (or any other service).

  2. If this your first time deploying OneSpan Sign Containers, continue with this procedure. If not, see Upgrading the OSS Container Deployment .

  3. Sign in to OneSpan Sign BackOffice. To do so,you must have appropriate administrator privileges. If you do not have these privileges, contact our Support Team. For more information on using BackOffice, see the Application Administrator's Guide.

  4. Update the file email.properties with your SMTP server configuration values. For example:

    {
       "email.endpoint" : "",
      "email.service.type" : "smtpEmailService",
      "email.stmp.host" : "smtp.office365.com",
      "email.stmp.port" : "587",
      "email.username" : "neteskube@outlook.com",
      "email.password" : "vP$Td&4************^En4xxhdD",
      "email.stmp.ssl" : "false",
      "email.stmp.tls" : "true"
    }

Ensure that your domain is not blocked, and that all required ports are open to the cluster's network.

Viewing Default Parameter Values

To view the Helm Chart's default parameter values for OneSpan Sign:

  • Run the following command:

$ helm inspect values oss > default-values.yaml

This creates a default-values.yaml file that contains the default values.

The default-values.yaml file is a good place to start when you create your own customized my-values.yaml file, since it explains most commonly available values. Installing OneSpan Sign Using Helm instructs you to make that customization.

The following default values may be of particular interest:

  • targetDatabaseType: "mysql" — If you choose to use MySQL as the external database provider, you must edit the my-values.yaml file.

  • emailTemplateType: "smtp" — The default Email Service type for OneSpan Sign is SMTP. To receive system notifications, you must specify the following secrets:

    emailAccessUserKey: ""                             
    emailSecretPasswordKey: ""                         
    emailSMTPHostServerName: ""
  • useExternalCertificates: "false" — By default, OneSpan Sign services are configured with self-signed certificates. However, we recommend using external certificates if you are in a non-development environment. For more information, see Installing Certificates.

The Helm Chart for OneSpan Sign supports external database servers. However, if you decide to use an external database server, you must provide the required connection information.

Validating the Helm Chart

Helm can validate a chart by connecting to the Kubernetes API server.

To validate the Helm Chart:

  • Run the following command:

$ helm install --dry-run oss oss \
     -f my-values.yaml --debug \
     --namespace my-namespace

If the validation is successful, it will render the manifest in the form of yamls (Kubernetes resources).

Debugging the Chart Configuration

Helm provides an offline "template" command that is useful for debugging charts, and for testing or previewing a chart configuration. This enables you to: (1) render a Helm Chart without applying its values; (2) then see the resources that the chart would create in your Kubernetes cluster.

To debug the Helm Chart's configuration:

  • Run the following command:

$ helm template --debug oss oss \
    -f my-values.yaml \
    --namespace my-namespace

Installing OneSpan Sign Using Helm

During the installation of Helm, in the background OneSpan Sign creates the following databases:

  • Core Database: A database used by the Core Component

  • OneSpan Sign Application Database: A database used by the OneSpan Sign Application

  • Audit Database: A database used by the Audit Service

During the initial configuration of these databases, there is a data-migration process and then a database-seeding process. These processes initialize basic parameter settings for the various OneSpan Sign components.

For explanations of most common available parameter values, see the file default-values.yaml.

The database-seeding process occurs only during the first upgrade. Any future upgrade will skip this process.

After you have configured and verified the Helm Chart, you can begin customizing your my-values.yaml file.

OneSpan will provide the my-values.yaml file, which you can then customize.

To customize and then apply the my-values.yaml file:  

  1. Inside the file, specify values for the following required parameters:

    • publicUrl

    • containerRegistry

    • For example:

      global:
        publicUrl: "my-oss.mydomain.com"
        containerRegistry: "myregistry.com"
  2. Specify the following values for the load balancer:

    envoy-load-balancer:
     image:
        repository: oss-gateway
     externalCertificateMountPath: "/tmp/certificates"
     externalCertificate: true
     externalPublicKey: |- # If adding external public key to values, put cert underneath |- and not within quotations
     -----BEGIN CERTIFICATE-----
     puclic key in PEM format
     -----END CERTIFICATE-----
     externalPrivateKey: |- # If adding external private key to values, put cert underneath |- and not within quotations
     -----BEGIN RSA PRIVATE KEY-----
     private key in PEM format 
     -----END RSA PRIVATE KEY-----
  3. After your initial setup, several optional components can be installed for the OneSpan Sign service. To specify parameter values for these components, you will need to edit them in the my-values.yaml file. For example:

    sso:
      enabled: true
      
    remote-sign-authenticator:
      enabled: true

    For advice on editing these values, refer to oss/README.md.

  4. Prepare your my-values.yaml file by using the values specified in the section corresponding to the database you plan to use:

  5. To install in the Kubernetes namespace my-namespace a OneSpan Sign release that uses the values specified in your my-values.yaml file, run the following command:

    $ helm install oss oss \
        -f my-values.yaml \
        --namespace my-namespace 

Using LunaHSM

If you are using LunaHSM, then additional configurations need to be made to the my-values.yaml file.

To customize and then apply the my-values.yaml file for use with LunaHSM:

  1. Prepare the my-values.yaml file to deploy OSS helm charts, as described in Configuring the Helm Chart. As LunaHSM interacts with the document engine, you will need to provide the following document engine configurations.  

    document-engine:
      image:
        pullPolicy: Always
        repository: oss/document-engine/project
      ## Parameters for Luna HSM, set when hsm=lunahsm
      hsm: lunahsm
      lunahsm:
        hsmIp:                        # HSM IP address or FQDN, required for Luna Network(on-premise) HSM
        partitionPassword:            # The partition password, required for Luna Network(on-premise) HSM
        partitionIp:                  # The partition name of your Luna HSM, required for Luna Network(on-premise) HSM
        slotId:                       # Slot number of the HSM partition the Luna HSM Client is connecting to
        cuUser:                       # Username for logging into the Luna HSM from the Luna HSM client, required for Luna Network(on-premise) HSM; note: as of this writing, this user must have "admin" user rights
        cuPassword:                   # Password for logging into the Luna HSM from the Luna HSM client, required for Luna Network(on-premise) HSM
        cuClient:                     # Client username registered in the partition if using the Luna Network(on-premise) HSM
        clientPublicIp:               # Public IP of oss kubernetes cluster 
  2. To install in the Kubernetes namespace my-namespace a OneSpan Sign release that uses the values specified in your my-values.yaml file, run the following command:

    $ helm install oss oss \
        -f my-values.yaml \
        --namespace my-namespace 
  3. Login to the Platform Admin Console: https://{host}/esep/admin-console/main/index.htm

  4. Navigate to Manage Settings > PDF Document Engine> Resources and upload the following certificates:

    • ca-sha256-root_cert.pem

    • CMG7_cert.pem

    • intrm-sha256-2_cert.pem

    • privatekeyhandle.pem

  5. Navigate to Manage Settings > PDF Document Engine> Configurations > DocumentEngineSettings.properties and update the following properties:

    CPSFile

    The full path of a *.pem file that contains the PDF Document Engine’s private key

    privatekeyhandle.pem#/opt/gemsigning/safenet/lunaclient/lib/libCryptoki2_64.so#0

    Note: If you have a Luna Network HSM deployment, you must use the following format for this parameter:

    <Key Handle PEM file>#<Absolute Path>/libCryptoki2.so#<slot id>

    However, if you are using slot id = 1 (the default value), and if the libCryptoki library is in its "Luna Client installed location", the format you should use for this parameter is simply <Key Handle PEM file>.

    IntermediateCertificates

    intrm-sha256-2_cert.pem

    SignerCertificate

    CMG7_cert.pem

    TrustedCertificates

    ca-sha256-root_cert.pem

  6. Recycle the document-engine pod.This will sync the configuration changes made in the platform admin console.

Using an Existing Oracle Database

To use your own pre-configured Oracle database, you must provide detailed information that Helm needs to properly connect the database to the server. As described in Step 3 of Installing OneSpan Sign Using Helm, values for the next table's parameters must be merged into the file my-values.yaml.

The database users defined in the database setup containers need full DDL permissions. The database users defined in the backend and platform services need full DML on their respective schemas.

backend-admin:
  targetDatabaseType: "oracle"                       # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle

  oracleDatabaseHost: ""                             # Oracle Database Hostname (Required for external oracle database)
  oracleDatabaseServicePort: ""                      # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521)
  oracleDatabaseUrl: ""                              # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database)
  oracleDatabaseUserName: ""                         # Oracle Backend Username (Required for external oracle database)
  oracleDatabasePassword: ""                         # Oracle Backend User Password (Required for external oracle database)
  oracleDatabaseSchema: ""                           # Oracle Backend Database Schema Name (Required for external oracle database)
  oracleAuditDatabaseSchema: ""                      # Oracle Audit Database Schema Name (Required for external oracle database)

backend:
  targetDatabaseType: "oracle"                       # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle

  oracleDatabaseHost: ""                             # Oracle Database Hostname (Required for external oracle database)
  oracleDatabaseServicePort: ""                      # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521)
  oracleDatabaseUrl: ""                              # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database)
  oracleDatabaseUserName: ""                         # Oracle Backend Username (Required for external oracle database)
  oracleDatabasePassword: ""                         # Oracle Backend User Password (Required for external oracle database)
  oracleDatabaseSchema: ""                           # Oracle Backend Database Schema Name (Required for external oracle database)

backend-database-setup:
  targetDatabaseType: "oracle"                       # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle

  oracleCreateApplicationUsers: ""                   # Boolean Value to Create or not Create Application Users on Oracle Setup (Required for external oracle database)
  oracleCreateTableSpace: ""                         # Boolean Value to Create or not Create Table Spaces on Oracle Setup (Required for external oracle database)
  oracleCreatePlatformSchema: ""                     # Boolean Value to Create or not Create Platform Schema on Oracle Setup (Required for external oracle database)
  oracleDatabaseHost: ""                             # Oracle Database Hostname (Required for external oracle database)
  oracleDatabaseServicePort: ""                      # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521)
  oracleDatabaseUrl:                                 # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database)
  oracleDatabaseSchema:                              # Oracle Backend Database Schema Name (Required for external oracle database)
  oraclePlatformDatabaseSchema: ""                   # Oracle Platform Database Schema Name (Required for external oracle database)
  oracleAuditDatabaseSchema: ""                      # Oracle Audit Database Schema Name (Required for external oracle database)
  oracleDatabaseUserName:                            # Oracle Backend Username (Required for external oracle database)
  oracleAuditDatabaseUser: ""                        # Oracle Audit Username (Required for external oracle database)
  oraclePlatformDatabaseUserName: ""                 # Oracle Platform Username (Required for external oracle database)
  oracleRootPassword: ""                             # Oracle Database Root Password for 'sys' user (Required for external oracle database)
  oracleBackendDatabasePassword: ""                  # Oracle Backend User Password (Required for external oracle database)
  oracleAuditDatabasePassword: ""                    # Oracle Audit User Password (Required for external oracle database)

platform:
  targetDatabaseType: "oracle"                       # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle

  oracleDatabaseHost: ""                             # Oracle Database Hostname (Required for external oracle database)
  oracleDatabaseServicePort: ""                      # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521)
  oracleDatabaseUrl: ""                              # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database)
  oraclePlatformDatabaseUserName: ""                 # Oracle Platform Username (Required for external oracle database)
  oracleDatabasePassword: ""                         # Oracle Platform User Password (Required for external oracle database)
  oracleDatabaseSchema: ""                           # Oracle Platform Database Schema Name (Required for external oracle database)

platform-admin:
  targetDatabaseType: "oracle"                       # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle

  oracleDatabaseHost: ""                             # Oracle Database Hostname (Required for external oracle database)
  oracleDatabaseServicePort: ""                      # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521)
  oracleDatabaseUrl: ""                              # Oracle Database Hostname + Port ex: 'domain.com:1521' (Required for external oracle database)
  oraclePlatformDatabaseUserName: ""                 # Oracle Platform Username (Required for external oracle database)
  oracleDatabasePassword: ""                         # Oracle Platform User Password (Required for external oracle database)
  oracleDatabaseSchema: ""                           # Oracle Platform Database Schema Name (Required for external oracle database)

platform-database-setup:
  targetDatabaseType: "oracle"                       # From the following supported options - 'mysql' (default), 'oraclecontained' for the preconfigured Oracle TestDB, 'oracle' for external Oracle

  oracleDatabaseHost: ""                             # Oracle Database Hostname (Required for external oracle database)
  oracleDatabaseServicePort: ""                      # Oracle Database Host Port (Required for external oracle database IF port is NOT 1521)
  oraclePlatformDatabaseUserName: ""                 # Oracle Platform Username (Required for external oracle database)
  oracleDatabasePassword: ""                         # Oracle Platform User Password (Required for external oracle database)
  oracleBackendDatabaseSchema: ""                    # Oracle Backend Database Schema Name (Required for external oracle database)
  oraclePlatformDatabaseSchema: ""                   # Oracle Platform Database Schema Name (Required for external oracle database)
  oracleRootPassword: ""                             # Oracle Database Root Password for 'sys' user (Required for external oracle database)
  oracleBackendDatabaseUserName: ""                  # Oracle Backend Username (Required for external oracle database)
  oracleBackendDatabasePassword: ""                  # Oracle Backend User Password (Required for external oracle database)
  oracleAuditDatabaseSchema: ""                      # Oracle Audit Database Schema Name (Required for external oracle database)
  oracleAuditDatabaseUserName: ""                    # Oracle Audit Username (Required for external oracle database)
  oracleAuditDatabasePassword: ""                    # Oracle Audit User Password (Required for external oracle database)
  oracleCreateTableSpace: ""                         # Boolean Value to Create or not Create Table Spaces on Oracle Setup (Required for external oracle database)
  oracleCreateApplicationUsers: ""                   # Boolean Value to Create or not Create Application Users on Oracle Setup (Required for external oracle database)
  oracleCreatePlatformSchema: ""                     # Boolean Value to Create or not Create Platform Schema on Oracle Setup (Required for external oracle database)

If using Amazon Relational Database Service (RDS)

If you are using Amazon's Relational Database Service (RDS) then additional parameters must be added to the Oracle parameter listed above. In addition to those parameters, you must add these:

useAmazonRds: "true"                    # Required to be true for external oracle database using Amazon RDS.
awsRdsMasterUserName: "<master user>"   # Required for externa

Manually Creating Table Spaces and Application Users

If you prefer to create table spaces and application users manually, you must set certain values to false. Before you configure those values, you must first create the following:

  • The database platform

  • The Application Database and Audit Database

  • Your users. Each database user must have the permissions to create, alter and drop objects.

Once you've done this, edit your yaml file to set the creation of certain objects to false, as shown here:

yaml
backend-database-setup:
oracleCreateApplicationUsers: "false"                   # Boolean Value to Create or not Create Application Users on Oracle Setup 
oracleCreateTableSpace: "false"                         # Boolean Value to Create or not Create Table Spaces on Oracle Setup 
oracleCreatePlatformSchema: "true"                      # Boolean Value to Create or not Create Platform Schema on Oracle Setup 
oracleRootPassword: ""                                  # Oracle Database Root Password for 'sys' user (Not required when 'oracleCreateApplicationUsers' or 'oracleCreateTableSpace' or 'oracleCreatePlatformSchema' is set to 'false')
oracleDatabaseHost: ""                                  # Oracle Database Hostname
oracleDatabaseServicePort: ""                           # Oracle Database Host Port 
oracleDatabaseUrl:                                      # Oracle Database Hostname + Port ex: 'domain.com:1521' 
oracleDatabaseSchema:                                   # Oracle Backend Database Schema Name 
oraclePlatformDatabaseSchema: ""                        # Oracle Platform Database Schema Name 
oracleAuditDatabaseSchema: ""                           # Oracle Audit Database Schema Name 
oracleDatabaseUserName:                                 # Oracle Backend Username 
oracleAuditDatabaseUser: ""                             # Oracle Audit Username 
oraclePlatformDatabaseUserName: ""                      # Oracle Platform Username 
oracleBackendDatabasePassword: ""                       # Oracle Backend User Password
oracleAuditDatabasePassword: ""                         # Oracle Audit User Password 
  
platform-database-setup:  
oracleCreateTableSpace: "false"                         # Boolean Value to Create or not Create Table Spaces on Oracle Setup 
oracleCreateApplicationUsers: "false"                   # Boolean Value to Create or not Create Application Users on Oracle Setup 
oracleCreatePlatformSchema: "false"                     # Boolean Value to Create or not Create Platform Schema on Oracle Setup 
oracleRootPassword: ""                                  # Oracle Database Root Password for 'sys' user (Not required when 'oracleCreateApplicationUsers' or 'oracleCreateTableSpace' or 'oracleCreatePlatformSchema' is set to 'false')
oracleDatabaseHost: ""                                  # Oracle Database Hostname 
oracleDatabaseServicePort: ""                           # Oracle Database Host Port (IF port is NOT 1521)
oraclePlatformDatabaseUserName: ""                      # Oracle Platform Username 
oracleDatabasePassword: ""                              # Oracle Platform User Password 
oracleBackendDatabaseSchema: ""                         # Oracle Backend Database Schema Name
oraclePlatformDatabaseSchema: ""                        # Oracle Platform Database Schema Name
oracleBackendDatabaseUserName: ""                       # Oracle Backend Username 
oracleBackendDatabasePassword: ""                       # Oracle Backend User Password
oracleAuditDatabaseSchema: ""                           # Oracle Audit Database Schema Name
oracleAuditDatabaseUserName: ""                         # Oracle Audit Username 
oracleAuditDatabasePassword: ""                         # Oracle Audit User Password 	

Using an Existing MS SQL Database

To use your own pre-configured Microsoft SQL Server database, you must provide detailed information that Helm needs to properly connect the database to the server. As described in Step 3 of Installing OneSpan Sign Using Helm, values for the next table's parameters must be merged into the file my-values.yaml.

yaml
backend-admin:
  ## MSSQL Required parameters
  ## To use Your External instance - you must provide all mssql option args
  ## Defaults to configuration of "contained" mssql DB
  targetDatabaseType: "sqlserver"
  flywayJdbcUrl:
  flywayAuditJdbcUrl:
  mssqlHostname:
  mssqlDatabasePort:
  mssqlDatabase:
  mssqlDatabaseSchema:
  mssqlRootUsername:
  mssqlRootPassword:
  mssqlUsername:
  mssqlPassword:
  mssqlDeployUsername:
  mssqlDeployPassword:
  mssqlReadonlyUsername:
  mssqlReadonlyPassword:
  mssqlAuditDatabase:
  mssqlAuditDatabaseUsername:
  mssqlAuditDatabasePassword:
  mssqlAuditDeployDatabaseUsername:
  mssqlAuditDeployDatabasePassword:

backend:
  ## MSSQL Required parameters below.
  targetDatabaseType: "sqlserver"

backend-database-setup:
  ## MSSQL Required parameters below.
  targetDatabaseType: "sqlserver"

platform:
  ## MSSQL Required parameters below. Refer from values.yaml file
  targetDatabaseType: "sqlserver"

platform-admin:
  ## MSSQL Required parameters below. Refer from values.yaml file
  targetDatabaseType: "sqlserver"

platform-database-setup:
  ## MSSQL Required parameters below. Refer from values.yaml file
  targetDatabaseType: "sqlserver"

platform-seed:
  targetDatabaseType: "sqlserver"

Using an Existing MYSQL Database

To use your own pre-configured MySQL database, you must provide detailed information that Helm needs to properly connect the database to the server. As described in Step 3 of Installing OneSpan Sign Using Helm, values for the next table's parameters must be merged into the file my-values.yaml.

backend-admin:
  mysqlDatabaseUserName: "myUser"
  mysqlDatabasePassword: "myPassword"
  mysqlDatabaseHostName: "myHostname"
  mysqlDatabaseServicePort: "3306"

backend:
  mysqlDatabaseUserName: "myUser"
  mysqlDatabasePassword: "myPassword"
  mysqlDatabaseHostName: "myHostname"
  mysqlDatabaseServicePort: "3306"

platform:
  mysqlDatabaseUserName: "myUser"
  mysqlDatabasePassword: "myPassword"
  mysqlDatabaseHostName: "myHostname"
  mysqlDatabaseServicePort: "3306"
  
platform-admin:
  mysqlDatabaseUserName: "myUser"
  mysqlDatabasePassword: "myPassword"
  mysqlDatabaseHostName: "myHostname"
  mysqlDatabaseServicePort: "3306"

Installing Certificates

By default, OneSpan Sign components use self-signed certificates. However, when you are in a non-development environment, we recommend using external certificates.

Which parameters you need to configure is determined by the components to which a customized certificate will be applied.

The following parameters are common to each chart:

  • ExternalCertificates — If you are using an external certificate, set this value to true. Provide the certificate with its externalPublicKey and externalPrivateKey.

  • externalPublicKey

  • externalPrivateKey

The following table describes the certificates used by each component.

Component

Certificate and Secret

Notes

##backend

name: backend-secret-tls

  • variables:

    • tls.crt:

    • tls.key:

name: backend-secret-ca-cert

  • variables:

    • ca-all.cer:

name: externalCertificateCA (see Notes)

To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing.

 

##backend-admin

name: backend-admin-secret-tls

  • variables:

    • tls.crt:

    • tls.key:

name: backend-admin-secret-ca-cert

  • variables:

    • ca-all.cer:

name: externalCertificateCA (see Notes)

To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing.

##document-engine

name: document-engine-cert

  • variables:

    • LOCALHOSTCRT:

    • LOCALHOSTKEY:

name: backend-admin-secret-ca-cert

  • variables:

    • ca-all.cer:

 

##envoy-load-balancer

name: secret-envoy-load-balancer-tls

  • variables:

    • server.crt:

    • server.key:

name: backend-admin-secret-ca-cert

  • variables:

    • ca-all.cer:

 

##platform

name: platform-secret-tls

  • variables:

    • tls.crt:

    • tls.key:

name: platform-secret-ca-cert

  • variables:

    • ca-all.cer:

name: externalCertificateCA (see Notes)

To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing.

##platform-admin

name: platform-admin-secret-tls

  • variables:

    • tls.crt:

    • tls.key:

name: platform-admin-secret-ca-cert

  • variables:

    • ca-all.cer:

name: externalCertificateCA (see Notes)

To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing.

##remote-sign-authenticator

name: remote-sign-authenticator-secret-tls

  • variables:

    • tls.crt:

    • tls.key:

name: remote-sign-authenticator-secret-ca-cert

  • variables:

    • ca-all.cer:

name: Generic

  • variables:

    • ca-all.cer:

name: externalCertificateCA (see Notes)

To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing.

Example: kubectl creates a generic secret.

remote-sign-authenticator-secret-ca-cert --from-file=ca-all.cer

##remote-sign-authenticator

- GovTech

name: remote-sign-authenticator-issuer-cert

  • variables:

    • GOVTECH_ISSUER_CERT:

name: remote-sign-authenticator-root-cert

  • variables:

    • GOVTECH_ISSUER_CERT:

name: Generic

  • variables:

    • ca-all.cer:

The certificate for GovTech can be passed on a single line via the values file, or by using a CLI.

For example:

govTechIssuerCert: "MIIEZDCCA+qgAwIBAgIQKJRkgTsNFqX5YcSkR..." govTechRootCertificate: "MIIEZDCCA+qgAwIBAgIQKJRkgTsNFqX5..."

##sender-ui

name: secret-sender-ui-tls

  • variables:

    • tls.crt:

    • tls.key:

 

##signer-ui

name: secret-signer-ui-tls

  • variables:

    • tls.crt:

    • tls.key:

 

##sso

name: sso-secret-tls

  • variables:

    • tls.crt:

    • tls.key:

name: sso-secret-ca-cert

  • variables:

    • ca-all.cer:

name: externalCertificateCA (see Notes)

To pass CA certificates for this component, you must specify a value for externalCertificateCA. This must be done using Inline Certificate Passing.

##sysinfo

name: secret-sysinfo-tls

  • variables:

    • tls.crt:

    • tls.key:

 

Creating Kubernetes Secret Objects

For more information about secrets, see Managing Secrets using kubectl.

Kubernetes secret objects can be created in the following ways:

Inline Certificate Passing

When you pass a certificate into the values file, you must insert it exactly as it is appears in the actual certificate file. For example:

externalPublicKey: |-
  -----BEGIN CERTIFICATE-----
  MIIEhjCCA26gAwIBAgIBEzANBgkqhkiG9w0BAQsFADB4MQswCQYDVQQGEwJDQTEP
  MA0GA1UECAwGUXVlYmVjMRswGQYDVQQKDBJTaWxhbmlzIFRlY2hub2xvZ3kxDDAK
  BgNVBAsMA1ImRDEtMCsGA1UEAwwkVGVzdENlcnQgT3BlblNTTCBTSEEyIEludGVy
		
		...<the rest of the certificate>...

  -----END CERTIFICATE-----

Single Line Certificate Passing

To pass a certificate using a single line, use the following command:

externalCertificate: '---BEGIN CERTIFICATE-\nMIIEhjCCA26gAwIBAgIBEzANBgkqhkiG9w0BAQsFADB4MQswCQYDVQQGEwJDQTEP\n .... \nGaIm5+Hw5F9r3g==\n-END CERTIFICATE---\n'

Command Line Certificate Passing

When you create a secret using a command line (CLI), you must reference: (1) the appropriate file on the file system; (2) the appropriate secret, as described above. For example:

kubectl create secret tls <tls secret name> --<certificate variable name>=<certificate file> --<key variable name>=<key file>
kubectl create secret generic <generic secret name> --from-file=<ca bundle file>

Managing Resources

This section describes the following customizations:

Customizing Resource Requests and Limits

You can customize the resource limits and requests for each component by adding appropriate resource values to the Helm Chart. This will overwrite any relevant default setting.

For example, to customize the memory and CPU values, you would add the following to the backend section of your my-values.yaml file:

backend:
  enabled: true
  resources:                # Specify CPU and memory resource limits and requests for this pod
    requests:
      memory: "8G"
      cpu: "4"
    limits:
      memory: "8G"
      cpu: "4"

Customizing JVM Parameters

The OneSpan Sign Helm Chart has pre-defined JVM parameters for the following components:

  • backend

  • backend-admin

  • platform

  • platform-admin

  • aspose-document-converter

In each component's sub-chart, the following configurations appear in the respective values.yaml files:

minJavaHeapSizeInMb: 128
maxJavaMetaspaceSizeInMb: 3072
maxJavaRamPercentage: "80.00"


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, our interactive help assistant