1.1. Before You Start
This guide assumes you have an Azure account with an active Azure subscription.
1.1.1. Credentials involved
The inoQulate solution requires several passwords and secrets, which are generated for you automatically. Each of these passwords and secrets is 30 random alphanumeric characters and is stored as a Kubernetes Secret in your AKS cluster.
To see the actual value of a secret or password, run the command from the Read Value Command column against your cluster. See How do I run commands on my Kubernetes cluster?
A summary of all generated passwords and secrets is in the following table.
Credentials | Purpose | Read Value Command |
---|---|---|
Password for Database Admin | Access the PostgreSQL database as an admin. This database stores the configuration of EJBCA and Signserver. | `kubectl get secret db-admin-creds -o jsonpath='{.data.password}' \| base64 --decode` |
Database Password for EJBCA | For the EJBCA application to access the database. EJBCA accesses the database | `kubectl get secret ejbca-creds -o jsonpath='{.data.dbpassword}' \| base64 --decode` |
Database Username for Signserver | For the Signserver application to access the database. Signserver accesses the database | `kubectl get secret signserver-creds -o jsonpath='{.data.dbpassword}' \| base64 --decode` |
Trust Store Password | For the Java Truststore of the service runner to store TLS certificates of Signserver. | `kubectl get secret servicerunner-truststore-creds -o jsonpath='{.data.password}' \| base64 --decode` |
Client Cert Password | The password for the Client Certificate ( | `kubectl get secret superadmin-creds -o jsonpath='{.data.password}' \| base64 --decode` |
Signserver TLS Keystore Password | The password to the Java Keystore holding the TLS Certificate for the Signserver. | `kubectl get secret signserver-creds -o jsonpath='{.data.tlspassword}' \| base64 --decode` |
EJBCA SoftHSM SO PIN | The PIN to access the management functions of the SoftHSM installed in the EJBCA application. | `kubectl get secret ejbca-creds -o jsonpath='{.data.softhsmsopin}' \| base64 --decode` |
EJBCA User PIN | The PIN to use the cryptographic keys of the SoftHSM installed in the EJBCA application. | `kubectl get secret ejbca-creds -o jsonpath='{.data.softhsmuserpin}' \| base64 --decode` |
Signserver SO PIN | The PIN to access the management functions of the SoftHSM installed in the Signserver application. | `kubectl get secret signserver-creds -o jsonpath='{.data.softhsmsopin}' \| base64 --decode` |
Signserver User PIN | The PIN to use the cryptographic keys of the SoftHSM installed in the Signserver application. | `kubectl get secret signserver-creds -o jsonpath='{.data.softhsmuserpin}' \| base64 --decode` |
Signserver Entity Password | The password used to register Signserver as an application under the new CA. | `kubectl get secret signserver-creds -o jsonpath='{.data.entitypassword}' \| base64 --decode` |
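Decoding a secret to the terminal leaves it in scrollback, so confirming that every credential exists and matches the documented format (30 alphanumeric characters) is better done without displaying it. The script below is an added example, not part of the inoQulate documentation; the function names, the file name `audit-creds.sh` and the `--audit` argument are assumptions made for illustration, and like the commands in the table it reads from the current namespace.

```shell
#!/bin/sh
# Added example: audit the generated credentials without displaying them.
LC_ALL=C; export LC_ALL   # byte-wise length and character-class matching

# <secret name>:<data key> pairs, copied from the credentials table.
PAIRS="db-admin-creds:password
ejbca-creds:dbpassword
signserver-creds:dbpassword
servicerunner-truststore-creds:password
superadmin-creds:password
signserver-creds:tlspassword
ejbca-creds:softhsmsopin
ejbca-creds:softhsmuserpin
signserver-creds:softhsmsopin
signserver-creds:softhsmuserpin
signserver-creds:entitypassword"

# Reads a base64 value on stdin. Succeeds only if it decodes to exactly
# 30 alphanumeric characters. The decoded value is never written out.
check_format() {
    # The trailing "x" keeps a stray final newline from being stripped by $(...).
    decoded=$(base64 --decode 2>/dev/null && printf x) || return 1
    decoded=${decoded%x}
    [ "${#decoded}" -eq 30 ] || return 1
    case "$decoded" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Checks every pair against the cluster and reports names only, never values.
audit_all() {
    rc=0
    for pair in $PAIRS; do
        name=${pair%%:*}
        key=${pair#*:}
        if kubectl get secret "$name" -o "jsonpath={.data.$key}" 2>/dev/null | check_format; then
            echo "OK     $name/$key"
        else
            echo "REVIEW $name/$key: missing, unreadable, or not 30 alphanumeric characters"
            rc=1
        fi
    done
    return "$rc"
}

# Contacts the cluster only when asked to: sh audit-creds.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_all
fi
```

A `REVIEW` line for a key that exists usually means the value was replaced by hand, for example with a trailing newline introduced by `echo`.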
1.1.2. Register Resource Providers
Deploying the inoQulate solution requires the following Azure resource providers:

- Microsoft.ContainerService
- Microsoft.OperationsManagement

Please register the above providers before subscribing to the inoQulate solution.

1. In the Azure portal, enter Subscriptions in the search box. Select Subscriptions.
2. Click the subscription you intend to deploy the solution in.
3. In the left sidebar, under the Settings section, click Resource providers.
4. For each of the above providers, if it is not registered, click Register at the top.