A new version of KernelCare ePortal allows using custom paths for certificates and uses system certificates by default, as opposed to the previous version which worked with certificates from certifi lib.
What is KernelCare ePortal?
KernelCare.ePortal is a patch server that runs internally, but outside of your firewall. It acts as a bridge between internal servers and the main KernelCare patch server. This approach is ideal for staging and production environments which need strict isolation from external networks, or which requires stricter control over the patches to be applied. You can learn more about ePortal in KernelCare Technical Whitepaper.
And now, KernelCare team is glad to announce that a new version of ePortal has been released. Here's what has been changed for the best.
"It was tremendous effort to release such a major ePortal version, we worked hard for few months to achieve this result. Hopefully our enterprise customers will feel the difference and their life will be a bit easier."
Mikhail Pobirsky, KernelCare’s Product manager
What's changed in ePortal?
First of all, KernelCare ePortal is now FIPS - compliant. Some of KernelCare clients have the requirements to the systems that allows them to state that they are FIPS 140-2 compliant. Usually it is done on python modules substitution to make sure that md5 is not used for cryptographic purposes. In KernelCare ePortal, such function is used to make sure that the file downloaded from the patch server is not broken and the cryptographic area is not affected. In this new release, we added a beacon to md5 call.
A second major improvement is certification usage logic enhancement. Previously, ePortal has been working with certificates provided by certifi lib. The current release changes this logic. ePortal 1.11-1 uses system certificates by default. To make your transition from previous ePortal version smooth, please, install the ca-certificates package before the update (command is the same for both Centos 6 and Centos 7):
yum -y install ca-certificates
If you encountered any issues with release delivery after new ePortal version installation, you can do the following:
1) You can always switch back to certifi and certificates provided by this library. In this case, please, add USE_CERTIFI=True parameter to /usr/share/kcare-eportal/config/local.py
echo 'USE_CERTIFI = True' >> /usr/share/kcare-eportal/config/local.py
After changing /usr/share/kcare-eportal/config/local.py you need to reboot ePortal following these instructions (dependent from your operating system): https://docs.kernelcare.com/kernelcare-enterprise/#stopping-starting.
Further updates won't require any additional actions from your end. Your certification settings in /usr/share/kcare-eportal/config/local.py will remain unchanged.
2) If you use custom certificates, you need to add CA_BUNDLE variable in /usr/share/kcare-eportal/config/local.py. Specify the path to the directory with your certificates as the value.
For example, the contents of /usr/share/kcare-eportal/config/local.py will look as follows:
CA_BUNDLE = '/my/certificates/directory'
Upgrading ePortal to the new version
If you are already using KernelCare ePortal, run the yum -y install kcare-eportal command to update it to 1.11-1 version.