Deploy the Console
This article is about enabling the console on a controller that is running in a container.
- Configure the controller

  The console's zac binding must be on the same web listener as the controller's management API, i.e., the edge-management binding.

      - binding: zac
        options:
          location: /ziti-console
          indexFile: index.html

  The location property is the filesystem path to the static files of the console. In the controller container, the usual path is /ziti-console. The indexFile property is the entry point to the console.
- To apply the changes, the controller must be restarted.
- Visit the console at /zac/ on the controller's address.

  The console is now available at https://<fqdn>:<port>/zac/.
Log in to the console.
The only available authentication method for the console SPA is username and password.
- Console certificate option - The console is served from the controller's API and can be used with the default API certificate. The controller can be configured to present a different certificate for the console when the API is accessed by a distinct URL for the console. For more information about using alternative server certs with the controller, see the configuration reference for the identity property.
Upgrade
The controller container includes the latest version of the console. You can instead mount console versions >= 3.0.0.
- Download a release.

      wget https://github.com/openziti/ziti-console/releases/latest/download/ziti-console.zip

- Unzip the static files and set read and list permission.

      unzip -d ./ziti-console ./ziti-console.zip
      chmod -R a+rX ./ziti-console

- Mount the console files read-only on the controller container.

      services:
        ziti-controller:
          volumes:
            - ./ziti-console:/ziti-console:ro

- Restart the controller service to apply the changes.

      docker compose up ziti-controller --force-recreate
Authenticate with an Admin Client Certificate
- Enroll an admin identity. Link to instructions

- Unwrap the JSON file to obtain the certificate and private key.

      ziti ops unwrap admin2.json

- Compose a keystore from the certificate and private key. The -legacy flag is necessary when importing the keystore into some versions of macOS Keychain Access.

      openssl pkcs12 -export -in admin2.cert -inkey admin2.key -out admin2.p12 -name "admin2" -legacy -password 'pass:mypassword'
- Import the keystore:

  - macOS: Import into System Keychain via Keychain Access application for Google Chrome. You can run a terminal command, double-click the keystore file, or drag it onto the login keychain to import it. The -P value must be the password the keystore was exported with.

        security import admin2.p12 -k ~/Library/Keychains/login.keychain -T /Applications/Google\ Chrome.app -P 'mypassword'

  - Windows: Import into the Windows Certificate Store (Personal store) via certmgr.msc.

  - Linux: Import into your browser's certificate store or system certificate store (e.g., Chrome Settings > Privacy and Security > Security > Manage certificates).
Visit the console in your web browser. The browser will prompt with a list of imported client certificates. Select the one you imported in the previous step.
-
Press the "LOGIN" button without entering a password.
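
The files produced by the unwrap and keystore steps above can be checked before the keystore is imported. This is an added example, not part of the OpenZiti documentation: it confirms that the certificate and key belong together, that the key file is not readable by other users, and that the keystore opens with its password and holds the same certificate. The function names are hypothetical; the file names in the usage comment follow the page.

```shell
#!/bin/sh
# Added example (not from the OpenZiti docs): checks to run on the files the
# steps above produce, before importing the keystore into a browser.

# True when the certificate's public key is the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True when group and other have no permissions on the unwrapped private key.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the client certificate inside a PKCS#12 file. The password is passed
# through the environment, not argv. A keystore written with -legacy needs
# -legacy to be read back by OpenSSL 3, so retry with it.
p12_client_cert() {
    out=$(P12_PASS=$2 openssl pkcs12 -in "$1" -nokeys -clcerts \
            -passin env:P12_PASS 2>/dev/null) ||
    out=$(P12_PASS=$2 openssl pkcs12 -in "$1" -nokeys -clcerts \
            -passin env:P12_PASS -legacy 2>/dev/null) || return 1
    printf '%s\n' "$out"
}

# True when the keystore opens with the password and holds the given certificate.
p12_contains_cert() {
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    got=$(p12_client_cert "$1" "$3" |
          openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$want" = "$got" ]
}

# Usage: check_admin_keystore admin2.cert admin2.key admin2.p12 PASSWORD
check_admin_keystore() {
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    key_is_private "$2" || { echo "run: chmod 600 $2" >&2; return 1; }
    p12_contains_cert "$3" "$1" "$4" || { echo "keystore check failed" >&2; return 1; }
    echo "keystore OK"
}

if [ "$#" -eq 4 ]; then check_admin_keystore "$@"; fi
```

The unwrapped admin2.key is an unencrypted admin credential, so keep it readable only by its owner and remove it once the keystore is imported.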