Console Deployment
Installation
Install the Package
The package installs the console files in /opt/openziti/share/console.
sudo apt install openziti-console
Or, configure the package repository and install with this one-liner.
curl -sS https://get.openziti.io/install.bash | sudo bash -s openziti-console
Install from GitHub
Console versions >= 3.0.0 from GitHub may be used.
-
Download a release.
wget https://github.com/openziti/ziti-console/releases/latest/download/ziti-console.zip
-
Unzip in a directory that is mounted in the controller's filesystem namespace.
sudo mkdir -p /opt/openziti/share/console
sudo unzip -d /opt/openziti/share/console ./ziti-console.zip
Configuration
-
In /var/lib/ziti-controller/config.yml, ensure you have an API binding zac on the same web listener where edge-management is bound. Ensure the location matches the path to the console files.
- binding: zac
  options:
    location: /opt/openziti/share/console
    indexFile: index.html
-
Restart the controller service if you edited the configuration.
sudo systemctl restart ziti-controller.service
-
Visit the controller's web address in a browser to access the console.
https://ctrl.ziti.example.com:1280/zac/
-
Console certificate option - The console is served from the controller's API and can be used with the default API certificate. The controller can be configured to present a different certificate for the console when the API is accessed by a distinct URL for the console. For more information about using alternative server certs with the controller, see the configuration reference for the identity property.
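One way to check the binding described in the configuration steps above before restarting the controller, as an added example that is not OpenZiti project code. The function names are hypothetical, and the scan assumes block-style YAML with unquoted values, where each listener under the top-level web: key starts with a "- name:" line.

```sh
#!/bin/sh
# Added example, not OpenZiti project code; function names are hypothetical.
# Assumes block-style YAML with unquoted values: listeners under the top-level
# "web:" key start with "- name:", and APIs are listed as "- binding: <api>".

# Prints "<listener> <location> <indexFile>" for the listener that binds zac.
# Fails unless edge-management is bound on that same listener.
zac_binding() {
  awk '
    /^[^ \t#]/ { inweb = ($1 == "web:") }   # track the top-level section
    !inweb { next }
    /^[ \t]*-[ \t]+name:/ { listener = $3; api = "" }
    /^[ \t]*-[ \t]+binding:/ {
      api = $3
      if (api == "zac") zac = listener
      if (api == "edge-management") mgmt[listener] = 1
    }
    api == "zac" && $1 == "location:"  { loc = $2 }
    api == "zac" && $1 == "indexFile:" { idx = $2 }
    END {
      if (zac == "" || !(zac in mgmt)) exit 1
      print zac, loc, idx
    }' "$1"
}

# Returns 0 when the binding is in place and the index file exists on disk,
# 1 when zac is missing or on another listener, 2 when the file is absent.
check_console() {
  out=$(zac_binding "$1") || { echo "zac not bound beside edge-management" >&2; return 1; }
  set -- $out
  { [ -n "$3" ] && [ -f "$2/$3" ]; } || { echo "no index file under '$2'" >&2; return 2; }
  echo "ok: listener=$1 location=$2"
}

# Constructed sample: a config fragment and console directory in a scratch dir.
demo=$(mktemp -d)
touch "$demo/index.html"
cat > "$demo/config.yml" <<EOF
web:
  - name: client-management
    apis:
      - binding: edge-management
      - binding: zac
        options:
          location: $demo
          indexFile: index.html
EOF
check_console "$demo/config.yml"
rm -rf "$demo"
```

On a controller host, call check_console with /var/lib/ziti-controller/config.yml as its argument; a commented-out zac binding is treated as absent.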
Authenticate with an Admin Client Certificate
-
Enroll an admin identity. Link to instructions
-
Unwrap the JSON file to obtain the certificate and private key.
ziti ops unwrap admin2.json
-
Compose a keystore from the certificate and private key. The -legacy flag is necessary when importing the keystore into some versions of macOS Keychain Access.
openssl pkcs12 -export -in admin2.cert -inkey admin2.key -out admin2.p12 -name "admin2" -legacy -password 'pass:mypassword'
-
Import the keystore:
-
macOS: Import into System Keychain via Keychain Access application for Google Chrome. You can run a terminal command or double-click the keystore file or drag it onto the login keychain to import it.
security import admin2.p12 -k ~/Library/Keychains/login.keychain -T /Applications/Google\ Chrome.app -P 'mypassword'
-
Windows: Import into the Windows Certificate Store (Personal store) via certmgr.msc.
-
Linux: Import into your browser's certificate store or system certificate store (e.g., Chrome Settings > Privacy and Security > Security > Manage certificates).
-
Visit the console in your web browser. The browser will prompt with a list of imported client certificates. Select the one you imported in the previous step.
-
Press the "LOGIN" button without entering a password.