Update the SSL Options for UI

This page explains how to update volume mounts and configure SSL options to secure the Pulse Web UI.

It covers how to:

Update volume mounts to provide access to SSL files.
Manage SSL certificates using symlinks for automatic renewal.
Specify custom SSL_KEYDIR and SSL_CERTDIR paths.
Use the SSL_PASSPHRASE variable for password-protected private keys.

These steps ensure that Pulse securely accesses the required SSL/TLS certificates inside the container and keeps them up to date.

Update Volume Mounts in ad-core.yml for ad-graphql

To enable secure access to SSL/TLS certificates and internal security keys, the ad-graphql service requires access to specific directories on the host system. This is achieved by configuring volume mounts in the ad-core.yml file.

Volume mounts allow the container to read files from the host file system without embedding them directly into the image.

Required Mounts

The following host directories must be mounted into the ad-graphql container:

Host Path	Description	Mount Mode
/etc/letsencrypt/live/pulse.company.com	Contains SSL/TLS certificates issued by Let’s Encrypt for pulse.company.com.	Read-only
/opt/security/pki/	Contains internal PKI files or security certificates required for secure inter-service communication.	Read-only

Configuration

Update the ad-core.yml file under the ad-graphql service definition to include the following volume mounts:

Bash
    
 
services:  ad-graphql:    image: <graphql-image-name>    container_name: ad-graphql    restart: always    volumes:      - _etc_letsencrypt_live_pulse.company.com:_etc_letsencrypt_live_pulse.company.com:ro      - _opt_security_pki_:_opt_security_pki_:ro    # other existing configuration (ports, environment, etc.)
Copy

Use the:ro (read-only) flag to prevent modification of sensitive certificate files.
Ensure that the host paths exist and the container has appropriate read permissions.
If you are using Docker Compose, apply the updated configuration by running
- docker-compose -f ad-core.yml up -d ad-graphql
For Kubernetes-based deployments, the equivalent configuration should be applied via volume and volumeMounts definitions in the Deployment or Pod spec.

Using Symlinks for Certificates

A symlink (symbolic link) is a shortcut that points to your real certificate file — useful if your certificates are managed by another service or auto-renewed (like Let’s Encrypt).

Example:

Bash
    
 
ln -s _etc_letsencrypt_live_pulse.company.com_fullchain.pem _opt_security_pki_ssl.crtln -s _etc_letsencrypt_live_pulse.company.com_privkey.pem _opt_security_pki_ssl.key
Copy

Pulse still reads ssl.crt and ssl.key, but those files point to the latest certificates automatically.

Using a Custom SSL Key and Certificate Directories

If your SSL certificate and key files are stored in a custom directory, point to that path using the SSL KEYDIR and SSL CERTDIR variables in the ad-core.yml > graphql section.

Example:

Bash
    
 
- SSL_KEYDIR=_opt_security_pki_- SSL_CERTDIR=_opt_security_pki_
Copy

The certificate directory must be accessible to the Pulse container user (user-id: 1000).> > Ensure the directory is mounted inside the container and readable by the Pulse services.

Using SSL_PASSPHRASE

If your SSL private key file (ssl.key) is password-protected, provide that password using the SSL_PASSPHRASE environment variable in the ad-core.yml > graphql section.

Bash
    
 
- SSL_PASSPHRASE=MySecretPassphrase
Copy

This allows Pulse to automatically unlock and use the SSL private key when starting the web service.

Example Configuration

This example section describes how to configure the ad-graphql service to use SSL certificates through symbolic links (symlinks).

This configuration maintains read-only access to PKI-managed certificate directories while allowing writable symlink management inside the container.

Before you begin

Ensure that PKI-managed SSL files are available under: /opt/security/pki/nodes/barclays-pulse.acceldata.com/certs and /opt/security/pki/nodes/barclays-pulse.acceldata.com/private
Confirm that the ad-graphql Docker image supports shell commands for creating symlinks.

Steps

Open the ad-core.yml file.
Locate the ad-graphql service section.
Update the configuration with the following example to create writable symlinks.

Bash
    
​x
    
ad-graphql:                             # Service definition for the ad-graphql componentimage: ad-graphql                       # Docker image for GraphQL servicecontainer_name: ""                      # Optional container name​environment:                            # Environment variables for DB, SSL, LDAP, and feature flags- MONGO_URI=<uri>- MONGO_ENCRYPTED=true- MONGO_SECRET=<secret>- UI_PORT=4000- LDAP_HOST=ad-ldap- LDAP_PORT=19020- SSL_ENFORCED=true- SSL_ENABLED=true- SSL_KEYDIR=_etc_acceldata_ssl2- SSL_KEYFILE=ssl.key- SSL_CERTDIR=_etc_acceldata_ssl2- SSL_CERTFILE=ssl.crt- SSL_PASSPHRASE=""- SSL_UI_PORT=4000- DS_HOST=ad-query-estimation- OTEL_JAVAAGENT_ENABLED=false- DS_PORT=8181- ES_USERNAME=pulse- ES_PASSWORD=<elastic password>- DOWNLOAD_PATH_LARGE_JOBS=_tmp_downloads- 'FEATURE_FLAGS={ "ui_regex": { "regex": "ip-([^.]+)", "index": 1 }, "rename_nav_labels":{},"timezone": "", "experimental": true, "themes": false, "hive_const":{ "HIVE_QUERY_COST_ENABLED":false, "HIVE_MEMORY_GBHOUR_COST": 0, "HIVE_VCORE_HOUR_COST": 0 }, "spark_const":{ "SPARK_QUERY_COST_ENABLED": false, "SPARK_MEMORY_GBHOUR_COST": 0, "SPARK_VCORE_HOUR_COST":0 }, "queryRecommendations": false, "hostIsTrialORLocalhost": false, "data_temp_string":"" }'​volumes:                                # Volume mounts for SSL, PKI, and local data directories- _etc_localtime:_etc_localtime:ro- _etc_hosts:_etc_hosts:ro- _etc_acceldata_ssl2:_etc_acceldata_ssl:ro- _opt_security_pki_nodes_barclays-pulse.acceldata.com_certs:_opt_security_pki_nodes_barclays-pulse.acceldata.com_certs:ro- _opt_security_pki_nodes_barclays-pulse.acceldata.com_private:_opt_security_pki_nodes_barclays-pulse.acceldata.com_private:ro- _data01_acceldata_data_graphql:_tmp_downloads​ulimits: {}                             # Resource limits configuration (none set)​ports:                                  # Network ports exposed to the host- 4000:4000​depends_on:                             # Service dependency ensuring ad-db starts first- ad-db​opts: {}                                # Additional Docker options placeholder​restart: ""                             # Restart policy (not defined)​extra_hosts: []                         # Custom host-to-IP mappings if needed​network_alias: []                       # Network aliases for service discovery
Copy

Verification

To confirm the symlinks are created correctly, run:

Bash
    
 
docker exec -it ad-graphql ls -l _etc_acceldata_ssl
Copy

Expected output:

Bash
    
 
ssl.crt -> _opt_security_pki_nodes_barclays-pulse.acceldata.com_certs_ssl.crtssl.key -> _opt_security_pki_nodes_barclays-pulse.acceldata.com_private_ssl.key
Copy

The writable GraphQL-SSL volume allows safe symlink creation inside the container.
The PKI directories remain read-only for security.
Update the paths in ln -sf if your certificate or key names differ.
Ensure the startup command matches the entry point of your image.
This setup supports automatic certificate renewal (e.g., via Let’s Encrypt).

Summary

Variable	Purpose
Volume Mounts	Make host directories (e.g., /etc/letsencrypt/... and /opt/security/pki/) accessible inside the container so the Pulse services can read SSL files.
Symlinks	Keep Pulse certificates updated automatically by linking to renewed certificates (e.g., Let’s Encrypt).
SSL_KEYDIR / SSL_CERTDIR	Define where the SSL certificate and key files are located inside the container.
SSL_PASSPHRASE	Unlock password-protected private keys for use by the Pulse Web UI.
SSL_ENABLED / SSL_ENFORCED	Enable and enforce HTTPS for secure UI and API access.

Last updated on

Was this page helpful?