GCM Connector
This section details how to configure the Google Certificate Manager Connector.
Prerequisites
On the Horizon side, you might need to set up a Proxy to reach GCM.
On the Google Cloud side, you need to create a service account using IAM, and grant that service account the appropriate permissions, as documented here. Typically, these can be granted through the Certificate Manager Editor role (roles/certificatemanager.editor), or through the following individual permissions:
- certificatemanager.certs.create
- certificatemanager.certs.list
- certificatemanager.certs.get
- certificatemanager.certs.update
- certificatemanager.certs.delete
After performing these steps, you will get the following information, required later:
- the GCP Project
- the GCP Location
- the GCP Service Account Email
- the GCP Service Account Private Key
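The service account's access can be checked against the permission list above before its key is stored in Horizon. The following Python is an added example, not Horizon or Google code: it takes a project IAM policy and custom role definitions, in the JSON shape the IAM API returns, and reports anything granted to the connector's service account beyond the five permissions listed. The project, account and custom role names are constructed placeholders.

```python
# The five permissions listed in the prerequisites above.
REQUIRED = {
    "certificatemanager.certs.create",
    "certificatemanager.certs.list",
    "certificatemanager.certs.get",
    "certificatemanager.certs.update",
    "certificatemanager.certs.delete",
}
PREDEFINED_OK = {"roles/certificatemanager.editor"}  # role named on this page

def audit(policy, custom_roles, sa_email):
    """Return a list of findings for one service account.
    policy: project IAM policy, {"bindings": [{"role": ..., "members": [...]}]}.
    custom_roles: {role name: {"includedPermissions": [...]}}."""
    member = f"serviceAccount:{sa_email}"
    findings, granted, predefined = [], set(), False
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if role in PREDEFINED_OK:
            predefined = True
        elif role in custom_roles:
            perms = set(custom_roles[role].get("includedPermissions", []))
            granted |= perms
            findings += [f"EXTRA {role}: {p}" for p in sorted(perms - REQUIRED)]
        else:
            # Any other role (for example a project-wide one) is out of scope.
            findings.append(f"UNEXPECTED_ROLE {role}")
    # The page states the predefined role typically covers the list, so the
    # missing-permission check only applies when access comes from custom roles.
    if not predefined:
        findings += [f"MISSING {p}" for p in sorted(REQUIRED - granted)]
    return findings

# Constructed sample data; every name below is a placeholder.
SA = "horizon-gcm@example-project.iam.gserviceaccount.com"
CUSTOM = "projects/example-project/roles/horizonGcmConnector"
POLICY = {"bindings": [
    {"role": CUSTOM, "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}", "user:admin@example.com"]},
]}
ROLES = {CUSTOM: {"includedPermissions":
         sorted(REQUIRED - {"certificatemanager.certs.delete"}) + ["storage.objects.get"]}}

if __name__ == "__main__":
    for line in audit(POLICY, ROLES, SA):
        print(line)
```

Only direct project-level bindings are examined; access inherited from a folder or organization, or through group membership, is not covered.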
How to configure GCM Connector
1. Log in to Horizon Administration Interface.
2. Access GCM Connectors from the drawer or card.
3. Click on .
4. Fill in the mandatory fields.
General
- Name* (string input): Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.
- GCM Service Account Credentials* (select): Select API Token credentials containing the authentication information.
- Proxy (string select): The HTTP/HTTPS proxy to use.
- Timeout (finite duration): Set by default at 10 seconds. Must be a valid finite duration.
Assets identification
- Project name* (string input): Name of the GCM project.
- Location* (string input): Location of the GCM server.
- Label (string inputs): Used to filter the certificates managed by Horizon in GCM.
  - Key (string input): The label key. manage by default.
  - Value (string input): The label value. horizon by default.
Actors and renewal management
These configuration elements mainly define the number of authorized interactions with the remote service over a defined period. For example, you may need to ensure that the remote service is not contacted more than 5 times per 3 seconds. Throttle parallelism defines the number of interactions, and Throttle duration defines the period of time. In the above example, throttle parallelism would therefore be set to 5 and throttle duration to 3 seconds.
- Throttle duration* (finite duration): Set by default at 3 seconds. Must be a valid finite duration.
- Throttle parallelism* (int): Set by default at 3.
- Renewal period* (finite duration): Must be a valid finite duration.
5. Click on the save button.
You can update or delete the GCM Connector.
You will not be able to delete a GCM Connector if it is referenced in any other configuration element.
Synchronize your third party
Your third-party certificates can be synchronized with Horizon using scheduled tasks.
Scheduled tasks are a WebRA feature that periodically synchronizes the automatic renewal or revocation events of a WebRA profile with a third party. More specifically, a scheduled task periodically checks whether a certificate has entered the "renewal period" defined in the connector's configuration, and renews it automatically if necessary.
1. Refer to the third party connector documentation to create a third party connector.
2. Ensure you have an existing WebRA Profile: renewal will be automated on the selected profile.
3. Follow the documentation of the WebRA Scheduled Tasks section to properly configure a scheduled task.