SSL/TLS Configuration

All communications between Client Applications and Nucleus use a combination of WebSockets and HTTP which allows SSL/TLS can be used to secure the traffic.

Omniverse Clients support both SSL/TLS and non-TLS connections; they detect (and favor) SSL/TLS automatically.

An Enterprise Nucleus Server, however, does not itself provide SSL/TLS termination. This means that even though your deployment can be configured with SSL/TLS, Nucleus itself will not “talk” SSL/TLS: it will still be listening on series of ports, opened as insecure HTTP or WebSocket endpoints.

We rely on a reverse proxy for SSL/TLS connections. Clients connect to the proxy via SSL/TLS, and it forwards their requests to Nucleus over regular, non-secure connections. We call this proxy an Ingress Router.

Non-TLS Clients connect to various Nucleus Components directly - on their ports (e.g., 3009, 3030). With SSL/TLS however, Clients connect to a host - i.e., https://my-nucleus.my-company.com - which is where the Ingress Router is configured. The Ingress Router examines the path of the request - and routes (reverse-proxies) a Client based on that path. This is known as Path-based Routing (PBR).

If a non-SSL Client talks to the Nucleus API for example, it would open a connection to my-nucleus-host.my-company.com, port 3009. With SSL/TLS (and PBR), it will instead connect to https://my-nucleus.my-company.com/omni/api. The host portion of this URL will lead it to the SSL/TLS termination point (Ingress Router), and path (/omni/api) will indicate to the Ingress Router that the request should be reverse-proxied to Nucleus’s port 3009. (Reference the diagram above on how paths correlate to ports.)

Setting up Nucleus with SSL/TLS

In order to enable SSL/TLS for Nucleus, the following items are needed:

• Configure the appropriate network topology

• Configure a reverse proxy to act as an Ingress Router

• Configure the Nucleus Base Stack to be aware of the Ingress Router

Network Topology

Given that Nucleus itself does not terminate SSL/TLS, if strong security is desired, Nucleus should be placed in a network that is not directly accessible by Clients.

A host to run the Ingress Router should be able to freely access Nucleus, and be accessible to Clients on ports TCP 80 and TCP 443.

Configuring Ingress Router

Any reverse proxy can act as an Ingress Router, provided it supports WebSockets, HTTP, path/port redirection, and SSL/TLS. We recommend using NGINX as it’s lightweight and easy to configure.

To make setup easier, we ship a sample NGINX configuration file with the Enterprise Nucleus Server artifact. This configuration can be used as is with minor customization (URLs and IP Addresses), however it can also serve as a guide to configure alternative options as needed.

Additionally, we include an Ingress Router Docker container if you prefer to run it on the Enterprise Nucleus Server itself.

Click the appropriate link below to learn more:

• Configuring the Ingress Router container as part of the Enterprise Nucleus Server

• Configuring the Ingress Router using the sample configuration on a separate server using NGINX

Warning

Omniverse Clients (Apps and Connectors) only support certificates with validated trust chains. Self-signed certificates or certificates with non-matching hostname’s will not work properly with Omniverse Clients and will fail without warning.

To properly configure a Nucleus Enterprise Server in a secured environment, certificates provided by a well-known Certificate Authority (CA) are required. Single domain certificates, multiple domain (SAN) certificates, and wildcard (*) certificates are fully supported.

If your Enterprise relies on an internal PKI (Public Key Infrastructure), this is supported providing the proper trust certificates are deployed to the workstations that connect to the Enterprise Nucleus Server.