
Configure OpenStack and it’s infrastructure services to use SSL

root
  • 1. MySQL/Galera
  • 2. RabbitMQ
  • 3. Mongo
  • 4. OS services
  • 4.1 Keystone
  • 4.2 Nova
  • 4.3 Glance
  • 4.4 Cinder
  • 4.5 Swift
  • 4.6 Ceilometer
  • 5. HAProxy

Note: newer OpenSSL versions write an RSA private key inside a container format that carries some additional information alongside the key itself (the PEM header and footer of such a key read “BEGIN (END) PRIVATE KEY”), but some applications cannot use such keys because they require a plain RSA private key (header and footer reading “BEGIN (END) RSA PRIVATE KEY”).
The plain RSA key can be extracted with the following command:

openssl rsa -in key.pem -out key_old.pem


1. MySQL/Galera
Create a config file (e.g. /etc/mysql/conf.d/ssl.cnf) and point both server and client to their certificates to enable SSL in MySQL:

[client]
ssl_ca=path/to/ca/cert
ssl_cert=path/to/client/cert
ssl_key=path/to/client/key # “old” format is required

[mysqld]
ssl_ca=path/to/ca/cert
ssl_cert=path/to/server/cert
ssl_key=path/to/server/key


Modify the Galera cluster options to point it to self-signed certificates (important: Galera replication does not support SSL authentication, so CA-signed certificates won’t work) to enable SSL replication. Append to the wsrep_provider_options parameter in the configuration:
socket.ssl_cert=path/to/galera/cert; socket.ssl_key=path/to/galera/key

Modify the sql_connection setting in the OpenStack services’ configuration files, appending the following query parameters
ssl_ca=path/to/ca&ssl_cert=path/to/client/mysql/cert&ssl_key=path/to/client/mysql/key

to the connection URL so that SQLAlchemy is pointed at the necessary certificates.

2. RabbitMQ
Enable the SSL listener and set the SSL options in the RabbitMQ configuration file (rabbitmq.config):

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/path/to/testca/cacert.pem"},
                   {certfile,"/path/to/server/cert.pem"},
                   {keyfile,"/path/to/server/key.pem"},
                   {verify,verify_peer},
                   {fail_if_no_peer_cert,false}]}
  ]}
].


Modify the RPC options in the OS services’ configuration files to use SSL:

rabbit_use_ssl=True
kombu_ssl_ca_certs=
kombu_ssl_certfile=
kombu_ssl_keyfile=


Note: RabbitMQ requires the “old” key format.

3. Mongo
SSL is not supported by the default packages; MongoDB has to be built locally with SSL support or the enterprise packages used:
http://www.mongodb.org/about/contributors/tutorial/build-mongodb-from-source/
http://docs.mongodb.org/manual/tutorial/configure-ssl/

4. OS services

4.1 Keystone
http://docs.openstack.org/havana/config-reference/content/ch_configuring-openstack-identity.html#keystone-configuration-file
Edit /etc/keystone/keystone.conf:

[ssl]
enable = True
certfile =
keyfile =
ca_certs =
cert_required = True


Configure the [keystone_authtoken] section of all OS services’ configuration files to include the CA certificate option:

cafile=


4.2 Nova
http://docs.openstack.org/havana/config-reference/content/list-of-compute-config-options.html
Edit /etc/nova/nova.conf:

[DEFAULT]
enabled_ssl_apis=ec2,osapi_compute,metadata
ssl_cert_file=
ssl_key_file=


4.3 Glance
http://docs.openstack.org/havana/config-reference/content/ch_configuring-openstack-image-service.html
Edit /etc/glance/glance.conf:

[DEFAULT]
glance_api_insecure=False
glance_protocol=https
ssl_cert_file=
ssl_key_file=


Change the glance_api_servers option of the relevant OS services to point to the HTTPS endpoint (i.e. where it was 127.0.0.1:9292, it should be https://127.0.0.1:9292).
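As an added example (not from the original post), a small audit script that checks a service config for the settings sections 1, 2, 4.1 and 4.3 ask for: rabbit_use_ssl and the kombu_ssl_* paths, cafile under [keystone_authtoken], an https:// scheme on every glance_api_servers entry, and ssl_ca/ssl_cert/ssl_key on the sql_connection URL. The nova.conf fragment and its certificate paths are constructed for the demonstration.

```python
import configparser
from urllib.parse import parse_qs, urlsplit

# Constructed nova.conf fragment (not from the post): RabbitMQ and Keystone are
# switched over, one Glance endpoint is still plain HTTP and the MySQL URL names
# the CA but not the client certificate and key.
SAMPLE_CONF = """\
[DEFAULT]
rabbit_use_ssl = True
kombu_ssl_ca_certs = /etc/ssl/openstack/ca.pem
kombu_ssl_certfile = /etc/ssl/openstack/nova_cert.pem
kombu_ssl_keyfile = /etc/ssl/openstack/nova_key.pem
glance_api_servers = 127.0.0.1:9292,https://10.0.0.6:9292
sql_connection = mysql://nova:secret@10.0.0.5/nova?ssl_ca=/etc/ssl/openstack/ca.pem

[keystone_authtoken]
cafile = /etc/ssl/openstack/ca.pem
"""

KOMBU_OPTS = ("kombu_ssl_ca_certs", "kombu_ssl_certfile", "kombu_ssl_keyfile")
SQL_SSL_OPTS = ("ssl_ca", "ssl_cert", "ssl_key")


def audit(conf_text):
    """Return a list of findings; an empty list means every checked setting is in place."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    default = cp["DEFAULT"]
    findings = []
    # 2. RabbitMQ: rabbit_use_ssl plus the three kombu_ssl_* paths
    if not cp.getboolean("DEFAULT", "rabbit_use_ssl", fallback=False):
        findings.append("rabbit_use_ssl is not True")
    for opt in KOMBU_OPTS:
        if not default.get(opt, "").strip():
            findings.append(f"{opt} is empty")
    # 4.1 Keystone: every service needs the CA path in [keystone_authtoken]
    if not cp.get("keystone_authtoken", "cafile", fallback="").strip():
        findings.append("[keystone_authtoken] cafile is empty")
    # 4.3 Glance: each glance_api_servers entry must carry an https:// scheme
    for server in default.get("glance_api_servers", "").split(","):
        server = server.strip()
        if server and urlsplit(server).scheme != "https":
            findings.append(f"glance_api_servers entry {server!r} is not https://")
    # 1. MySQL: the sql_connection query string must name CA, client cert and key
    query = parse_qs(urlsplit(default.get("sql_connection", "")).query)
    for opt in SQL_SSL_OPTS:
        if not query.get(opt, [""])[0]:
            findings.append(f"sql_connection lacks {opt}=")
    return findings
```

Run it against each service's config after the edits above; for the sample it reports the plain-HTTP Glance entry and the two missing MySQL client-certificate parameters.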

4.4 Cinder
http://docs.openstack.org/icehouse/config-reference/content/section_cinder.conf.html
Edit /etc/cinder/cinder.conf:

[ssl]
ssl_cert_file=
ssl_key_file=


4.5 Swift
Swift’s own SSL implementation is not recommended for production deployments, so a proxy has to be used.
Configure swift-proxy to listen on port 8081, then install nginx and terminate SSL on it: nginx listens for HTTPS on port 8080 and forwards plain HTTP to the local swift-proxy server.
Nginx configuration example:

server {
    listen 192.168.1.2:8080 ssl;

    server_name swift-proxy;

    access_log /var/log/nginx/access_.log;
    error_log /var/log/nginx/error_.log;

    charset utf-8;

    ssl_certificate /etc/ssl/openstack/api_cert.pem;
    ssl_certificate_key /etc/ssl/openstack/api_key.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
       proxy_pass http://192.168.1.2:8081;
       proxy_intercept_errors off;
    }
}


4.6 Ceilometer
http://docs.openstack.org/icehouse/config-reference/content/section_ceilometer.conf.html
Edit /etc/ceilometer/ceilometer.conf:

[ssl]
cert_file=
key_file=


To Be Done
5. HAProxy
After reconfiguring the OpenStack API services to SSL, HAProxy needs to be switched to tcp mode since it cannot parse encrypted headers.

[ Edited Tue Jul 22 2014, 04:06PM ]
