Chapter 14. Enabling SSL/TLS on overcloud public endpoints
By default, the overcloud uses unencrypted endpoints for the overcloud services. To enable SSL/TLS in your overcloud, Red Hat recommends that you use a certificate authority (CA) solution.
When you use a certificate authority (CA) solution, you have production ready solutions such as a certificate renewals, certificate revocation lists (CRLs), and industry accepted cryptography. For information on using Red Hat Identity Manager (IdM) as a CA, see Implementing TLS-e with Ansible.
You can use the following manual process to enable SSL/TLS for Public API endpoints only, the Internal and Admin APIs remain unencrypted. You must also manually update SSL/TLS certificates if you do not use a CA. For more information, see Manually updating SSL/TLS certificates.
Prerequisites
- Network isolation to define the endpoints for the Public API.
-
The
openssl-perl
package is installed. - You have an SSL/TLS certificate. For more information see Configuring custom SSL/TLS certificates.
14.1. Initializing the signing host
The signing host is the host that generates and signs new certificates with a certificate authority. If you have never created SSL certificates on the chosen signing host, you might need to initialize the host so that it can sign new certificates.
Procedure
The
/etc/pki/CA/index.txt
file contains records of all signed certificates. Ensure that the filesystem path andindex.txt
file are present:$ sudo mkdir -p /etc/pki/CA $ sudo touch /etc/pki/CA/index.txt
The
/etc/pki/CA/serial
file identifies the next serial number to use for the next certificate to sign. Check if this file exists. If the file does not exist, create a new file with a new starting value:$ echo '1000' | sudo tee /etc/pki/CA/serial
14.2. Creating a certificate authority
Normally you sign your SSL/TLS certificates with an external certificate authority. In some situations, you might want to use your own certificate authority. For example, you might want to have an internal-only certificate authority.
Procedure
Generate a key and certificate pair to act as the certificate authority:
$ openssl genrsa -out ca.key.pem 4096 $ openssl req -key ca.key.pem -new -x509 -days 7300 -extensions v3_ca -out ca.crt.pem
-
The
openssl req
command requests certain details about your authority. Enter these details at the prompt. These commands create a certificate authority file calledca.crt.pem
. Set the certificate location as the value for the
PublicTLSCAFile
parameter in theenable-tls.yaml
file. When you set the certificate location as the value for thePublicTLSCAFile
parameter, you ensure that the CA certificate path is added to theclouds.yaml
authentication file.parameter_defaults: PublicTLSCAFile: /etc/pki/ca-trust/source/anchors/cacert.pem
14.3. Adding the certificate authority to clients
For any external clients aiming to communicate using SSL/TLS, copy the certificate authority file to each client that requires access to your Red Hat OpenStack Platform environment.
Procedure
Copy the certificate authority to the client system:
$ sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/
After you copy the certificate authority file to each client, run the following command on each client to add the certificate to the certificate authority trust bundle:
$ sudo update-ca-trust extract
14.4. Creating an SSL/TLS key
Enabling SSL/TLS on an OpenStack environment requires an SSL/TLS key to generate your certificates.
Procedure
Run the following command to generate the SSL/TLS key (
server.key.pem
):$ openssl genrsa -out server.key.pem 2048
14.5. Creating an SSL/TLS certificate signing request
Complete the following steps to create a certificate signing request.
Procedure
Copy the default OpenSSL configuration file:
$ cp /etc/pki/tls/openssl.cnf .
Edit the new
openssl.cnf
file and configure the SSL parameters that you want to use for director. An example of the types of parameters to modify include:[req] distinguished_name = req_distinguished_name req_extensions = v3_req [req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = AU stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Queensland localityName = Locality Name (eg, city) localityName_default = Brisbane organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Red Hat commonName = Common Name commonName_default = 192.168.0.1 commonName_max = 64 [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = 192.168.0.1 DNS.1 = instack.localdomain DNS.2 = vip.localdomain DNS.3 = 192.168.0.1
Set the
commonName_default
to one of the following entries:-
If you are using an IP address to access director over SSL/TLS, use the
undercloud_public_host
parameter in theundercloud.conf
file. - If you are using a fully qualified domain name to access director over SSL/TLS, use the domain name.
Edit the
alt_names
section to include the following entries:-
IP
- A list of IP addresses that clients use to access director over SSL. -
DNS
- A list of domain names that clients use to access director over SSL. Also include the Public API IP address as a DNS entry at the end of thealt_names
section.
NoteFor more information about
openssl.cnf
, run theman openssl.cnf
command.-
If you are using an IP address to access director over SSL/TLS, use the
Run the following command to generate a certificate signing request (
server.csr.pem
):$ openssl req -config openssl.cnf -key server.key.pem -new -out server.csr.pem
Ensure that you include your OpenStack SSL/TLS key with the
-key
option.
This command generates a server.csr.pem
file, which is the certificate signing request. Use this file to create your OpenStack SSL/TLS certificate.
14.6. Creating the SSL/TLS certificate
To generate the SSL/TLS certificate for your OpenStack environment, the following files must be present:
openssl.cnf
- The customized configuration file that specifies the v3 extensions.
server.csr.pem
- The certificate signing request to generate and sign the certificate with a certificate authority.
ca.crt.pem
- The certificate authority, which signs the certificate.
ca.key.pem
- The certificate authority private key.
Procedure
Create the
newcerts
directory if it does not already exist:sudo mkdir -p /etc/pki/CA/newcerts
Run the following command to create a certificate for your undercloud or overcloud:
$ sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem -keyfile ca.key.pem
This command uses the following options:
-config
-
Use a custom configuration file, which is the
openssl.cnf
file with v3 extensions. -extensions v3_req
- Enabled v3 extensions.
-days
- Defines how long in days until the certificate expires.
-in
'- The certificate signing request.
-out
- The resulting signed certificate.
-cert
- The certificate authority file.
-keyfile
- The certificate authority private key.
This command creates a new certificate named server.crt.pem
. Use this certificate in conjunction with your OpenStack SSL/TLS key
14.7. Enabling SSL/TLS
To enable SSL/TLS in your overcloud, you must create an environment file that contains parameters for your SSL/TLS certiciates and private key.
Procedure
Copy the
enable-tls.yaml
environment file from the heat template collection:$ cp -r /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml ~/templates/.
Edit this file and make the following changes for these parameters:
- SSLCertificate
Copy the contents of the certificate file (
server.crt.pem
) into theSSLCertificate
parameter:parameter_defaults: SSLCertificate: | -----BEGIN CERTIFICATE----- MIIDgzCCAmugAwIBAgIJAKk46qw6ncJaMA0GCSqGS ... sFW3S2roS4X0Af/kSSD8mlBBTFTCMBAj6rtLBKLaQ -----END CERTIFICATE-----
ImportantThe certificate contents require the same indentation level for all new lines.
- SSLIntermediateCertificate
If you have an intermediate certificate, copy the contents of the intermediate certificate into the
SSLIntermediateCertificate
parameter:parameter_defaults: SSLIntermediateCertificate: | -----BEGIN CERTIFICATE----- sFW3S2roS4X0Af/kSSD8mlBBTFTCMBAj6rtLBKLaQbIxEpIzrgvpBCwUAMFgxCzAJB ... MIIDgzCCAmugAwIBAgIJAKk46qw6ncJaMA0GCSqGSIb3DQE -----END CERTIFICATE-----
ImportantThe certificate contents require the same indentation level for all new lines.
- SSLKey
Copy the contents of the private key (
server.key.pem
) into theSSLKey
parameter:parameter_defaults: ... SSLKey: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAqVw8lnQ9RbeI1EdLN5PJP0lVO ... ctlKn3rAAdyumi4JDjESAXHIKFjJNOLrBmpQyES4X -----END RSA PRIVATE KEY-----
ImportantThe private key contents require the same indentation level for all new lines.
14.8. Injecting a root certificate
If the certificate signer is not in the default trust store on the overcloud image, you must inject the certificate authority into the overcloud image.
Procedure
Copy the
inject-trust-anchor-hiera.yaml
environment file from the heat template collection:$ cp -r /usr/share/openstack-tripleo-heat-templates/environments/ssl/inject-trust-anchor-hiera.yaml ~/templates/.
Edit this file and make the following changes for these parameters:
- CAMap
Lists each certificate authority content (CA) to inject into the overcloud. The overcloud requires the CA files used to sign the certificates for both the undercloud and the overcloud. Copy the contents of the root certificate authority file (
ca.crt.pem
) into an entry. For example, yourCAMap
parameter might look like the following:parameter_defaults: CAMap: ... undercloud-ca: content: | -----BEGIN CERTIFICATE----- MIIDlTCCAn2gAwIBAgIJAOnPtx2hHEhrMA0GCS BAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBw UmVkIEhhdDELMAkGA1UECwwCUUUxFDASBgNVBA -----END CERTIFICATE----- overcloud-ca: content: | -----BEGIN CERTIFICATE----- MIIDBzCCAe+gAwIBAgIJAIc75A7FD++DMA0GCS BAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xOTAxMz Um54yGCARyp3LpkxvyfMXX1DokpS1uKi7s6CkF -----END CERTIFICATE-----
ImportantThe certificate authority contents require the same indentation level for all new lines.
You can also inject additional CAs with the CAMap
parameter.
14.9. Configuring DNS endpoints
If you use a DNS hostname to access the overcloud through SSL/TLS, copy the /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml
file into the /home/stack/templates
directory.
It is not possible to redeploy with a TLS-everywhere architecture if this environment file is not included in the initial deployment.
Configure the host and domain names for all fields, adding parameters for custom networks if needed:
- CloudDomain
- the DNS domain for hosts.
- CloudName
- The DNS hostname of the overcloud endpoints.
- CloudNameCtlplane
- The DNS name of the provisioning network endpoint.
- CloudNameInternal
- The DNS name of the Internal API endpoint.
- CloudNameStorage
- The DNS name of the storage endpoint.
- CloudNameStorageManagement
- The DNS name of the storage management endpoint.
- DnsServers
-
A list of DNS servers that you want to use. The configured DNS servers must contain an entry for the configured
CloudName
that matches the IP address of the Public API.
Procedure
Add a list of DNS servers to use under parameter defaults, in either a new or existing environment file:
parameter_defaults: DnsServers: ["10.0.0.254"] ....
TipYou can use the
CloudName{network.name}
definition to set the DNS name for an API endpoint on a composable network that uses a virtual IP.For more information, see Adding a composable network.
14.10. Adding environment files during overcloud creation
Use the -e
option with the deployment command openstack overcloud deploy
to include environment files in the deployment process. Add the environment files from this section in the following order:
-
The environment file to enable SSL/TLS (
enable-tls.yaml
) -
The environment file to set the DNS hostname (
custom-domain.yaml
) -
The environment file to inject the root certificate authority (
inject-trust-anchor-hiera.yaml
) The environment file to set the public endpoint mapping:
-
If you use a DNS name for accessing the public endpoints, use
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml
-
If you use a IP address for accessing the public endpoints, use
/usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml
-
If you use a DNS name for accessing the public endpoints, use
Procedure
- Use the following deployment command snippet as an example of how to include your SSL/TLS environment files:
$ openstack overcloud deploy --templates \ [...] -e /home/stack/templates/enable-tls.yaml \ -e ~/templates/custom-domain.yaml \ -e ~/templates/inject-trust-anchor-hiera.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml
14.11. Manually Updating SSL/TLS Certificates
Complete the following steps if you are using your own SSL/TLS certificates that are not auto-generated from the TLS everywhere (TLS-e) process.
Procedure
Edit your heat templates with the following content:
-
Edit the
enable-tls.yaml
file and update theSSLCertificate
,SSLKey
, andSSLIntermediateCertificate
parameters. -
If your certificate authority has changed, edit the
inject-trust-anchor-hiera.yaml
file and update theCAMap
parameter.
-
Edit the
Rerun the deployment command:
$ openstack overcloud deploy --templates \ [...] -e /home/stack/templates/enable-tls.yaml \ -e ~/templates/custom-domain.yaml \ -e ~/templates/inject-trust-anchor-hiera.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-dns.yaml