Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 12. TLS-e for DCN
You can enable TLS (transport layer security) on clouds designed for distributed compute node infrastructure. You have the option of either enabling TLS for public access only, or enabling TLS on every network with TLS-e, which allows for encryption on all internal and external dataflows.
You cannot enable public access on edge stacks as edge sites do not have public endpoints. For more information on TLS for public access, see Enabling SSL/TLS on Overcloud Public Endpoints.
12.1. Deploying distributed compute node architecture with TLS-e
When you configure TLS-e on Red Hat OpenStack Platform (RHOSP) distributed compute node architecture with Red Hat Identity Manager (IdM), take the following actions based on the version of Red Hat Enterprise Linux deployed for Red Hat Identity Manager.
Due to differences in design between the central and edge locations, do not include the following files in edge stacks:
- tls-everywhere-endpoints-dns.yaml
- This file is ignored at edge sites, the endpoints that it sets are overridden by the endpoints exported from the central stack.
- haproxy-public-tls-certmonger.yaml
- This file causes a failed deployment as there are no public endpoints at the edge.
Procedure
- If you are running Red Hat Enterprise Linux (RHEL) 8.2, you must upgrade RHEL to version 8.4, and then follow the directions for RHEL 8.4
If you are running RHEL 8.4, modify the
ipa-ext.confandipa-options-ext.conffiles:Add trusted subnets to the access control list (ACL) in the
ipa-ext.conffile:acl "trusted_network" { localnets; localhost; 192.168.24.0/24; 192.168.25.0/24; };Allow recursion and query cache in the
/etc/named/ipa-options-ext.conffile:allow-recursion { trusted_network; }; allow-query-cache { trusted_network; };Restart the `named-pkcs11 service:
systemctl restart named-pkcs11
If you are running a version of RHEL 7, you must add an access control instruction for your domain manually.
Run the following commands on Red Hat Identity Manager to configure the ACI.
ADMIN_PASSWORD=<redhat_01> DOMAIN_LEVEL_1=<local> DOMAIN_LEVEL_2=<redhat> cat << EOF | ldapmodify -x -D "cn=Directory Manager" -w ${ADMIN_PASSWORD} dn: cn=dns,dc=${DOMAIN_LEVEL_2},dc=${DOMAIN_LEVEL_1} changetype: modify add: aci aci: (targetattr = "aaaarecord || arecord || cnamerecord || idnsname || objectclass || ptrrecord")(targetfilter = "(&(objectclass=idnsrecord)(|(aaaarecord=)(arecord=)(cnamerecord=)(ptrrecord=)(idnsZoneActive=TRUE)))")(version 3.0; acl "Allow hosts to read DNS A/AAA/CNAME/PTR records"; allow (read,search,compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=${DOMAIN_LEVEL_2},dc=${DOMAIN_LEVEL_1}";) EOF
-
Replace
<redhat_01>with the administrative password that you want to set. -
Replace
<local>with the top-level domain. -
Replace
<redhat>with the second-level domain.
Additional resources
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}