Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

Chapter 5. TLS Encryption Configuration

Red Hat Gluster Storage Web Administration supports Transport Layer Security (TLS) based security model. This model is used for the following purposes:

  • Authentication and encryption of etcd communication between storage nodes and Web Administration server
  • HTTPS encryption between Web Administration server and web browser

5.1. General Prerequisites
リンクのコピー

You need to have Certificate Authority (CA) to be able to generate and sign certificates. The CA can be either self-signed or a trusted CA. For instructions about generating a CA certificate, see the Creating Your Own Certificates section of the Red Hat AMQ Security Guide.

CA is used to sign certificates for the storage nodes and Web Administration server for TLS-based client server etcd authentication. CA is also used to sign the certificate that is used for the https setup on Web Administration server. However, CA for TLS etcd setup can be different from CA for https setup.

Red Hat Gluster Storage Web Administration or tendrl-ansible neither generates nor deploys certificate files or keys.

5.2. Enabling TLS for etcd
リンクのコピー

Red Hat Gluster Storage Web Administration supports etcd’s TLS-based security model. This model supports authentication and encryption of traffic between etcd and Web Administration system components.

By default, etcd functions without authentication and encryption but it is recommended to use TLS authentication for client-server encryption.

5.2.1. Prerequisites for TLS Encryption
リンクのコピー

Before setting up the TLS encryption, ensure that the general prerequisites are met. See Section 5.1, “General Prerequisites”.

  • Generate a private key and a client certificate for each storage node and the Web Administration server. For more information, see the Creating and Managing Encryption Keys section of the Red Hat Enterprise Linux Security Guide. On each Web Administration managed storage node, and on the Web Administration server, place the PEM-encoded private key and the client/CA certificates in a secure place that is only accessible by the Web Administration server’s root user.
  • Configuration of TLS encryption for etcd is automated using tendrl-ansible. Hence, you need to have tendrl-ansible installed and the inventory file created. See Chapter 3, Installing Web Administration chapter.
Note

Configuration of TLS encryption for etcd is performed either during the installation of Web Administration (when tendrl-ansible is run for the first time) or later by rerunning tendrl-ansible.

5.2.2. Configuring TLS Encryption for etcd
リンクのコピー

After generating and placing the TLS certificate files in the preferred directory, update the value of the Ansible variables in the inventory file with the respective file paths of the certificate files.

Add and modify the following etcd TLS variables in the [all:vars] section of the inventory file.

Expand
VariableDescription

etcd_tls_client_auth

Variable used to enable or disable TLS authentication.

etcd_cert_file

Certificate used for SSL/TLS connections to etcd. When this option is turned on, advertise-client-urls can use the HTTPS schema.

etcd_key_file

Key for the certificate that has to be unencrypted.

etcd_trusted_ca_file

Trusted Certificate Authority.

  1. Open the inventory file.
  2. Set the value for etcd_tls_client_auth variable to True. By default, the value of this variable is False.
  3. Edit the file path for the etcd_cert_file variable as required. The default value is /etc/pki/tls/certs/etcd.crt.
  4. Edit the file path for etcd_key_file variable as required. The default value is /etc/pki/tls/private/etcd.key.
  5. Edit the file path for the etcd_trusted_ca_file variable. The default value is /etc/pki/tls/certs/ca-etcd.crt.
  6. Continue the Web Administration installation process by following the Web Administration Installation chapter.

5.3. Enabling HTTPS for Web Administration Components
リンクのコピー

This section describes how to set up SSL access for Web Aadministration UI, REST API, and Grafana based dashboard.

Overview of Enabling HTTPS

  • Web Administration UI, API and Grafana dashboard, which are provided by the apache server, are secured with SSL by reconfiguration of apache.
  • Access to unencrypted http port is redirected to encrypted https port.
  • Web Administration contains sample configuration files for the apache to simplify the SSL setup.

5.3.1. Prerequisites for Enabling HTTPS
リンクのコピー

  • mod_ssl package must be installed and the default configuration in /etc/httpd/conf.d/ssl.conf must be left unmodified.
  • SSL key and certificate files need to be deployed on the Web Administration server. See Section 5.1, “General Prerequisites”.
Note

Enabling HTTPS for Web Administration components must be done after the Web Administration installation.

5.3.2. Limitations
リンクのコピー

  • Access to Grafana dashboard is not authenticated, which means that anyone who has access to Web Administration login page can access and read all panels in the dashboard without any password. They also can learn about the cluster structure, current workload, and historic trends. This is because Web Administration uses anonymous access to Grafana dashboard.
  • Web Administration server listens on a few ports that are not secured but needed for internal communication. For example, Web Administration server receives metrics data from storage machines.
  • Nothing else is secured or restricted compared to the default setup without HTTPS enabled.

5.3.3. Configuring HTTPS for Web Administration Components
リンクのコピー

On a machine where Web Administration server is installed, perform the following steps.

  1. Create a new 00_tendrl-ssl.conf file using the sample configuration file: 

    # cp /etc/httpd/conf.d/00_tendrl-ssl.conf.sample /etc/httpd/conf.d/00_tendrl-ssl.conf
    Copy to Clipboard Toggle word wrap

  2. Make the following changes to the /etc/httpd/conf.d/00_tendrl-ssl.conf file:

    • Set ServerName to host name (fqdn) of Web Administration server.
    • Edit the file path for the SSLCertificateFile variable if you want to use your own certificate instead of default self-signed /etc/pki/tls/certs/localhost.crt generated by the mod_ssl package.
    • Edit the file path for the SSLCertificateKeyFile variable if you have changed certificate file in the previous step. The default value is /etc/pki/tls/private/localhost.key.

  3. Make the following changes to the /etc/httpd/conf.d/tendrl.conf file:

    • Uncomment the line which has the Redirect rule and replace %ssl_virtualhost_fqdn% with the fully qualified domain name of Web Administration server.
    • Comment the lines (put a # at the beginning of each line) that have the DocumentRoot, ProxyPass, and ProxyPassReverse directives.

  4. Check if the configuration is valid. 

    # apachectl -t
    Copy to Clipboard Toggle word wrap

  5. Reload the httpd daemon. 

    # systemctl reload httpd.service
    Copy to Clipboard Toggle word wrap

  6. Ensure that the https port is open. 

    # firewall-cmd --add-service=https
# firewall-cmd --add-service=https --permanent
    Copy to Clipboard Toggle word wrap
Note

Reload the web browser if you have the browser open with the Web Administration UI or Grafana dashboard.

Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2026 Red Hatトップに戻る