Change-Id: I4522fe318541dac7f4ff4e45d72d4cd8869420ba
5.1 KiB
Home OpenStack-Ansible Installation Guide
Securing services with SSL certificates
The OpenStack Security Guide recommends providing secure communication between various services in an OpenStack deployment.
The OpenStack-Ansible project currently offers the ability to configure SSL certificates for secure communication with the following services:
- HAProxy
- Horizon
- Keystone
- RabbitMQ
For each service, you have the option to use self-signed certificates generated during the deployment process or provide SSL certificates, keys, and CA certificates from your own trusted certificate authority. Highly secured environments use trusted, user-provided, certificates for as many services as possible.
Note
Conduct all SSL certificate configuration in
/etc/openstack_deploy/user_variables.yml
and not in the
playbook roles themselves.
Self-signed certificates
Self-signed certificates ensure you are able to start quickly and you
are able to encrypt data in transit. However, they do not provide a high
level of trust for highly secure environments. The use of self-signed
certificates is currently the default in OpenStack-Ansible. When
self-signed certificates are being used, certificate verification must
be disabled using the following user variables depending on your
configuration. Add these variables in
/etc/openstack_deploy/user_variables.yml
.
keystone_service_adminuri_insecure: true
keystone_service_internaluri_insecure: true
Setting self-signed certificate subject data
Change the subject data of any self-signed certificate using
configuration variables. The configuration variable for each service is
<servicename>_ssl_self_signed_subject
. To change the
SSL certificate subject data for HAProxy, adjust
/etc/openstack_deploy/user_variables.yml
:
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN=haproxy.example.com"
For more information about the available fields in the certificate subject, refer to OpenSSL's documentation on the req subcommand.
Generating and regenerating self-signed certificates
Generate self-signed certificates for each service during the first run of the playbook.
Note
Subsequent runs of the playbook do not generate new SSL certificates
unless you set <servicename>_ssl_self_signed_regen
to
true
.
To force a self-signed certificate to regenerate, you can pass the
variable to openstack-ansible
on the command line:
# openstack-ansible -e "horizon_ssl_self_signed_regen=true" os-horizon-install.yml
To force a self-signed certificate to regenerate with every playbook
run, set the appropriate regeneration option to true
. For
example, if you have already run the os-horizon
playbook,
but you want to regenerate the self-signed certificate, set the
horizon_ssl_self_signed_regen
variable to true
in /etc/openstack_deploy/user_variables.yml
:
horizon_ssl_self_signed_regen: true
Note
Regenerating self-signed certificates replaces the existing certificates whether they are self-signed or user-provided.
User-provided certificates
You can provide your own SSL certificates, keys, and CA certificates for added trust in highly secure environments. Acquiring certificates from a trusted certificate authority is outside the scope of this document, but the Certificate Management section of the Linux Documentation Project explains how to create your own certificate authority and sign certificates.
Deploying user-provided SSL certificates is a three step process:
- Copy your SSL certificate, key, and CA certificate to the deployment host.
- Specify the path to your SSL certificate, key, and CA certificate in
/etc/openstack_deploy/user_variables.yml
. - Run the playbook for that service.
For example, to deploy user-provided certificates for RabbitMQ, copy
the certificates to the deployment host, edit
/etc/openstack_deploy/user_variables.yml
and set the
following three variables:
rabbitmq_user_ssl_cert: /tmp/example.com.crt
rabbitmq_user_ssl_key: /tmp/example.com.key
rabbitmq_user_ssl_ca_cert: /tmp/ExampleCA.crt
Run the playbook to apply the certificates:
# openstack-ansible rabbitmq-install.yml
The playbook deploys your user-provided SSL certificate, key, and CA certificate to each RabbitMQ container.
The process is identical to the other services. Replace
rabbitmq
in the configuration variables shown above with
horizon
, haproxy
, or keystone
to
deploy user-provided certificates to those services.