f125a8b892
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
111 lines
4.0 KiB
ReStructuredText
111 lines
4.0 KiB
ReStructuredText
.. _dc-admin-endpoint-certificates-8fe7adf3f932:
|
|
|
|
=============================================
|
|
Distributed Cloud Admin Endpoint Certificates
|
|
=============================================
|
|
|
|
|DC| admin endpoint certificates are used to secure communication between
|
|
System Controller and subclouds by HTTPs.
|
|
|
|
These certificates are generated, stored and auto renewed internally by the
|
|
system.
|
|
|
|
---------------------------------------------------
|
|
Certificate management for admin REST API endpoints
|
|
---------------------------------------------------
|
|
|
|
All messaging between System Controllers and subclouds in the |prod-dc|
|
|
system uses the admin REST API service endpoints, which are all configured for
|
|
secure HTTPS.
|
|
|
|
|prod| supports automated HTTPS certificate renewal for |prod-dc| admin
|
|
endpoints.
|
|
|
|
.. contents:: |minitoc|
|
|
:local:
|
|
:depth: 1
|
|
|
|
.. certificate-management-for-admin-rest--api-endpoints-section-lkn-ypk-xnb:
|
|
|
|
-------------------------------------
|
|
Certificates on the System Controller
|
|
-------------------------------------
|
|
|
|
In a |prod-dc| system, the HTTPS certificates for admin endpoints are
|
|
managed by |prod| internally.
|
|
|
|
.. note::
|
|
|
|
All renewal operations are automatic, and no user operation is required.
|
|
|
|
For admin endpoints, the System Controllers in a |prod-dc| system manages the
|
|
following certificates:
|
|
|
|
|
|
.. certificate-management-for-admin-rest--api-endpoints-ul-zdc-pmk-xnb:
|
|
|
|
- **DC-AdminEp-Root-CA certificate**: This certificate expires in 1825 days
|
|
(approximately 5 years). Renewal of this certificate starts 30 days prior
|
|
to expiry.
|
|
|
|
The Root |CA| certificate is renewed on the System Controller. When the
|
|
certificate is renewed, |prod| renews the Intermediate |CA|
|
|
certificates for all subclouds.
|
|
|
|
- **DC-AdminEp-Intermediate-CA certificate for 'each' subcloud**: This
|
|
certificate expires in 365 days. Renewal of this certificate starts 30 days
|
|
prior to expiry. This certificate is used for all subclouds that are
|
|
unmanaged.
|
|
|
|
- **DC-AdminEp-endpoint**: This certificate expires in 180 days. Renewal of
|
|
this certificate starts 30 days prior to expiry.
|
|
|
|
|
|
|
|
.. certificate-management-for-admin-rest--api-endpoints-section-qdd-xpk-xnb:
|
|
|
|
----------------------------
|
|
Certificates on the subcloud
|
|
----------------------------
|
|
|
|
For admin endpoints, the subcloud controllers manage the following
|
|
certificates:
|
|
|
|
|
|
.. certificate-management-for-admin-rest--api-endpoints-ul-x51-3qk-xnb:
|
|
|
|
- **DC-AdminEp-Intermediate-CA certificate**: The Intermediate |CA|
|
|
certificate for a subcloud is renewed on the System Controller. It is sent
|
|
to the subcloud using a Rest API. Therefore, a subcloud needs to be online
|
|
to receive the renewed certificate.
|
|
|
|
.. warning::
|
|
|
|
If the subcloud is offline for an extended period of time and the
|
|
Intermediate |CA| certificate expires while the subcloud is offline,
|
|
the renewal will not occur automatically and manual recovery will be
|
|
required.
|
|
|
|
For manual recovery, please contact |org| support.
|
|
|
|
If the subcloud is offline at the time when the subcloud Intermediate |CA|
|
|
certificate is renewed, the subcloud status **dc-cert** displays
|
|
"out-of-sync". Certificate renewal continues once the subcloud is online.
|
|
When renewal completes, the status changes to "in-sync". Subclouds start
|
|
admin endpoint certificate renewal once subcloud Intermediate |CA|
|
|
certificate renewal is complete.
|
|
|
|
- **DC-AdminEp certificate for the Subcloud**: This certificate expires in
|
|
180 days. Renewal of this certificate starts 30 days prior to expiry.
|
|
|
|
When the admin endpoint certificate is renewed, a new |TLS| certificate is
|
|
generated. The new |TLS| certificate is used to provide |TLS| termination.
|
|
|
|
|
|
The System Controller audits subcloud AdminEp certificates daily. It also
|
|
audits subcloud admin endpoints when a subcloud becomes online or managed. If
|
|
the subcloud admin endpoint is "out-of-sync", the System Controller initiates
|
|
Intermediate |CA| certificate renewal, to force subcloud renewal of the admin
|
|
endpoint certificate.
|
|
|