96760528b1
Some reorganization to accomodate up/down variances. Fixed merge conflicts Incorporated patchset 7 review comments Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7356e81526a94c0249526b44ce667f789245f6e2 Signed-off-by: Ron Stone <ronald.stone@windriver.com>
3.4 KiB
Certificate Management for Admin REST API Endpoints
All messaging between SystemControllers and Subclouds in the system uses the admin REST API service endpoints, which are all configured for secure HTTPS.
Cloud Platform supports automated HTTPS certificate renewal for admin endpoints.
Certificates on the SystemController
In a system, the HTTPS certificates for admin endpoints are managed by Cloud Platform internally.
Note
All renewal operations are automatic, and no user operation is required.
For admin endpoints, the SystemControllers in a system manages the following certificates:
DC-AdminEp-Root-CA certificate: This certificate expires in 1825 days (approximately 5 years). Renewal of this certificate starts 30 days prior to expiry.
The Root certificate is renewed on the SystemController. When the certificate is renewed, Cloud Platform renews the intermediate certificates for all subclouds.
DC-AdminEp-Intermediate-CA certificate for 'each' subcloud: This certificate expires in 365 days. Renewal of this certificate starts 30 days prior to expiry. This certificate is used for all subclouds that are unmanaged.
DC-AdminEp-endpoint: This certificate expires in 180 days. Renewal of this certificate starts 30 days prior to expiry.
Certificates on the Subcloud
For admin endpoints, the subcloud controllers manage the following certificates:
DC-AdminEp-Intermediate-CA certificate: The intermediate CA certificate for a subcloud is renewed on the SystemController. It is sent to the subcloud using a Rest API. Therefore, a subcloud needs to be online to receive the renewed certificate.
If the subcloud is offline at the time when the subcloud intermediate certificate is renewed, the subcloud status dc-cert displays "out-of-sync". Certificate renewal continues once the subcloud is online. When renewal completes, the status changes to "in-sync". Subclouds start admin endpoint certificate renewal once subcloud intermediate certificate renewal is complete.
DC-AdminEp certificate for the Subcloud: This certificate expires in 180 days. Renewal of this certificate starts 30 days prior to expiry.
When the admin endpoint certificate is renewed, a new certificate is generated. The new certificate is used to provide termination.
The SystemController audits subcloud AdminEp certificates daily. It also audits subcloud admin endpoints when a subcloud becomes online or managed. If the subcloud admin endpoint is "out-of-sync", the SystemController initiates intermediate certificate renewal, to force subcloud renewal of the admin endpoint certificate.