openstack/deb-murano
Code Issues Proposed changes
42b4bdca7f
deb-murano/doc/source/draft/admin-guide/deploy_murano/configure_ssl.rst
Maria Zlatkova 603b1c0d4a [Docs] Moves network configuration to admin-guide 
Changes:

- Restructures and moves Network configuration to the appropriate
  section of the Admin Guide.
- Removes Murano Installation Guide from the Miscellaneous section as
  it has already been rewritten and moved to the Admin Guide
  (see sections: Deploying Murano and Prepare a lab for Murano)
- No changes in the Policy configuration section.

Change-Id: I7d396375a312648ad2f05350b87079601b7c0878
Partial-Bug: #1603950
2016-08-17 09:39:44 +00:00

3.5 KiB
Raw Blame History

Configure SSL

Murano components can work with SSL. This section provides information on how to set SSL properly.

Configure SSL for Murano API

To configure SSL for the Murano API service, modify the [ssl] section in /etc/murano/murano.conf:

[ssl]
cert_file = <PATH>
key_file = <PATH>
ca_file = <PATH>
Parameter Description
cert_file A path to the certificate file the server should use when binding to an SSL-wrapped socket.
key_file A path to the private key file the server should use when binding to an SSL-wrapped socket.
ca_file A path to the CA certificate file the server should use to validate client certificates provided during an SSL handshake. This parameter is ignored if the cert_file and key_file parameters are not set.

Murano API starts using SSL automatically after you point to the HTTPS protocol instead of HTTP during the registration of the Murano API service in endpoints, modifying the publicurl argument to start with https://.

SSL for Murano API is implemented the same way as in any other OpenStack component. See ssl python module for details.

Configure SSL for RabbitMQ

All murano components communicate with each other using RabbitMQ. By default, all messages in RabbitMQ are not encrypted. You can encrypt this interaction with SSL. Configure each RabbitMQ exchange separately.

Murano API <-> RabbitMQ <-> Murano engine

Modify the [default] section in the /etc/murano/murano.conf file:

  1. Enable SSL for RabbitMQ:

    # connect over SSL for RabbitMQ (boolean value)
rabbit_use_ssl = true

  2. Set the kombu parameters.

    Specify the paths to the SSL key file and SSL CA certificate in a regular </PATH/TO/FILE> format without quotes or leave them empty to enable self-signed certificates:

    # SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions (string value)
kombu_ssl_version =

# SSL key file (valid only if SSL enabled) (string value)
kombu_ssl_keyfile =

# SSL cert file (valid only if SSL enabled) (string value)
kombu_ssl_certfile =

# SSL certification authority file (valid only if SSL enabled)
# (string value)
kombu_ssl_ca_certs =

Murano agent -> RabbitMQ

To encrypt the communication between the murano agent and RabbitMQ, set ssl = True in the [rabbitmq] section of /etc/murano/murano.conf:

[rabbitmq]
...
ssl = True
insecure = False

If you want to configure the murano agent differently, you need to change the default template located in the murano core library. After you finish with the template modification, verify that you zip and re-upload the murano core library.

Configure SSL for the Dashboard

If you do not plan to use self-signed certificates, no additional configurations are required. Just point your web browser to the URL starting with https://.

Otherwise, set the MURANO_API_INSECURE parameter to True in /etc/openstack-dashboard/local_settings.py.