deb-murano/doc/source/admin/deploy_murano/configure_ssl.rst
zhurong 9cb54690e9 Adapt murano documentation for new standards
This patch set makes the following changes:
 * using the new standards
 * Update doc/source/index.rst with new links
 * Move content of install-guide to the doc/source/install

Change-Id: Ic16671191832d949d2ea0626dcbf334ba60c56ef
2017-07-11 11:38:08 +08:00

3.5 KiB

Configure SSL

Murano components can work with SSL. This section provides information on how to set SSL properly.

Configure SSL for Murano API

To configure SSL for the Murano API service, modify the [ssl] section in /etc/murano/murano.conf:

[ssl]
cert_file = <PATH>
key_file = <PATH>
ca_file = <PATH>
Parameter Description
cert_file A path to the certificate file the server should use when binding to an SSL-wrapped socket.
key_file A path to the private key file the server should use when binding to an SSL-wrapped socket.
ca_file A path to the CA certificate file the server should use to validate client certificates provided during an SSL handshake. This parameter is ignored if the cert_file and key_file parameters are not set.

Murano API starts using SSL automatically after you point to the HTTPS protocol instead of HTTP during the registration of the Murano API service in endpoints, modifying the publicurl argument to start with https://.

SSL for Murano API is implemented the same way as in any other OpenStack component. See ssl python module for details.

Configure SSL for RabbitMQ

All murano components communicate with each other using RabbitMQ. By default, all messages in RabbitMQ are not encrypted. You can encrypt this interaction with SSL. Configure each RabbitMQ exchange separately.

Murano API <-> RabbitMQ <-> Murano engine

Modify the [default] section in the /etc/murano/murano.conf file:

  1. Enable SSL for RabbitMQ:

    # connect over SSL for RabbitMQ (boolean value)
    rabbit_use_ssl = true
  2. Set the kombu parameters.

    Specify the paths to the SSL key file and SSL CA certificate in a regular </PATH/TO/FILE> format without quotes or leave them empty to enable self-signed certificates:

    # SSL version to use (valid only if SSL enabled). valid values
    # are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
    # distributions (string value)
    kombu_ssl_version =
    
    # SSL key file (valid only if SSL enabled) (string value)
    kombu_ssl_keyfile =
    
    # SSL cert file (valid only if SSL enabled) (string value)
    kombu_ssl_certfile =
    
    # SSL certification authority file (valid only if SSL enabled)
    # (string value)
    kombu_ssl_ca_certs =

Murano agent -> RabbitMQ

To encrypt the communication between the murano agent and RabbitMQ, set ssl = True in the [rabbitmq] section of /etc/murano/murano.conf:

[rabbitmq]
...
ssl = True
insecure = False

If you want to configure the murano agent differently, you need to change the default template located in the murano core library. After you finish with the template modification, verify that you zip and re-upload the murano core library.

Configure SSL for the Dashboard

If you do not plan to use self-signed certificates, no additional configurations are required. Just point your web browser to the URL starting with https://.

Otherwise, set the MURANO_API_INSECURE parameter to True in /etc/openstack-dashboard/local_settings.py.