openstack-ansible/doc/source/install-guide/configure-sslcertificates.rst
Major Hayden 1b864a57fe Merge SSL documentation
Closes-Bug: 1497361

Change-Id: I6afc62f57eec8c6687244df7bf84a9d4936536dd
2015-09-23 09:29:18 -05:00

5.0 KiB

Home OpenStack Ansible Installation Guide

Securing services with SSL certificates

Providing secure communication between various services in an OpenStack deployment is highly recommended in the OpenStack Security Guide.

The openstack-ansible project currently offers the ability to configure SSL certificates for secure communication with the following services:

  • HAProxy
  • Horizon
  • Keystone
  • RabbitMQ

For each service, deployers have the option to use self-signed certificates generated during the deployment process or they can provide SSL certificates, keys and CA certificates from their own trusted certificate authority. Highly secured environments should use trusted, user-provided, certificates for as many services as possible.

All SSL certificate configuration should be done within /etc/openstack_deploy/user_variables.yml and not within the playbook roles themselves.

Self-signed certificates

Self-signed certificates make it easy to get started quickly and they ensure data is encrypted in transit, but they don't provide a high level of trust for highly secure environments. The use of self-signed certificates is currently the default in openstack-ansible.

Setting self-signed certificate subject data

The subject data of any self-signed certificate can be changed using configuration variables. The configuration variable for each service is <servicename>_ssl_self_signed_subject. To change the SSL certificate subject data for HAProxy, simply make this adjustment in /etc/openstack_deploy/user_variables.yml:

haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN=haproxy.example.com"

For more information about the available fields in the certificate subject, refer to OpenSSL's documentation on the req subcommand.

Generating and regenerating self-signed certificates

Self-signed certificates for each service are generated during the first run of the playbook. Subsequent runs of the playbook will not generate new SSL certificates unless the user sets <servicename>_ssl_self_signed_regen to true.

To force a self-signed certificate to regenerate you can pass the variable to openstack-ansible on the command line:

openstack-ansible -e "horizon_ssl_self_signed_regen=true" os-horizon-install.yml

To force a self-signed certificate to regenerate with every playbook run, simply set the appropriate regeneration option to true. For example, if you've already run the os-horizon playbook, but you want to regenerate the self-signed certificate, set the horizon_ssl_self_signed_regen variable to true in /etc/openstack_deploy/user_variables.yml:

horizon_ssl_self_signed_regen: true

Note that regenerating self-signed certificates will replace the existing certificates whether they are self-signed or user-provided.

User-provided certificates

Deployers can provide their own SSL certificates, keys, and CA certificates for added trust in highly secure environments. Acquiring certificates from a trusted certificate authority is outside the scope of this document, but The Linux Documentation Project has a section called Certificate Management that explains to create your own certificate authority and sign certificates.

Deploying user-provided SSL certificates is a three step process:

  1. Copy your SSL certificate, key, and CA certificate to the deployment host
  2. Specify the path to your SSL certificate, key and CA certificate in /etc/openstack_deploy/user_variables.yml
  3. Run the playbook for that service

As an example, if you wanted to deploy user-provided certificates for RabbitMQ, start by copying those certificates to the deployment host. Then, edit /etc/openstack_deploy/user_variables.yml and set the following three variables:

rabbitmq_user_ssl_cert:    /tmp/example.com.crt
rabbitmq_user_ssl_key:     /tmp/example.com.key
rabbitmq_user_ssl_ca_cert: /tmp/ExampleCA.crt

Simply run the playbook to apply the certificates:

openstack-ansible rabbitmq-install.yml

The playbook will deploy your user-provided SSL certificate, key, and CA certificate to each RabbitMQ container.

The process is identical with other services as well. Simply replace rabbitmq in the configuration variables shown above with horizon, haproxy, or keystone, to deploy user-provided certificates to those services.