Updating Case Studies - Alice's API Endpoints Section

+ Apache, TLS, HAProxy + Load-balancing details w/SSL offloading + Removing redundant 'and' Change-Id: I89bb71e4e8cd0037e4c565c2d0431681c9cbb145 Partial-Bug: #1349540
2015-05-28 12:59:41 -07:00
parent f5d68ef269
commit 712c151492
1 changed files with 20 additions and 14 deletions
--- a/security-guide/section_case-studies-api-endpoints.xml
+++ b/security-guide/section_case-studies-api-endpoints.xml
@@ -11,22 +11,28 @@
      <title>Alice's private cloud</title>
      <para>
        Alice's organization requires that the security architecture
-        protect the access to the public and private endpoints, so she
-        elects to use the Apache TLS proxy on both public and internal
-        services. Alice's organization has implemented its own
-        certificate authority. Alice contacts the PKI office in her
-        agency that manages her PKI and certificate issuance. Alice
-        obtains certificates issued by this CA and configures the
-        services within both the public and management security
-        domains to use these certificates. Since Alice's OpenStack
-        deployment exists entirely on a network disconnected from the
-        Internet, she makes sure to remove all default CA bundles that
-        contain external public CA providers to ensure the OpenStack
-        services only accept client certificates issued by her
-        agency's CA. Alice has registered all of the services in the
+        protect the access to the private endpoints, so she elects to
+        use Apache with TLS enabled and HAProxy for load balancing in
+        front of the web service. As Alice's organization has
+        implemented its own certificate authority, she configures the
+        services within both the guest and management security domains
+        to use these certificates. Since Alice's OpenStack deployment
+        exists entirely on a network disconnected from the Internet, she
+        makes sure to remove all default CA bundles that contain
+        external public CA providers to ensure the OpenStack services
+        only accept client certificates issued by her agency's CA. As
+        she is using HAProxy, Alice configures SSL offloading on her
+        load balancer, and a virtual server IP (VIP) on the load
+        balancer with the http to https redirection policy to her API
+        endpoint systems.
+      </para>
+      <para>Alice has registered all of the services in the
        Identity service's catalog, using the internal URLs for access
        by internal services. She has installed host-based intrusion
-        detection on all of the API endpoints.
+        detection (HIDS) to monitor the security events on the
+        endpoints. On the hosts, Alice also ensures that the API
+        services are confined to a network namespace while confirming
+        that there is a robust SELinux profile applied to the services.
      </para>
    </section>
    <section xml:id="case-studies-api-endpoints-bob-public-cloud">