Add SSL configuration section

Change-Id: I763e2e7f1aabae84a0542e1fdcc640c0eb99c295
Ekaterina Fedorova
2013-07-29 20:48:12 +04:00
parent 306ec988c7
commit c1fd231a05


@@ -527,4 +527,143 @@ service murano-api start
</programlisting>
</section>
</section>
<section id="ssl">
<title>SSL configuration</title>
<section>
<title>HTTPS for Murano API</title>
<para>
SSL for Murano API service
can be enabled in <emphasis>ssl</emphasis> section in
<emphasis>/etc/murano-api.conf</emphasis>. The use of SSL is
automatically implemented by using a URL starting with HTTPS instead of HTTP.
SSL configuration example using the included sample certificates:
</para>
<programlisting>
<![CDATA[
[ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystone.pem>
ca_certs = <path to ca.pem>
cert_required = True
]]>
</programlisting>
<itemizedlist>
<listitem>
<para>
<emphasis>enable:</emphasis> True enables SSL. Defaults to False.
</para>
</listitem>
<listitem>
<para>
<emphasis>certfile:</emphasis> Path to Keystone public certificate file.
</para>
</listitem>
<listitem>
<para>
<emphasis>keyfile:</emphasis> Path to Keystone private certificate file.
If the private key is included in the certfile, the keyfile maybe omitted.
</para>
</listitem>
<listitem>
<para>
<emphasis>ca_certs:</emphasis> Path to CA trust chain.
</para>
</listitem>
<listitem>
<para>
<emphasis>cert_required:</emphasis>
Requires client certificate. Defaults to False.
</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>SSL for RabbitMQ</title>
<para>
All Murano components communicate with each other
by RabbitMQ. This interaction can be encrypted with SSL. By
default all messages in Rabbit MQ are not encrypted.
Each RabbitMQ Exchange should be configured separately.
</para>
<section>
<title>Murano API -> Rabbit MQ exchange</title>
<para>
Edit <emphasis>rabbitmq</emphasis> section in <emphasis>/etc/murano-api.conf</emphasis>
and set ssl option to True to enable SSL. Specify the path to the
SSL CA certificate in regular format: /path/to/file without quotes or leave it empty to allow
self-signed certificates.
</para>
<programlisting>
<![CDATA[
[rabbitmq]
# Use SSL for RabbitMQ connections (True or False)
ssl = True
# Path to SSL CA certificate or empty to allow self signed server certificate
ca_certs =
]]>
</programlisting>
</section>
<section>
<title>Rabbit MQ -> Murano Conductor exchange</title>
<para>
Open <emphasis>/etc/murano-conductor/conductor.conf</emphasis>
and configure <emphasis>rabbitmq</emphasis> section in the same way:
Enable ssl option to True and set CA certificate path or leave it empty to allow
self-signed certificates.
</para>
<programlisting>
<![CDATA[
[rabbitmq]
# Use SSL for RabbitMQ connections (True or False)
ssl = True
# Path to SSL CA certificate or empty to allow self signed server certificate
ca_certs = /home/user/certificates/example.crt
]]>
</programlisting>
</section>
<section>
<title>Murano Agent -> Rabbit MQ exchange</title>
<para>
By default all Murano Conductor configuration settings apply to Murano Agent.
If you want to configure Murano Agent in a different way change the default template. It can be found
here:<emphasis>/murano-conductor/data/templates/agent-config/Default.template.</emphasis>
Take a look at appSettings section:
</para>
<programlisting>
<![CDATA[
<appSettings>
<add key="rabbitmq.host" value="%RABBITMQ_HOST%"/>
<add key="rabbitmq.port" value="%RABBITMQ_PORT%"/>
<add key="rabbitmq.user" value="%RABBITMQ_USER%"/>
<add key="rabbitmq.password"
value="%RABBITMQ_PASSWORD%"/>
<add key="rabbitmq.vhost" value="%RABBITMQ_VHOST%"/>
<add key="rabbitmq.inputQueue"
value="%RABBITMQ_INPUT_QUEUE%"/>
<add key="rabbitmq.resultExchange" value=""/>
<add key="rabbitmq.resultRoutingKey"
value="%RESULT_QUEUE%"/>
<add key="rabbitmq.durableMessages" value="true"/>
<add key="rabbitmq.ssl" value="%RABBITMQ_SSL%"/>
<add key="rabbitmq.allowInvalidCA" value="true"/>
<add key="rabbitmq.sslServerName" value=""/>
</appSettings>
]]>
</programlisting>
<para>
Desired parameter should be set directly to the value of the key
that you want to change. Quotes are need to be kept.
Thus you can change "rabbitmq.ssl" and "rabbitmq.port" values to
make Rabbit MQ work with this exchange in a different from
Murano-Conductor way.
</para>
</section>
</section>
</section>
</chapter>
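
Review bot: In the three RabbitMQ subsections, leaving `ca_certs` empty is presented as an ordinary choice "to allow self-signed certificates", and the agent template ships `rabbitmq.allowInvalidCA` set to "true" with an empty `rabbitmq.sslServerName`, but the text never says what that costs: with no trusted CA configured the connection is encrypted while the broker's certificate is not checked against anything, so the peer is not authenticated. Please say that explicitly, recommend setting a CA path for production deployments, and document `rabbitmq.allowInvalidCA` and `rabbitmq.sslServerName` in the paragraph after the template, which currently mentions only "rabbitmq.ssl" and "rabbitmq.port". In the HTTPS section, `certfile` and `keyfile` are described as Keystone files and the example points both at keystone.pem; if these are meant to be the Murano API server's own certificate and key, name them as such, and call the keyfile a private key rather than a "private certificate file". The sentence "The use of SSL is automatically implemented by using a URL starting with HTTPS instead of HTTP" also needs to state which side it refers to, since the server is switched by `enable = True`. Minor wording: "maybe omitted" should be "may be omitted", and "Quotes are need to be kept" should be "Quotes must be kept".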