docs/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst


.. pmb1590001656644
.. _install-rest-api-and-horizon-certificate:

========================================
Install REST API and Horizon Certificate
========================================

.. rubric:: |context|

For secure communications, HTTPS should be enabled for OpenStack REST API and
Horizon endpoints by configuring a certificate for these endpoints.

.. rubric:: |prereq|

-   Obtain an Intermediate or Root |CA|-signed certificate and key from a trusted
    Intermediate or Root |CA|. The OpenStack certificate should be created with a
    wildcard SAN.

    For example:

    .. code-block:: none

        X509v3 extensions:
        X509v3 Subject Alternative Name:
        DNS:*.west2.us.example.com

    -   To install an openstack certificate, the domain has to be added to the
        service-parameter openstack as prerequisite, for details see
        :ref:`Update the Domain Name <update-the-domain-name>`.

        .. code-block:: none

            ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com

            +-------------+--------------------------------------+
            | Property    | Value                                |
            +-------------+--------------------------------------+
            | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
            | service     | openstack                            |
            | section     | Helm                                 |
            | name        | endpoint_domain                      |
            | value       | west2.us.example.com                 |
            | personality | None                                 |
            | resource    | None                                 |
            +-------------+--------------------------------------+

            ~(keystone_admin)$ system service-parameter-apply openstack
            Applying openstack service parameters

-   HTTPS must be enabled for |prod|, see :ref:`Configure REST API Applications
    and Web Administration Server Certificate
    <configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f>`.

.. rubric:: |proc|

#.  Put the |PEM| encoded versions of the OpenStack certificate and key in a
    single file (e.g. ``openstack-cert-key.pem``), and put the certificate of
    the Root |CA| in a separate file (e.g. ``openstack-ca-cert.pem``), then
    copy the files to the controller host.

#.  Install the certificate as the OpenStack REST API / Horizon Certificate.

    This will automatically update the required openstack Helm charts.

    .. code-block:: none

        ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
        ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
        ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem

#.  Apply the Helm chart overrides containing the certificate changes.

    .. parsed-literal::

        ~(keystone_admin)$ system application-apply |prefix|-openstack

#.  Ensure port 443 is open in |prod| firewall. For details see :ref:`Modify
    Firewall Options <security-firewall-options>`.
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
			`.. pmb1590001656644`
			`.. _install-rest-api-and-horizon-certificate:`

			`========================================`
			`Install REST API and Horizon Certificate`
			`========================================`

			`.. rubric:: \|context\|`

Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			`For secure communications, HTTPS should be enabled for OpenStack REST API and`
			`Horizon endpoints by configuring a certificate for these endpoints.`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Install conditionalizations OVS related deployment conditionalizations. Patchset 1 review updates. Updates based on additional inputs. Patchset 3 review updates. Fixed some unexpanded substitutions and formatting issues throughout. Patchset 5 updates. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Ib86bf0e13236a40f7a472d4448a9b2d3cc165deb Signed-off-by: Ron Stone <ronald.stone@windriver.com> Reorg OpenStack installion for DS consumption This review replaces https://review.opendev.org/c/starlingx/docs/+/801130 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iab9c8d56cff9c1bc57e7e09fb3ceef7cf626edad Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-07-16 15:37:55 -04:00			`.. rubric:: \|prereq\|`

Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			`- Obtain an Intermediate or Root \|CA\|-signed certificate and key from a trusted`
			`Intermediate or Root \|CA\|. The OpenStack certificate should be created with a`
			`wildcard SAN.`
Install conditionalizations OVS related deployment conditionalizations. Patchset 1 review updates. Updates based on additional inputs. Patchset 3 review updates. Fixed some unexpanded substitutions and formatting issues throughout. Patchset 5 updates. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Ib86bf0e13236a40f7a472d4448a9b2d3cc165deb Signed-off-by: Ron Stone <ronald.stone@windriver.com> Reorg OpenStack installion for DS consumption This review replaces https://review.opendev.org/c/starlingx/docs/+/801130 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iab9c8d56cff9c1bc57e7e09fb3ceef7cf626edad Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-07-16 15:37:55 -04:00
Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			`For example:`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			`.. code-block:: none`

			`X509v3 extensions:`
			`X509v3 Subject Alternative Name:`
			`DNS:*.west2.us.example.com`

			`- To install an openstack certificate, the domain has to be added to the`
			`service-parameter openstack as prerequisite, for details see`
			:ref:`Update the Domain Name <update-the-domain-name>`.

			`.. code-block:: none`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			`~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com`

			`+-------------+--------------------------------------+`
			`\| Property \| Value \|`
			`+-------------+--------------------------------------+`
			`\| uuid \| 0459ede4-85e7-4767-aca9-d29e84f38bd4 \|`
			`\| service \| openstack \|`
			`\| section \| Helm \|`
			`\| name \| endpoint_domain \|`
			`\| value \| west2.us.example.com \|`
			`\| personality \| None \|`
			`\| resource \| None \|`
			`+-------------+--------------------------------------+`

			`~(keystone_admin)$ system service-parameter-apply openstack`
			`Applying openstack service parameters`

			- HTTPS must be enabled for \|prod\|, see :ref:`Configure REST API Applications
			`and Web Administration Server Certificate`
			<configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f>`.
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`.. rubric:: \|proc\|`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`#. Put the \|PEM\| encoded versions of the OpenStack certificate and key in a`
Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			single file (e.g. ``openstack-cert-key.pem``), and put the certificate of
			the Root \|CA\| in a separate file (e.g. ``openstack-ca-cert.pem``), then
			`copy the files to the controller host.`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`#. Install the certificate as the OpenStack REST API / Horizon Certificate.`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			`This will automatically update the required openstack Helm charts.`

Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`.. code-block:: none`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			`~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem`
			`~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem`
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
			`#. Apply the Helm chart overrides containing the certificate changes.`

Remove mention to wr-openstack Change “wr-openstack” instances to “\|prefix\|-openstack”. PS2: Use \|prefix\| substitution instead of "stx" PS3, 4, 5, 6, 7: Fix table alignment PS8: Replace table with text for \|prefix\| usage Closes-Bug: 1948045 Change-Id: I41f804dd83d480e99a9c8ebfc252def3de0215ea Signed-off-by: MCamp859 <maryx.camp@intel.com> 2021-10-26 11:25:46 -04:00			`.. parsed-literal::`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Remove mention to wr-openstack Change “wr-openstack” instances to “\|prefix\|-openstack”. PS2: Use \|prefix\| substitution instead of "stx" PS3, 4, 5, 6, 7: Fix table alignment PS8: Replace table with text for \|prefix\| usage Closes-Bug: 1948045 Change-Id: I41f804dd83d480e99a9c8ebfc252def3de0215ea Signed-off-by: MCamp859 <maryx.camp@intel.com> 2021-10-26 11:25:46 -04:00			`~(keystone_admin)$ system application-apply \|prefix\|-openstack`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Added prereq for Install REST API/Horizon Certificate. (r5, r6) Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f 2022-03-28 20:35:52 -03:00			#. Ensure port 443 is open in \|prod\| firewall. For details see :ref:`Modify
			Firewall Options <security-firewall-options>`.