Added prereq for Install REST API/Horizon Certificate. (r5, r6)

Moved the " HTTPS must be enabled for..." prereq to the last item in the list. Added blank line above Install the certificate. Minor formatting updates. Added more one prereq and procedure. Updated domain name. Updated <domain name> and minor formatting updates. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f
2022-03-28 20:35:52 -03:00 · 2022-03-28 20:35:52 -03:00 · 88cae73927
commit 88cae73927
parent 6ca2809596
1 changed files with 46 additions and 14 deletions
--- a/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst
+++ b/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst
@ -8,35 +8,65 @@ Install REST API and Horizon Certificate

 .. rubric:: |context|

-This certificate must be valid for the domain configured for OpenStack, see the
-sections on :ref:`Accessing the System <access-using-the-default-set-up>`.
+For secure communications, HTTPS should be enabled for OpenStack REST API and
+Horizon endpoints by configuring a certificate for these endpoints.

 .. rubric:: |prereq|

-Obtain an Intermediate or Root CA-signed certificate and key from a trusted
-Intermediate or Root CA. The OpenStack certificate should be created with a
-wildcard SAN, for example:
+-   Obtain an Intermediate or Root |CA|-signed certificate and key from a trusted
+    Intermediate or Root |CA|. The OpenStack certificate should be created with a
+    wildcard SAN.

-.. code-block:: none
+    For example:

-    X509v3 extensions:
-    X509v3 Subject Alternative Name:
-    DNS:*.west2.us.example.com
+    .. code-block:: none

+        X509v3 extensions:
+        X509v3 Subject Alternative Name:
+        DNS:*.west2.us.example.com
+
+    -   To install an openstack certificate, the domain has to be added to the
+        service-parameter openstack as prerequisite, for details see
+        :ref:`Update the Domain Name <update-the-domain-name>`.
+
+        .. code-block:: none
+
+            ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
+
+            +-------------+--------------------------------------+
+            | Property    | Value                                |
+            +-------------+--------------------------------------+
+            | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
+            | service     | openstack                            |
+            | section     | Helm                                 |
+            | name        | endpoint_domain                      |
+            | value       | west2.us.example.com                 |
+            | personality | None                                 |
+            | resource    | None                                 |
+            +-------------+--------------------------------------+
+
+            ~(keystone_admin)$ system service-parameter-apply openstack
+            Applying openstack service parameters
+
+-   HTTPS must be enabled for |prod|, see :ref:`Configure REST API Applications
+    and Web Administration Server Certificate
+    <configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f>`.

 .. rubric:: |proc|

 #.  Put the |PEM| encoded versions of the OpenStack certificate and key in a
-    single file (e.g. **openstack-cert-key.pem**), and put the certificate of
-    the Root CA in a separate file (e.g. **openstack-ca-cert.pem**), and copy
-    the files to the controller host.
+    single file (e.g. ``openstack-cert-key.pem``), and put the certificate of
+    the Root |CA| in a separate file (e.g. ``openstack-ca-cert.pem``), then
+    copy the files to the controller host.

 #.  Install the certificate as the OpenStack REST API / Horizon Certificate.

+    This will automatically update the required openstack Helm charts.
+
    .. code-block:: none

-        ~(keystone_admin)]$ system certificate-install -m ssl_ca openstack-ca-cert.pem
-        ~(keystone_admin)]$ system certificate-install -m openstack_ca openstack-ca-cert.pem
+        ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
+        ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
        ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem

 #.  Apply the Helm chart overrides containing the certificate changes.
@ -45,3 +75,5 @@ wildcard SAN, for example:

        ~(keystone_admin)$ system application-apply |prefix|-openstack

+#.  Ensure port 443 is open in |prod| firewall. For details see :ref:`Modify
+    Firewall Options <security-firewall-options>`.