diff --git a/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst b/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst index 325ab9355..bf882158f 100644 --- a/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst +++ b/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst 
@@ -8,35 +8,65 @@ Install REST API and Horizon Certificate .. rubric:: |context| -This certificate must be valid for the domain configured for OpenStack, see the -sections on :ref:`Accessing the System `. +For secure communications, HTTPS should be enabled for OpenStack REST API and +Horizon endpoints by configuring a certificate for these endpoints. .. rubric:: |prereq| -Obtain an Intermediate or Root CA-signed certificate and key from a trusted -Intermediate or Root CA. The OpenStack certificate should be created with a -wildcard SAN, for example: +- Obtain an Intermediate or Root |CA|-signed certificate and key from a trusted + Intermediate or Root |CA|. The OpenStack certificate should be created with a + wildcard SAN. -.. code-block:: none + For example: - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:*.west2.us.example.com + .. code-block:: none + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:*.west2.us.example.com + + - To install an openstack certificate, the domain has to be added to the + service-parameter openstack as prerequisite, for details see + :ref:`Update the Domain Name `. + + .. code-block:: none + + ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com + + +-------------+--------------------------------------+ + | Property | Value | + +-------------+--------------------------------------+ + | uuid | 0459ede4-85e7-4767-aca9-d29e84f38bd4 | + | service | openstack | + | section | Helm | + | name | endpoint_domain | + | value | west2.us.example.com | + | personality | None | + | resource | None | + +-------------+--------------------------------------+ + + ~(keystone_admin)$ system service-parameter-apply openstack + Applying openstack service parameters + +- HTTPS must be enabled for |prod|, see :ref:`Configure REST API Applications + and Web Administration Server Certificate + `. .. rubric:: |proc| #. 
Put the |PEM| encoded versions of the OpenStack certificate and key in a - single file (e.g. **openstack-cert-key.pem**), and put the certificate of - the Root CA in a separate file (e.g. **openstack-ca-cert.pem**), and copy - the files to the controller host. + single file (e.g. ``openstack-cert-key.pem``), and put the certificate of + the Root |CA| in a separate file (e.g. ``openstack-ca-cert.pem``), then + copy the files to the controller host. #. Install the certificate as the OpenStack REST API / Horizon Certificate. + This will automatically update the required openstack Helm charts. + .. code-block:: none - ~(keystone_admin)]$ system certificate-install -m ssl_ca openstack-ca-cert.pem - ~(keystone_admin)]$ system certificate-install -m openstack_ca openstack-ca-cert.pem + ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem + ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem #. Apply the Helm chart overrides containing the certificate changes. @@ -45,3 +75,5 @@ wildcard SAN, for example: ~(keystone_admin)$ system application-apply |prefix|-openstack +#. Ensure port 443 is open in |prod| firewall. For details see :ref:`Modify + Firewall Options `.
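Review bot: the CA-bundle instruction is now inconsistent with the prerequisite it sits under. The prerequisite accepts an "Intermediate or Root |CA|-signed certificate", but the procedure still says to put "the certificate of the Root |CA| in a separate file (e.g. ``openstack-ca-cert.pem``)", and that one file feeds both `-m ssl_ca` and `-m openstack_ca`. When the leaf is issued by an intermediate, the file must also contain the intermediate certificate(s), or the installed trust anchor will not chain to the served certificate; suggest "the Root |CA| certificate, plus any intermediate |CA| certificates in the chain, in a separate file". Related: the removed sentence "This certificate must be valid for the domain configured for OpenStack" was the only statement tying the certificate to the domain. The new prerequisite shows `DNS:*.west2.us.example.com` and `endpoint_domain=west2.us.example.com` next to each other but never says the SAN has to cover the configured `endpoint_domain`, so restore that requirement in the first bullet rather than leaving it implied by the example values. Two structural points: the `- To install an openstack certificate, ...` bullet is indented one level under the "Obtain ... certificate" bullet although it is an independent prerequisite, so make it a sibling of the `- HTTPS must be enabled for |prod|` bullet; and, as the hunk reads here, the first `.. code-block:: none` is followed directly by `X509v3 extensions:` with no blank `+` line, unlike the later `.. code-block:: none` that precedes `~(keystone_admin)$ system service-parameter-add ...`; if that is really how the patch is written, docutils will reject the directive, so add the blank line.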
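Review bot: the added final step `#. Ensure port 443 is open in |prod| firewall.` is a precondition for reaching the endpoints, not something produced by `system application-apply |prefix|-openstack`, so it reads better as a prerequisite bullet next to "HTTPS must be enabled for |prod|" than as the last numbered step; it should also state which network the rule applies to (the one on which the OpenStack REST API and Horizon endpoints are exposed), since "open in |prod| firewall" alone does not say where. Separately, the procedure still ends without any verification: after the apply completes, a short check that the endpoint actually serves the new certificate and chain, for example `openssl s_client -connect <endpoint>:443 -servername <endpoint>` with `<endpoint>` being a host under `west2.us.example.com`, and confirming the SAN `*.west2.us.example.com` and the full chain are presented, would catch a wrong `endpoint_domain`, a missing intermediate, or a stale Helm override before users hit TLS errors.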