Merge "Added prereq for Install REST API/Horizon Certificate. (r5, r6)"

doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst

@@ -8,35 +8,65 @@ Install REST API and Horizon Certificate
 
 .. rubric:: |context|
 
-This certificate must be valid for the domain configured for OpenStack, see the
+For secure communications, HTTPS should be enabled for OpenStack REST API and
-sections on :ref:`Accessing the System <access-using-the-default-set-up>`.
+Horizon endpoints by configuring a certificate for these endpoints.
 
 .. rubric:: |prereq|
 
-Obtain an Intermediate or Root CA-signed certificate and key from a trusted
+-   Obtain an Intermediate or Root |CA|-signed certificate and key from a trusted
-Intermediate or Root CA. The OpenStack certificate should be created with a
+    Intermediate or Root |CA|. The OpenStack certificate should be created with a
-wildcard SAN, for example:
+    wildcard SAN.
 
-.. code-block:: none
+    For example:
 
-    X509v3 extensions:
+    .. code-block:: none
-    X509v3 Subject Alternative Name:
-    DNS:*.west2.us.example.com
 
+        X509v3 extensions:
+        X509v3 Subject Alternative Name:
+        DNS:*.west2.us.example.com
+
+    -   To install an openstack certificate, the domain has to be added to the
+        service-parameter openstack as prerequisite, for details see
+        :ref:`Update the Domain Name <update-the-domain-name>`.
+
+        .. code-block:: none
+
+            ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
+
+            +-------------+--------------------------------------+
+            | Property    | Value                                |
+            +-------------+--------------------------------------+
+            | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
+            | service     | openstack                            |
+            | section     | Helm                                 |
+            | name        | endpoint_domain                      |
+            | value       | west2.us.example.com                 |
+            | personality | None                                 |
+            | resource    | None                                 |
+            +-------------+--------------------------------------+
+
+            ~(keystone_admin)$ system service-parameter-apply openstack
+            Applying openstack service parameters
+
+-   HTTPS must be enabled for |prod|, see :ref:`Configure REST API Applications
+    and Web Administration Server Certificate
+    <configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f>`.
 
 .. rubric:: |proc|
 
 #.  Put the |PEM| encoded versions of the OpenStack certificate and key in a
-    single file (e.g. **openstack-cert-key.pem**), and put the certificate of
+    single file (e.g. ``openstack-cert-key.pem``), and put the certificate of
-    the Root CA in a separate file (e.g. **openstack-ca-cert.pem**), and copy
+    the Root |CA| in a separate file (e.g. ``openstack-ca-cert.pem``), then
-    the files to the controller host.
+    copy the files to the controller host.
 
 #.  Install the certificate as the OpenStack REST API / Horizon Certificate.
 
+    This will automatically update the required openstack Helm charts.
+
     .. code-block:: none
 
-        ~(keystone_admin)]$ system certificate-install -m ssl_ca openstack-ca-cert.pem
+        ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
-        ~(keystone_admin)]$ system certificate-install -m openstack_ca openstack-ca-cert.pem
+        ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
         ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem
 
 #.  Apply the Helm chart overrides containing the certificate changes.
@@ -45,3 +75,5 @@ wildcard SAN, for example:
 
         ~(keystone_admin)$ system application-apply |prefix|-openstack
 
+#.  Ensure port 443 is open in |prod| firewall. For details see :ref:`Modify
+    Firewall Options <security-firewall-options>`.