Remove section Install/Update the StarlingX Rest and Web Server Certificate (dsR10,dsR10minor,r10)
Remove deprecated content. Change-Id: I493bc5e059b88406e7fd4f67a285c032e9bf2244 Signed-off-by: Elisamara Aoki Gonçalves <elisamaraaoki.goncalves@windriver.com>
This commit is contained in:
Elisamara Aoki Gonçalves
@@ -240,7 +240,6 @@
|
||||
.. |openstack-login-protection| replace:: :ref:`Login Protection <openstack-login-protection>`
|
||||
.. |index-security-84d0d8aa401b| replace:: :ref:`Security <index-security-84d0d8aa401b>`
|
||||
.. |pod-security-admission-controller-8e9e6994100f| replace:: :ref:`Pod Security Admission Controller <pod-security-admission-controller-8e9e6994100f>`
|
||||
.. |install-update-the-starlingx-rest-and-web-server-certificate| replace:: :ref:`Install/Update the StarlingX Rest and Web Server Certificate <install-update-the-starlingx-rest-and-web-server-certificate>`
|
||||
.. .. |pod-security-policies| replace:: :ref:`Pod Security Policies <pod-security-policies>`
|
||||
.. |remove-portieris| replace:: :ref:`Remove Portieris <remove-portieris>`
|
||||
.. |delete-ldap-linux-accounts-7de0782fbafd| replace:: :ref:`Delete LDAP Linux Accounts <delete-ldap-linux-accounts-7de0782fbafd>`
|
||||
|
||||
@@ -388,7 +388,6 @@ Deprecated Functionality
|
||||
|
||||
starlingx-rest-api-applications-and-the-web-administration-server-deprecated
|
||||
enable-https-access-for-starlingx-rest-and-web-server-endpoints
|
||||
install-update-the-starlingx-rest-and-web-server-certificate
|
||||
|
||||
|
||||
***************************************
|
||||
|
||||
@@ -1,78 +0,0 @@
|
||||
|
||||
.. law1570030645265
|
||||
.. _install-update-the-starlingx-rest-and-web-server-certificate:
|
||||
|
||||
============================================================
|
||||
Install/Update the StarlingX Rest and Web Server Certificate
|
||||
============================================================
|
||||
|
||||
Use the following procedure to install or update the certificate for the |prod|
|
||||
REST API application endpoints (Keystone, Barbican and |prod|) and the
|
||||
|prod| web administration server.
|
||||
|
||||
.. rubric:: |prereq|
|
||||
|
||||
Obtain an intermediate or Root |CA|-signed server certificate and key from a
|
||||
trusted Intermediate or Root |CA|. Refer to the documentation for the external
|
||||
Intermediate or Root |CA| that you are using, on how to create public
|
||||
certificate and private key pairs, signed by intermediate or a Root |CA|, for
|
||||
HTTPS.
|
||||
|
||||
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
||||
<create-certificates-locally-using-openssl>` for how to create a test
|
||||
Intermediate or Root |CA| certificate and key, and use it to sign test
|
||||
server certificates.
|
||||
|
||||
Put the |PEM| encoded versions of the server certificate and key in a single
|
||||
file, and copy the file to the controller host.
|
||||
|
||||
.. note::
|
||||
|
||||
If you plan to use the container-based remote CLIs, due to a limitation in
|
||||
the Python2 SSL certificate validation, the certificate used for the |prod|
|
||||
REST API application endpoints and |prod| Web Administration Server ('ssl')
|
||||
certificate must either have:
|
||||
|
||||
#. CN=IPADDRESS and SANs=IPADDRESS
|
||||
|
||||
or
|
||||
|
||||
#. CN=FQDN and SANs=FQDN
|
||||
|
||||
where IPADDRESS and FQDN are for the OAM Floating IP Address.
|
||||
|
||||
|
||||
.. rubric:: |proc|
|
||||
|
||||
- Install/update the copied certificate.
|
||||
|
||||
For example:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
~(keystone_admin)]$ system certificate-install -m ssl <pathTocertificateAndKey>
|
||||
|
||||
where:
|
||||
|
||||
**<pathTocertificateAndKey>**
|
||||
|
||||
is the path to the file containing both the intermediate or Root
|
||||
|CA|-signed server certificate and private key to install.
|
||||
|
||||
.. warning::
|
||||
|
||||
The REST and Web Server certificate are not automatically renewed, user
|
||||
MUST renew the certificate prior to expiry, otherwise a variety of system
|
||||
operations will fail.
|
||||
|
||||
.. note::
|
||||
|
||||
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
|
||||
requires a minimum of 2048-bit keys for RSA for better security / encryption
|
||||
strength.
|
||||
|
||||
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||
and looking for the "Public-Key" in the output. For more information see
|
||||
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||
|
||||
@@ -38,10 +38,6 @@ trusted |CA| list.
|
||||
<create-certificates-locally-using-openssl>` on how to generate server
|
||||
certificates from the Root |CA| certificate.
|
||||
|
||||
Pay attention to the notes about the certificate’s |SAN| on section
|
||||
:ref:`Install/Update the StarlingX Rest and Web Server Certificate
|
||||
<install-update-the-starlingx-rest-and-web-server-certificate>`.
|
||||
|
||||
Optionally, set the subject fields uniquely for systemController and each of
|
||||
the subclouds.
|
||||
|
||||
|
||||
@@ -44,6 +44,4 @@ hosts.
|
||||
|
||||
For more details, refer to:
|
||||
|
||||
- :ref:`enable-https-access-for-starlingx-rest-and-web-server-endpoints`
|
||||
|
||||
- :ref:`install-update-the-starlingx-rest-and-web-server-certificate`
|
||||
:ref:`enable-https-access-for-starlingx-rest-and-web-server-endpoints`
|
||||
|
||||
Reference in New Issue
Block a user