
Moved the "HTTPS must be enabled for..." prereq to the last item in the list.
Added blank line above Install the certificate.
Minor formatting updates.
Added one more prereq and procedure.
Updated domain name.
Updated <domain name> and minor formatting updates.

Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com>
Change-Id: Ia19529e01e268c57d9ac0b8be86aac449cfc9a8f
Install REST API and Horizon Certificate
For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints.
Obtain an Intermediate or Root CA-signed certificate and key from a trusted Intermediate or Root CA. The OpenStack certificate should be created with a wildcard SAN.
For example:

    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS:*.west2.us.example.com

To install an OpenStack certificate, the domain must first be added to the openstack service parameter as a prerequisite. For details, see Update the Domain Name <update-the-domain-name>.

    ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
    +-------------+--------------------------------------+
    | Property    | Value                                |
    +-------------+--------------------------------------+
    | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
    | service     | openstack                            |
    | section     | Helm                                 |
    | name        | endpoint_domain                      |
    | value       | west2.us.example.com                 |
    | personality | None                                 |
    | resource    | None                                 |
    +-------------+--------------------------------------+

    ~(keystone_admin)$ system service-parameter-apply openstack
    Applying openstack service parameters

HTTPS must be enabled for , see Configure REST API Applications and Web Administration Server Certificate <configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f>.
Put the PEM encoded versions of the OpenStack certificate and key in a single file (e.g. openstack-cert-key.pem), and put the certificate of the Root CA in a separate file (e.g. openstack-ca-cert.pem), then copy the files to the controller host.

Install the certificate as the OpenStack REST API / Horizon Certificate.
This will automatically update the required openstack Helm charts.

    ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
    ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
    ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem

Apply the Helm chart overrides containing the certificate changes.

    ~(keystone_admin)$ system application-apply -openstack

Ensure port 443 is open in the firewall. For details, see Modify Firewall Options <security-firewall-options>.
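
A check that can be run on the two files before system certificate-install, given here as an added example (not part of the original procedure or the project's own tooling): it confirms that the SAN covers hosts one label below endpoint_domain, that the key in the bundle matches the certificate, and that the certificate verifies against the CA file. It assumes OpenSSL 1.1.1 or later for the -ext option; the "probe" and "keystone" host labels and the sample SAN text are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-install checks for the certificate files on this page.
# The "probe"/"keystone" host labels and SAMPLE_SAN are constructed values.

# Print the DNS names, lower-cased, one per line, from the output of
# "openssl x509 -noout -ext subjectAltName".
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# Succeed if host ($2) is covered by the SAN text ($1): an exact match, or a
# wildcard whose "*" stands for exactly one leftmost label.
san_covers_host() {
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    names=$(san_dns_names "$1")
    while IFS= read -r name; do
        case $name in
            '*.'*) case $host in   # ${name#??} drops the leading "*."
                       [!.]*.*) [ "${host#*.}" = "${name#??}" ] && return 0 ;;
                   esac ;;
            ?*)    [ "$host" = "$name" ] && return 0 ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# Check the cert+key bundle ($1) and CA file ($2) against endpoint_domain ($3).
check_openstack_cert() {
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName) || return 1
    san_covers_host "$san" "probe.$3" ||
        { echo "SAN has no entry covering hosts under $3" >&2; return 1; }
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$1" -pubout)" ] ||
        { echo "private key does not match the certificate" >&2; return 1; }
    openssl verify -CAfile "$2" "$1" >/dev/null ||
        { echo "certificate does not verify against $2" >&2; return 1; }
}

# Constructed sample of openssl SAN output, for trying the matcher offline.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:*.west2.us.example.com, DNS:horizon.example.net'

# Args: openstack-cert-key.pem openstack-ca-cert.pem west2.us.example.com
if [ "$#" -eq 3 ]; then check_openstack_cert "$@" && echo "certificate checks passed"
elif san_covers_host "$SAMPLE_SAN" keystone.west2.us.example.com; then
    echo "sample SAN covers keystone.west2.us.example.com"
fi
```
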