Security settings

[ English | Indonesia | English (United Kingdom) | русский | Deutsch | 한국어 (대한민국) ]

Security settings

This chapter contains information to configure specific security settings for your OpenStack-Ansible cloud.

For understanding security design, please see Security.

[ English | Indonesia | English (United Kingdom) | русский | Deutsch | 한국어 (대한민국) ]

Securing services with SSL certificates

The OpenStack Security Guide recommends providing secure communication between various services in an OpenStack deployment. The OpenStack-Ansible project currently offers the ability to configure SSL certificates for secure communication between services:

All public endpoints reside behind haproxy, resulting in the only certificate management most environments need are those for haproxy.

When deploying with OpenStack-Ansible, you can either use self-signed certificates that are generated during the deployment process or provide SSL certificates, keys, and CA certificates from your own trusted certificate authority. Highly secured environments use trusted, user-provided certificates for as many services as possible.

Note

Perform all SSL certificate configuration in /etc/openstack_deploy/user_variables.yml file. Do not edit the playbooks or roles themselves.

Self-signed certificates

Self-signed certificates enable you to start quickly and encrypt data in transit. However, they do not provide a high level of trust for highly secure environments. By default, self-signed certificates are used in OpenStack-Ansible. When self-signed certificates are used, certificate verification is automatically disabled.

Setting subject data for self-signed certificates

Change the subject data of any self-signed certificate by using configuration variables. The configuration variable for each service is formatted as <servicename>_ssl_self_signed_subject. For example, to change the SSL certificate subject data for HAProxy, adjust the /etc/openstack_deploy/user_variables.yml file as follows:

haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN=haproxy.example.com"

For more information about the available fields in the certificate subject, see the OpenSSL documentation for the req subcommand.

Generating and regenerating self-signed certificates

Self-signed certificates are generated for each service during the first run of the playbook.

To generate a new self-signed certificate for a service, you must set the <servicename>_ssl_self_signed_regen variable to true in one of the following ways:

  • To force a self-signed certificate to regenerate, you can pass the variable to openstack-ansible on the command line:

    # openstack-ansible -e "horizon_ssl_self_signed_regen=true" os-horizon-install.yml
    
  • To force a self-signed certificate to regenerate with every playbook run, set the appropriate regeneration option to true. For example, if you have already run the haproxy playbook, but you want to regenerate the self-signed certificate, set the haproxy_ssl_self_signed_regen variable to true in the /etc/openstack_deploy/user_variables.yml file:

    haproxy_ssl_self_signed_regen: true
    

Note

Regenerating self-signed certificates replaces the existing certificates whether they are self-signed or user-provided.

User-provided certificates

For added trust in highly secure environments, you can provide your own SSL certificates, keys, and CA certificates. Acquiring certificates from a trusted certificate authority is outside the scope of this document, but the Certificate Management section of the Linux Documentation Project explains how to create your own certificate authority and sign certificates.

Use the following process to deploy user-provided SSL certificates in OpenStack-Ansible:

  1. Copy your SSL certificate, key, and CA certificate files to the deployment host.

  2. Specify the path to your SSL certificate, key, and CA certificate in the /etc/openstack_deploy/user_variables.yml file.

  3. Run the playbook for that service.

HAProxy example

The variables to set which provide the path on the deployment node to the certificates for HAProxy configuration are:

haproxy_user_ssl_cert: /etc/openstack_deploy/ssl/example.com.crt
haproxy_user_ssl_key: /etc/openstack_deploy/ssl/example.com.key
haproxy_user_ssl_ca_cert: /etc/openstack_deploy/ssl/ExampleCA.crt

RabbitMQ example

To deploy user-provided certificates for RabbitMQ, copy the certificates to the deployment host, edit the /etc/openstack_deploy/user_variables.yml file and set the following three variables:

rabbitmq_user_ssl_cert:    /etc/openstack_deploy/ssl/example.com.crt
rabbitmq_user_ssl_key:     /etc/openstack_deploy/ssl/example.com.key
rabbitmq_user_ssl_ca_cert: /etc/openstack_deploy/ssl/ExampleCA.crt

Then, run the playbook to apply the certificates:

# openstack-ansible rabbitmq-install.yml

The playbook deploys your user-provided SSL certificate, key, and CA certificate to each RabbitMQ container.

The process is identical for the other services. Replace rabbitmq in the preceding configuration variables with horizon, haproxy, or keystone, and then run the playbook for that service to deploy user-provided certificates to those services.

[ English | Indonesia | English (United Kingdom) | русский | Deutsch | 한국어 (대한민국) ]

Apply ansible-hardening

The ansible-hardening role is applicable to physical hosts within an OpenStack-Ansible deployment that are operating as any type of node, infrastructure or compute. By default, the role is enabled. You can disable it by changing the value of the apply_security_hardening variable in the user_variables.yml file to false:

apply_security_hardening: false

You can apply security hardening configurations to an existing environment or audit an environment by using a playbook supplied with OpenStack-Ansible:

# Apply security hardening configurations
  openstack-ansible security-hardening.yml

# Perform a quick audit by using Ansible's check mode
  openstack-ansible --check security-hardening.yml

For more information about the security configurations, see the security hardening role documentation.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.