
SSL configuration for API, neutron server and openstack keystone in Contrail

Ignatious Johnson edited this page Jan 18, 2017 · 35 revisions


This page covers provisioning keystone, api-server and neutron-server with SSL. Keystone is configured with native SSL, while api-server and neutron-server are fronted by HAProxy, which terminates SSL for them.

Section1: Create SSL Certificates

1. Create ssl directories and assign ownership

    # In Keystone Node,
    mkdir -p /etc/keystone/ssl; chown keystone:keystone /etc/keystone/ssl

    # In neutron-server Node,
    mkdir -p /etc/neutron/ssl; chown neutron:neutron /etc/neutron/ssl

    # In api-server Node,
    mkdir -p /etc/contrail/ssl; chown contrail:contrail /etc/contrail/ssl

2. Download the script to create self-signed certs

Download the script from github if provisioning a Contrail release less than ; otherwise the script is already available at /opt/contrail/bin/ once the contrail-setup package is installed.


3. Create self-signed SSL certs for Keystone, neutron-server and api-server

    # In Keystone Node, <KeystoneNodeIP|VIP> /etc/keystone/ssl/ keystone

    # In neutron-server Node, <NeutronNodeIP|VIP> /etc/neutron/ssl/ neutron

    # In api-server Node, <ConfigNodeIP|VIP> /etc/contrail/ssl/ apiserver

4. Create certificate bundles

The certificate bundles are used by HAProxy for SSL termination. Each bundle contains the private key, so it must stay readable only by its owner; note also that `>>` appends, so re-running a command below adds a second copy of the blocks to the bundle.

    # In neutron-server Node,
    cd /etc/neutron/ssl/; cat certs/neutron_ca.pem private/neutron.key certs/neutron.pem >> certs/neutroncertbundle.pem

    # In api-server Node,
    cd /etc/contrail/ssl/; cat certs/apiserver_ca.pem private/apiserver.key certs/apiserver.pem >> certs/apiservercertbundle.pem
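Before a `bind ... ssl crt` line is pointed at a bundle, it is worth confirming that the bundle is internally consistent and matches the CA the clients will be given. The shell function below is an added example, not part of this wiki or of Contrail; it assumes the bundle layout of step 4 (CA, private key, server certificate, in that order), the openssl CLI, and a DNS name or IPv4 address that clients will use to reach the HAProxy frontend.

```shell
# Added example (not from the Contrail wiki): sanity-check an HAProxy bundle
# built as in step 4 (CA, private key, server cert, in that order).
# Needs the openssl CLI, awk and mktemp; all paths are passed as arguments.
#
# usage: contrail_bundle_check BUNDLE CA HOST
#   BUNDLE  certs/<name>certbundle.pem
#   CA      certs/<name>_ca.pem, the file clients will be given as cafile
#   HOST    the DNS name or IPv4 address clients reach the frontend on
# Prints one line per check; returns 0 only if every check passes.
contrail_bundle_check() {
    bundle=$1; ca=$2; host=$3; rc=0
    leaf=$(mktemp); key=$(mktemp)
    # The server cert is the last CERTIFICATE block in the page's bundle order.
    awk '/-----BEGIN CERTIFICATE-----/{c=""; f=1} f{c=c $0 "\n"}
         /-----END CERTIFICATE-----/{f=0} END{printf "%s", c}' "$bundle" > "$leaf"
    awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$bundle" > "$key"

    # 1. The private key in the bundle must belong to the server cert.
    if [ "$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)" = \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "ok   private key matches certificate"
    else echo "FAIL private key does not match certificate"; rc=1; fi

    # 2. The cert must chain to the CA that neutron/api-server/nova will trust.
    if openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "ok   certificate verifies against $ca"
    else echo "FAIL certificate does not verify against $ca"; rc=1; fi

    # 3. The name clients connect with must be in the cert (see the NOTE on
    #    hostname vs IP further down); an IP only matches an iPAddress SAN.
    case $host in *[!0-9.]*) flag=-checkhost ;; *) flag=-checkip ;; esac
    if openssl x509 -in "$leaf" -noout "$flag" "$host" | grep -q 'does match'; then
        echo "ok   $host matches certificate"
    else echo "FAIL $host is not in the certificate"; rc=1; fi

    # 4. Not expired, and not expiring within the next 30 days.
    if openssl x509 -in "$leaf" -noout -checkend 2592000 >/dev/null; then
        echo "ok   certificate valid for 30+ days"
    else echo "FAIL certificate expired or expiring within 30 days"; rc=1; fi

    # 5. The bundle carries the private key, so it must not be world-readable.
    case $(ls -l "$bundle") in
        ???????r*) echo "FAIL $bundle is world-readable"; rc=1 ;;
        *)         echo "ok   $bundle is not world-readable" ;;
    esac

    rm -f "$leaf" "$key"
    return $rc
}
```

Run it as `contrail_bundle_check /etc/neutron/ssl/certs/neutroncertbundle.pem /etc/neutron/ssl/certs/neutron_ca.pem <NeutronNodeIP|VIP>` on the neutron-server node and likewise for the api-server bundle.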

Section2: Copy keystone Certs

The keystone certificate and CA need to be available on the neutron-server node and the api-server node, so that neutron-server and api-server can validate keystone's certificate when they talk to keystone over SSL.

1. Copy keystone certs to neutron-server node

    # From neutron-server node,
    scp <user>@<keystoneNodeIp>:/etc/keystone/ssl/certs/keystone.pem /etc/neutron/ssl/certs/
    scp <user>@<keystoneNodeIp>:/etc/keystone/ssl/certs/keystone_ca.pem /etc/neutron/ssl/certs/
    chown -R neutron:neutron /etc/neutron/ssl/certs/

2. Copy keystone certs to api-server node

    # From api-server node,
    scp <user>@<keystoneNodeIp>:/etc/keystone/ssl/certs/keystone.pem /etc/contrail/ssl/certs/
    scp <user>@<keystoneNodeIp>:/etc/keystone/ssl/certs/keystone_ca.pem /etc/contrail/ssl/certs/
    chown -R contrail:contrail /etc/contrail/ssl/certs/

Section3: Configuring neutron-server with SSL

Configure the HAProxy, neutron-server and neutron plugin config files with the SSL-related parameters.

1. Configure neutron-server frontend

Ensure the neutron-server section of the HAProxy config in /etc/haproxy.cfg looks like the following:

    frontend neutron-server
        bind *:9696 ssl crt /etc/neutron/ssl/certs/neutroncertbundle.pem
        default_backend    neutron-server-backend

    backend neutron-server-backend
        option nolinger
        option forwardfor
        balance     roundrobin
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        server <NeutronHostIp1> <NeutronHostIp1>:9697 check inter 2000 rise 2 fall 3
        server <NeutronHostIp2> <NeutronHostIp2>:9697 check inter 2000 rise 2 fall 3
        server <NeutronHostIp3> <NeutronHostIp3>:9697 check inter 2000 rise 2 fall 3

2. Configure neutron.conf

Add the keystone certificate information to the keystone_authtoken section of neutron.conf:

    openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_protocol https
    openstack-config --set /etc/neutron/neutron.conf keystone_authtoken certfile /etc/neutron/ssl/certs/keystone.pem
    openstack-config --set /etc/neutron/neutron.conf keystone_authtoken keyfile /etc/neutron/ssl/certs/keystone.pem
    openstack-config --set /etc/neutron/neutron.conf keystone_authtoken cafile /etc/neutron/ssl/certs/keystone_ca.pem

Section4: Configuring api-server with SSL

Add the keystone config to neutron.conf, for example:

    admin_tenant_name = service
    admin_user = neutron
    admin_password = neutronservicepassword
    auth_host = keystone.hostname.fqdn
    admin_token = openstack_identity_bootstrap_token
    auth_protocol = https

Create /etc/contrail/contrail-keystone-auth.conf, example:


Add to vnc_api_lib.ini:

    AUTHN_TYPE = keystone
    AUTHN_SERVER = keystone.hostname.fqdn
    AUTHN_PORT = 35357
    AUTHN_URL = /v2.0/tokens

NOTE: The keystone server is referenced by hostname, not IP. This matters because the keystone certs are generated for the hostname, so certificate validation by neutron-server and api-server only succeeds when they connect using that hostname.

Contrail API and Neutron server SSL termination in HAproxy

Ensure that the contrail-api sections look similar to this:

    frontend  contrail-api
        bind *:8082 ssl crt /etc/contrail/ssl/contrailbundle.pem
        default_backend    contrail-api-backend

    backend contrail-api-backend
        option nolinger
        option forwardfor
        balance     roundrobin
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        server <api host ip> <api host ip>:9100 check inter 2000 rise 2 fall 3

Ensure the neutron section looks like this:

    frontend neutron-server
        bind *:9696 ssl crt /etc/neutron/ssl/neutronbundle.pem
        default_backend    neutron-server-backend

    backend neutron-server-backend
        option nolinger
        option forwardfor
        balance     roundrobin
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        server <neutron host ip> <neutron host ip>:9697 check inter 2000 rise 2 fall 3

Update the neutron endpoint in keystone to use https. From the Keystone server:

    mysql -ukeystone -pkeystonemysqlpass keystone
    select * from service;

Take the neutron service id from the output, then:

    update endpoint set url='https://neutron.server.fqdn:9696' where service_id='<neutron service id>';

Add neutron_ca, the neutron cert and the nova CA to the OpenStack controller as /etc/nova/ssl/certs/sslsdn.pem, then add the following to nova.conf:

    neutron_url=https://<neutron server fqdn>:9696

On the contrail controller, change /etc/neutron/plugins/opencontrail/ContrailPlugin.ini to use port 9100 (internal traffic):

    api_server_port = 9100

Point local contrail services to port 9100 for contrail-api as well, so that node-local traffic uses the internal, non-SSL port rather than going through the HAProxy frontend.
