
Chapter 5. TLS Encryption Configuration

Red Hat Gluster Storage Web Administration supports a Transport Layer Security (TLS) based security model. This model is used for the following purposes:

  • Authentication and encryption of etcd communication between the storage nodes and the Web Administration server
  • HTTPS encryption between the Web Administration server and the web browser

5.1. General Prerequisites

You need a Certificate Authority (CA) to be able to generate and sign certificates. The CA can be either self-signed or a trusted CA. For instructions about generating a CA certificate, see the Creating Your Own Certificates section of the Red Hat AMQ Security Guide.

The CA is used to sign the certificates for the storage nodes and the Web Administration server for TLS-based client-server etcd authentication. The CA is also used to sign the certificate used for the HTTPS setup on the Web Administration server. However, the CA for the TLS etcd setup can be different from the CA for the HTTPS setup.

Neither Red Hat Gluster Storage Web Administration nor tendrl-ansible generates or deploys certificate files or keys.

5.2. Enabling TLS for etcd

Red Hat Gluster Storage Web Administration supports etcd’s TLS-based security model. This model supports authentication and encryption of traffic between etcd and Web Administration system components.

By default, etcd runs without authentication or encryption, but it is recommended that you enable TLS authentication for client-server encryption.

5.2.1. Prerequisites for TLS Encryption

Before setting up the TLS encryption, ensure that the general prerequisites are met. See Section 5.1, “General Prerequisites”.

  • Generate a private key and a client certificate for each storage node and for the Web Administration server. For more information, see the Creating and Managing Encryption Keys section of the Red Hat Enterprise Linux Security Guide. On each Web Administration managed storage node, and on the Web Administration server, place the PEM-encoded private key and the client/CA certificates in a secure location that is accessible only by the root user.
  • Configuration of TLS encryption for etcd is automated using tendrl-ansible. Hence, you need to have tendrl-ansible installed and the inventory file created. See Chapter 3, Installing Web Administration.
Note

Configuration of TLS encryption for etcd is performed either during the installation of Web Administration (when tendrl-ansible is run for the first time) or later by rerunning tendrl-ansible.

5.2.2. Configuring TLS Encryption for etcd

After generating and placing the TLS certificate files in the preferred directory, update the value of the Ansible variables in the inventory file with the respective file paths of the certificate files.

Add or modify the following etcd TLS variables in the [all:vars] section of the inventory file:

  Variable               Description
  etcd_tls_client_auth   Enables or disables TLS authentication.
  etcd_cert_file         Certificate used for SSL/TLS connections to etcd. When this option is turned on, advertise-client-urls can use the HTTPS schema.
  etcd_key_file          Private key for the certificate. The key file must be unencrypted.
  etcd_trusted_ca_file   Trusted Certificate Authority certificate.

  1. Open the inventory file.
  2. Set the value of the etcd_tls_client_auth variable to True. By default, the value of this variable is False.
  3. Edit the file path for the etcd_cert_file variable as required. The default value is /etc/pki/tls/certs/etcd.crt.
  4. Edit the file path for the etcd_key_file variable as required. The default value is /etc/pki/tls/private/etcd.key.
  5. Edit the file path for the etcd_trusted_ca_file variable as required. The default value is /etc/pki/tls/certs/ca-etcd.crt.
  6. Continue the Web Administration installation process by following the Web Administration Installation chapter.
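The following pre-flight script is an added example, not part of this documentation or of tendrl-ansible: before tendrl-ansible is run, it checks the three files that the variables above point to (present and PEM-encoded, key unencrypted and readable only by its owner, certificate verifying against the CA). The default paths are the ones given in the steps; the upper-case environment variables used to override them are this script's own convention, and the openssl chain check is skipped when openssl is not installed.

```shell
#!/bin/sh
# Added pre-flight check (not from the Red Hat documentation or tendrl-ansible):
# validates the files named by etcd_cert_file, etcd_key_file and
# etcd_trusted_ca_file before tendrl-ansible is run. Defaults are the documented
# paths; the upper-case environment overrides are this script's own convention.
ETCD_CERT_FILE="${ETCD_CERT_FILE:-/etc/pki/tls/certs/etcd.crt}"
ETCD_KEY_FILE="${ETCD_KEY_FILE:-/etc/pki/tls/private/etcd.key}"
ETCD_TRUSTED_CA_FILE="${ETCD_TRUSTED_CA_FILE:-/etc/pki/tls/certs/ca-etcd.crt}"
# check_cert_file FILE: 0 if FILE is a readable PEM certificate.
check_cert_file() {
    [ -r "$1" ] || { echo "FAIL: $1 is missing or unreadable"; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$1" || { echo "FAIL: $1 is not a PEM certificate"; return 1; }
}
# check_key_file FILE: 0 if FILE is a PEM private key that is unencrypted
# (etcd cannot prompt for a passphrase) and readable by its owner only.
check_key_file() {
    [ -r "$1" ] || { echo "FAIL: $1 is missing or unreadable"; return 1; }
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "FAIL: $1 is passphrase-protected; etcd_key_file must be unencrypted"; return 1
    fi
    grep -q 'PRIVATE KEY-----' "$1" || { echo "FAIL: $1 is not a PEM private key"; return 1; }
    # The octal mode must end in 00: no group or other permission bits (e.g. 0600).
    case "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")" in
        ?00) ;;
        *) echo "FAIL: $1 is accessible to users other than its owner; use chmod 600"; return 1 ;;
    esac
}
# verify_chain CERT CA: 0 if CERT verifies against CA (skipped when openssl is absent).
verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "SKIP: openssl not installed, chain not verified"; return 0; }
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "FAIL: $1 is not signed by $2"; return 1; }
}
# check_etcd_tls CERT KEY CA: runs every check; the return value is the number of failures.
check_etcd_tls() {
    fails=0
    check_cert_file "$1" || fails=$((fails + 1))
    check_key_file "$2" || fails=$((fails + 1))
    check_cert_file "$3" || fails=$((fails + 1))
    if [ "$fails" -eq 0 ]; then
        verify_chain "$1" "$3" || fails=$((fails + 1))
    fi
    return "$fails"
}
if check_etcd_tls "$ETCD_CERT_FILE" "$ETCD_KEY_FILE" "$ETCD_TRUSTED_CA_FILE"; then
    echo "OK: etcd TLS files are ready; set etcd_tls_client_auth to True in [all:vars]"
else
    echo "FAIL: fix the problems above before running tendrl-ansible"
fi
```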

5.3. Enabling HTTPS for Web Administration Components

This section describes how to set up SSL access for the Web Administration UI, the REST API, and the Grafana-based dashboard.

Overview of Enabling HTTPS

  • The Web Administration UI, API and Grafana dashboard, which are served by the Apache httpd server, are secured with SSL by reconfiguring Apache.
  • Access to the unencrypted HTTP port is redirected to the encrypted HTTPS port.
  • Web Administration ships sample Apache configuration files to simplify the SSL setup.

5.3.1. Prerequisites for Enabling HTTPS

  • The mod_ssl package must be installed, and the default configuration in /etc/httpd/conf.d/ssl.conf must be left unmodified.
  • The SSL key and certificate files must be deployed on the Web Administration server. See Section 5.1, “General Prerequisites”.
Note

Enabling HTTPS for Web Administration components must be done after the Web Administration installation.

5.3.2. Limitations

  • Access to the Grafana dashboard is not authenticated: anyone who can reach the Web Administration login page can read all panels in the dashboard without a password, and can thereby learn about the cluster structure, current workload, and historical trends. This is because Web Administration uses anonymous access to the Grafana dashboard.
  • The Web Administration server listens on a few ports that are not secured but are needed for internal communication. For example, the Web Administration server receives metrics data from the storage machines.
  • Nothing else is secured or restricted compared to the default setup without HTTPS enabled.

5.3.3. Configuring HTTPS for Web Administration Components

On a machine where Web Administration server is installed, perform the following steps.

  1. Create a new 00_tendrl-ssl.conf file using the sample configuration file:

    # cp /etc/httpd/conf.d/00_tendrl-ssl.conf.sample /etc/httpd/conf.d/00_tendrl-ssl.conf
  2. Make the following changes to the /etc/httpd/conf.d/00_tendrl-ssl.conf file:

    • Set ServerName to the fully qualified domain name (FQDN) of the Web Administration server.
    • Edit the file path in the SSLCertificateFile directive if you want to use your own certificate instead of the default self-signed /etc/pki/tls/certs/localhost.crt generated by the mod_ssl package.
    • Edit the file path in the SSLCertificateKeyFile directive if you changed the certificate file in the previous step. The default value is /etc/pki/tls/private/localhost.key.
  3. Make the following changes to the /etc/httpd/conf.d/tendrl.conf file:

    • Uncomment the line that has the Redirect rule and replace %ssl_virtualhost_fqdn% with the fully qualified domain name of the Web Administration server.
    • Comment out the lines (put a # at the beginning of each line) that have the DocumentRoot, ProxyPass, and ProxyPassReverse directives.
  4. Check that the configuration is valid:

    # apachectl -t
  5. Reload the httpd daemon:

    # systemctl reload httpd.service
  6. Ensure that the HTTPS port is open in the firewall:

    # firewall-cmd --add-service=https
    # firewall-cmd --add-service=https --permanent
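As an added helper that is not part of this documentation or of the tendrl project, the following shell script performs steps 1 to 6 above with sed so that the edits are repeatable and reviewable. It assumes that the directives start their lines in the sample files and that the commented Redirect line in tendrl.conf is the one containing %ssl_virtualhost_fqdn%; the FQDN and the optional certificate and key paths are passed as arguments.

```shell
#!/bin/sh
# Added helper (not from the Red Hat documentation or the tendrl project): applies
# the edits of steps 1 to 6 above with sed. It assumes the directives start their
# lines and that the commented Redirect line in tendrl.conf is the one containing
# %ssl_virtualhost_fqdn%; the result is still validated with apachectl -t (step 4).

# ssl_conf_edit FQDN [CERT KEY]: stdin -> stdout. Sets ServerName and, only when
# CERT/KEY are given, the SSLCertificateFile / SSLCertificateKeyFile paths (step 2).
ssl_conf_edit() {
    script="s|^\([[:space:]]*ServerName\)[[:space:]].*|\1 $1|"
    [ -n "$2" ] && script="$script;s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $2|"
    [ -n "$3" ] && script="$script;s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $3|"
    sed -e "$script"
}

# tendrl_conf_edit FQDN: stdin -> stdout. Uncomments the Redirect line, fills in
# the FQDN, and comments out DocumentRoot, ProxyPass and ProxyPassReverse (step 3).
tendrl_conf_edit() {
    sed -e "/Redirect.*%ssl_virtualhost_fqdn%/{s|^[[:space:]]*#[[:space:]]*||;s|%ssl_virtualhost_fqdn%|$1|g;}" \
        -e 's|^[[:space:]]*DocumentRoot[[:space:]]|# &|' \
        -e 's|^[[:space:]]*ProxyPass[[:space:]]|# &|' \
        -e 's|^[[:space:]]*ProxyPassReverse[[:space:]]|# &|'
}

# apply_https_config FQDN [CERT KEY]: run as root on the Web Administration server.
apply_https_config() {
    d=/etc/httpd/conf.d
    ssl_conf_edit "$1" "$2" "$3" < "$d/00_tendrl-ssl.conf.sample" > "$d/00_tendrl-ssl.conf"
    # Keep the pre-HTTPS tendrl.conf so the change can be rolled back.
    [ -e "$d/tendrl.conf.pre-https" ] || cp -p "$d/tendrl.conf" "$d/tendrl.conf.pre-https"
    tendrl_conf_edit "$1" < "$d/tendrl.conf.pre-https" > "$d/tendrl.conf"
    apachectl -t || { echo "httpd configuration invalid; restore $d/tendrl.conf.pre-https"; return 1; }
    systemctl reload httpd.service
    firewall-cmd --add-service=https && firewall-cmd --add-service=https --permanent
}

# Usage: sh enable-https.sh webadmin.example.com [/path/to/cert.crt /path/to/key.key]
if [ -n "$1" ]; then apply_https_config "$1" "$2" "$3"; fi
```

Review the resulting files before reloading if your sample configuration files differ from the layout assumed here.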
Note

Reload the web browser if it is open at the Web Administration UI or the Grafana dashboard.