Chapter 5. TLS Encryption Configuration
Red Hat Gluster Storage Web Administration supports a Transport Layer Security (TLS) based security model. This model is used for the following purposes:
- Authentication and encryption of etcd communication between the storage nodes and the Web Administration server
- HTTPS encryption between the Web Administration server and the web browser
5.1. General Prerequisites
You need a Certificate Authority (CA) to generate and sign certificates. The CA can be either a private CA with a self-signed root certificate or a trusted public CA. For instructions about generating a CA certificate, see the Creating Your Own Certificates section of the Red Hat AMQ Security Guide.
The CA is used to sign the certificates of the storage nodes and of the Web Administration server for TLS-based client-server etcd authentication. A CA is also used to sign the certificate used for the https setup on the Web Administration server. The CA for the TLS etcd setup can be different from the CA for the https setup.
Neither Red Hat Gluster Storage Web Administration nor tendrl-ansible generates or deploys certificate files or keys; you create them and place them on each host yourself.
5.2. Enabling TLS for etcd
Red Hat Gluster Storage Web Administration supports etcd's TLS-based security model, which provides authentication and encryption of traffic between etcd and the Web Administration system components.
By default, etcd runs without authentication or encryption. Enabling TLS client authentication is recommended so that every client-server etcd connection is both authenticated and encrypted.
5.2.1. Prerequisites for TLS Encryption
Before setting up the TLS encryption, ensure that the general prerequisites are met. See Section 5.1, “General Prerequisites”.
- Generate a private key and a client certificate for each storage node and for the Web Administration server. For more information, see the Creating and Managing Encryption Keys section of the Red Hat Enterprise Linux Security Guide. On each Web Administration managed storage node and on the Web Administration server, place the PEM-encoded private key and the client and CA certificates in a secure location that is accessible only by the root user of that host.
- Configuration of TLS encryption for etcd is automated using tendrl-ansible. Hence, you need to have tendrl-ansible installed and the inventory file created. See Chapter 3, Installing Web Administration.
Configuration of TLS encryption for etcd is performed either during the installation of Web Administration (when tendrl-ansible is run for the first time) or later by rerunning tendrl-ansible.
5.2.2. Configuring TLS Encryption for etcd
After generating and placing the TLS certificate files in the preferred directory, update the Ansible variables in the inventory file with the respective file paths of the certificate files.
Add and modify the following etcd TLS variables in the [all:vars] section of the inventory file.
Variable | Description |
---|---|
etcd_tls_client_auth | Enables (True) or disables (False) TLS client authentication for etcd. |
etcd_cert_file | Certificate used for SSL/TLS connections to etcd. |
etcd_key_file | Private key for the certificate; it must be unencrypted (not passphrase protected). |
etcd_trusted_ca_file | Trusted Certificate Authority certificate. |
- Open the inventory file.
- Set the value of the etcd_tls_client_auth variable to True. By default, the value of this variable is False.
- Edit the file path for the etcd_cert_file variable as required. The default value is /etc/pki/tls/certs/etcd.crt.
- Edit the file path for the etcd_key_file variable as required. The default value is /etc/pki/tls/private/etcd.key.
- Edit the file path for the etcd_trusted_ca_file variable as required. The default value is /etc/pki/tls/certs/ca-etcd.crt.
- Continue the Web Administration installation process by following the Web Administration Installation chapter.
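The following shell script is an added example and is not part of Web Administration or tendrl-ansible. It reads the four etcd TLS variables from the [all:vars] section of an inventory file (falling back to the documented defaults), and checks on the local host that the referenced files exist, that the key is not passphrase protected, that the key is readable only by its owner, that the certificate verifies against the trusted CA, and that the key belongs to the certificate. The embedded inventory snippet is constructed for illustration; the script name, function names and the GNU stat and openssl tools it relies on are assumptions.

```shell
#!/bin/sh
# etcd-tls-preflight.sh: added example, not shipped with Web Administration
# or tendrl-ansible. Run it on every storage node and on the Web
# Administration server before (re)running tendrl-ansible:
#   sh etcd-tls-preflight.sh /path/to/inventory
#
# Constructed sample of the inventory section it reads:
#   [all:vars]
#   etcd_tls_client_auth=True
#   etcd_cert_file=/etc/pki/tls/certs/etcd.crt
#   etcd_key_file=/etc/pki/tls/private/etcd.key
#   etcd_trusted_ca_file=/etc/pki/tls/certs/ca-etcd.crt
# Assumes GNU coreutils (stat -c) and openssl, as on Red Hat Enterprise Linux.

# Print the value of variable $2 from the [all:vars] section of inventory $1,
# or nothing if it is unset there. Both "key=value" and "key = value" work.
inventory_var() {
  awk -v key="$2" '
    /^\[/ { insec = ($0 == "[all:vars]"); next }
    insec && $0 ~ ("^" key "[ \t]*=") {
      sub("^[^=]*=[ \t]*", ""); sub("[ \t]+$", ""); print; exit
    }' "$1"
}

# etcd loads the key unattended, so it must not be passphrase protected
# ("ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header).
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1"
}

# The key must be readable only by its owner (mode 0600 or 0400).
mode_is_private() {
  case "$(stat -c %a "$1" 2>/dev/null)" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# The certificate must chain to the trusted CA that tendrl-ansible configures.
cert_signed_by() {  # $1 = certificate, $2 = CA certificate
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The public key inside the certificate must equal the one derived from the key.
key_matches_cert() {  # $1 = certificate, $2 = private key
  certpub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  keypub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Check one inventory file against the local host; returns 0 only if all pass.
preflight() {
  inv=$1; rc=0
  case "$(inventory_var "$inv" etcd_tls_client_auth)" in
    True|true|yes) ;;
    *) echo "etcd_tls_client_auth is not True: etcd would run unauthenticated and unencrypted"
       return 1 ;;
  esac
  # Defaults are the documented ones for the three path variables.
  cert=$(inventory_var "$inv" etcd_cert_file);     cert=${cert:-/etc/pki/tls/certs/etcd.crt}
  key=$(inventory_var "$inv" etcd_key_file);       key=${key:-/etc/pki/tls/private/etcd.key}
  ca=$(inventory_var "$inv" etcd_trusted_ca_file); ca=${ca:-/etc/pki/tls/certs/ca-etcd.crt}
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
  done
  [ $rc -eq 0 ] || return 1
  key_is_unencrypted "$key"       || { echo "$key is passphrase protected; etcd cannot load it"; rc=1; }
  mode_is_private "$key"          || { echo "$key has mode $(stat -c %a "$key"), expected 0600 or 0400"; rc=1; }
  cert_signed_by "$cert" "$ca"    || { echo "$cert does not verify against $ca"; rc=1; }
  key_matches_cert "$cert" "$key" || { echo "$key does not match $cert"; rc=1; }
  [ $rc -eq 0 ] && echo "OK: $cert, $key, $ca"
  return $rc
}

if [ $# -eq 1 ]; then
  preflight "$1"
fi
```

The inventory is shared by all hosts, so the same paths must hold on every node; running the check everywhere before tendrl-ansible avoids a half-configured cluster in which some etcd peers present certificates and others do not.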
5.3. Enabling HTTPS for Web Administration Components
This section describes how to set up SSL (HTTPS) access for the Web Administration UI, the REST API, and the Grafana based dashboard.
Overview of Enabling HTTPS
- The Web Administration UI, API and Grafana dashboard, which are served by the Apache httpd server, are secured with SSL by reconfiguring Apache.
- Access to the unencrypted http port is redirected to the encrypted https port.
- Web Administration ships sample Apache configuration files to simplify the SSL setup.
5.3.1. Prerequisites for Enabling HTTPS
- The mod_ssl package must be installed and the default configuration in /etc/httpd/conf.d/ssl.conf must be left unmodified.
- The SSL key and certificate files need to be deployed on the Web Administration server. See Section 5.1, “General Prerequisites”.
Enabling HTTPS for Web Administration components must be done after the Web Administration installation.
5.3.2. Limitations
- Access to the Grafana dashboard is not authenticated: anyone who can reach the Web Administration login page can read all panels in the dashboard without a password, and can thereby learn the cluster structure, current workload, and historic trends. This is because Web Administration uses anonymous access to the Grafana dashboard; enabling HTTPS encrypts that traffic but does not add authentication to it.
- The Web Administration server also listens on a few ports that are not secured but are needed for internal communication, for example the port on which it receives metrics data from the storage nodes.
- Nothing else is secured or restricted compared to the default setup without HTTPS.
5.3.3. Configuring HTTPS for Web Administration Components
On the machine where the Web Administration server is installed, perform the following steps.
- Create a new 00_tendrl-ssl.conf file from the sample configuration file:
  # cp /etc/httpd/conf.d/00_tendrl-ssl.conf.sample /etc/httpd/conf.d/00_tendrl-ssl.conf
- Make the following changes to the /etc/httpd/conf.d/00_tendrl-ssl.conf file:
  - Set ServerName to the fully qualified domain name (fqdn) of the Web Administration server.
  - Edit the file path for the SSLCertificateFile directive if you want to use your own certificate instead of the default self-signed /etc/pki/tls/certs/localhost.crt generated by the mod_ssl package.
  - Edit the file path for the SSLCertificateKeyFile directive if you changed the certificate file in the previous step. The default value is /etc/pki/tls/private/localhost.key.
- Make the following changes to the /etc/httpd/conf.d/tendrl.conf file:
  - Uncomment the line which has the Redirect rule and replace %ssl_virtualhost_fqdn% with the fully qualified domain name of the Web Administration server.
  - Comment out the lines (put a # at the beginning of each line) that have the DocumentRoot, ProxyPass, and ProxyPassReverse directives.
- Check that the configuration is valid:
  # apachectl -t
- Reload the httpd daemon:
  # systemctl reload httpd.service
- Ensure that the https port is open:
  # firewall-cmd --add-service=https
  # firewall-cmd --add-service=https --permanent
- Reload the web browser if you have the Web Administration UI or Grafana dashboard open.
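The following shell script is an added example and not one of the product's sample files. It performs the edits above with sed so that they can be repeated on a rebuilt server, validates and reloads httpd, opens the firewall port, and then checks from the client side that plain http answers with a redirect to https and that the https endpoint presents a certificate that verifies against a CA file. The script name, its arguments and the function names are assumptions; the exact contents of 00_tendrl-ssl.conf.sample and tendrl.conf are not reproduced here, so the sed patterns match on the directive names only.

```shell
#!/bin/sh
# tendrl-enable-https.sh: added example, not one of the product's sample files.
# Run as root on the Web Administration server:
#   sh tendrl-enable-https.sh web.example.com [/path/to/ca.crt]
# The CA file is used only by the final check; it defaults to the self-signed
# mod_ssl certificate, which verifies against itself.

CONF_DIR=/etc/httpd/conf.d

# Apply a sed -E program to a file in place while keeping the file's owner
# and mode (portable alternative to GNU "sed -i").
sed_in_place() {  # $1 = file, $2 = sed program
  file=$1; shift
  tmp=$(mktemp) || return 1
  sed -E "$@" "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# 00_tendrl-ssl.conf: set ServerName to the FQDN (uncommenting it if needed).
set_server_name() {  # $1 = file, $2 = FQDN
  sed_in_place "$1" "s/^([[:space:]]*)#?[[:space:]]*ServerName[[:space:]].*/\1ServerName $2/"
}

# tendrl.conf: uncomment the Redirect rule and fill in the FQDN placeholder.
enable_redirect() {  # $1 = file, $2 = FQDN
  sed_in_place "$1" "/^[[:space:]]*#[[:space:]]*Redirect/{ s/^[[:space:]]*#[[:space:]]*//; s/%ssl_virtualhost_fqdn%/$2/g; }"
}

# tendrl.conf: comment out DocumentRoot, ProxyPass and ProxyPassReverse so the
# plain-http virtual host only redirects and no longer serves the application.
# Lines that already start with # are left alone, so the edit is repeatable.
comment_plain_http_directives() {  # $1 = file
  sed_in_place "$1" 's/^([[:space:]]*)((DocumentRoot|ProxyPass|ProxyPassReverse)[[:space:]])/\1#\2/'
}

apply() {  # $1 = FQDN
  [ -e "$CONF_DIR/00_tendrl-ssl.conf" ] ||
    cp "$CONF_DIR/00_tendrl-ssl.conf.sample" "$CONF_DIR/00_tendrl-ssl.conf" || return 1
  set_server_name "$CONF_DIR/00_tendrl-ssl.conf" "$1" || return 1
  enable_redirect "$CONF_DIR/tendrl.conf" "$1" || return 1
  comment_plain_http_directives "$CONF_DIR/tendrl.conf" || return 1
  apachectl -t || return 1                 # never reload a broken configuration
  systemctl reload httpd.service || return 1
  firewall-cmd --add-service=https
  firewall-cmd --add-service=https --permanent
}

# Plain http must answer with a redirect to https://FQDN/, and the https
# endpoint must present a certificate that verifies against the CA file.
verify() {  # $1 = FQDN, $2 = CA file
  out=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1/") || return 1
  case "$out" in
    30[1278]" https://$1/"*) ;;
    *) echo "http://$1/ did not redirect to https: $out"; return 1 ;;
  esac
  curl -sS --cacert "$2" -o /dev/null "https://$1/"
}

if [ $# -ge 1 ]; then
  apply "$1" && verify "$1" "${2:-/etc/pki/tls/certs/localhost.crt}"
fi
```

With the default self-signed localhost.crt, browsers will warn because no trusted CA signed it; for production, point SSLCertificateFile and SSLCertificateKeyFile at a certificate issued by the CA from Section 5.1 and pass that CA's certificate as the second argument so the final check verifies the real chain. The Grafana limitation described in Section 5.3.2 is unaffected by this script.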