Enable TLS for client-server communications

Enable TLS for client-server communications

This section explains how to encrypt the communication paths between the OpenStack services and the message queue service (RabbitMQ) as well as the MySQL database.

Note

The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.

To enable TLS for client-server communications:

  1. For each of the OpenStack services, enable the TLS protocol usage for messaging and database communications by changing the cluster model as shown in the examples below:

    • For a controller node:

      • The database server configuration example:

        classes:
        - system.salt.minion.cert.mysql.server
        - service.galera.ssl
        
        parameters:
          barbican:
            server:
              database:
                ssl:
                  enabled: True
          heat:
            server:
              database:
                ssl:
                  enabled: True
          designate:
            server:
              database:
                ssl:
                  enabled: True
          glance:
            server:
              database:
                ssl:
                  enabled: True
          neutron:
            server:
              database:
                ssl:
                  enabled: True
          nova:
            controller:
              database:
                ssl:
                  enabled: True
          cinder:
            controller:
              database:
                ssl:
                  enabled: True
            volume:
              database:
                ssl:
                  enabled: True
          keystone:
            server:
              database:
                ssl:
                  enabled: True
        
      • The messaging server configuration example:

        classes:
        - service.rabbitmq.server.ssl
        - system.salt.minion.cert.rabbitmq_server
        
        parameters:
        
          designate:
            server:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
        
          barbican:
            server:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
        
          heat:
            server:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
        
          glance:
            server:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
        
          neutron:
            server:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
          nova:
            controller:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
        
        
          cinder:
            controller:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
            volume:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
        
          keystone:
            server:
              message_queue:
                port: 5671
                ssl:
                  enabled: True
        
    • For a compute node, the messaging server configuration example:

      parameters:
        neutron:
          compute:
            message_queue:
              port: 5671
              ssl:
                enabled: True
        nova:
          compute:
            message_queue:
              port: 5671
              ssl:
                enabled: True
      
    • For a gateway node, the messaging configuration example:

      parameters:
        neutron:
          gateway:
            message_queue:
              port: 5671
              ssl:
                enabled: True
      
  2. Refresh the pillar data to synchronize the model update at all nodes:

    salt '*' saltutil.refresh_pillar
    salt '*' saltutil.sync_all
    
  3. Proceed to Install OpenStack services.