Difference between revisions of "Network/LBaaS/docs/how-to-create-tls-loadbalancer"
Revision as of 22:34, 16 March 2015

How To Create A TLS Enabled Load Balancer

The following article will walk through the steps required to set up a load balancer to serve TLS terminated traffic. This article is geared towards the current state of the project and will evolve along with the project itself.

Some of the items to be discussed are:

  • Barbican devstack setup
  • Certificate and key generation
  • Barbican secret and container operations
  • Required patchsets for neutron-lbaas
  • Verifying the setup

Neutron-LBaaS uses Barbican as its key store, which requires some setting up. Let's get started.

Firstly, this article assumes that the reader is familiar with Git, OpenStack, Devstack and the other related tools and technologies needed to get this going. It will not cover setting up Devstack, OpenStack, Git or anything else in that regard.

With that said, if you don't have Devstack set up already, use this script to get started with Devstack and Barbican: https://gist.github.com/rm-you/6feacb91182f5c011018. Alternatively, copy the two needed files and add 'barbican' to the enabled services in your localrc/local.conf, as described here: https://wiki.openstack.org/wiki/BarbicanDevStack

TL;DR

<pre><nowiki>
$ git clone https://github.com/openstack/barbican.git
$ cp barbican/contrib/devstack/lib/barbican <devstack_dir>/lib/
$ cp barbican/contrib/devstack/extras.d/70-barbican.sh <devstack_dir>/extras.d/
</nowiki></pre>

Then add 'barbican' to the end of 'enabled_services' in your localrc and run stack.sh:

<pre><nowiki>
$ ./<devstack_dir>/stack.sh
</nowiki></pre>

Now that Barbican is set up for Devstack, let's create a certificate chain.

  • The following may be a little more verbose than what's actually needed; please feel free to create/retrieve the cert, key and intermediates as you see fit.
<pre><nowiki>
# Root CA: a passphrase-protected (-des3) key and a self-signed certificate.
# 1024-bit RSA is used here only for a throwaway devstack chain; it is below today's minimum.
$ openssl genrsa -des3 -out ca.key 1024
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
$ openssl x509 -in ca.crt -out ca.pem

# Intermediate CA: generate an encrypted key, strip the passphrase, then sign the CSR with the root.
$ openssl genrsa -des3 -out ca-int_encrypted.key 1024
$ openssl rsa -in ca-int_encrypted.key -out ca-int.key
$ openssl req -new -key ca-int.key -out ca-int.csr -subj "/CN=ca-int@acme.com"
$ openssl x509 -req -days 3650 -in ca-int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ca-int.crt

# Server certificate: same pattern, signed by the intermediate.
$ openssl genrsa -des3 -out server_encrypted.key 1024
$ openssl rsa -in server_encrypted.key -out server.key
$ openssl req -new -key server.key -out server.csr -subj "/CN=server@acme.com"
$ openssl x509 -req -days 3650 -in server.csr -CA ca-int.crt -CAkey ca-int.key -set_serial 01 -out server.crt
</nowiki></pre>

Now that we have the required parts for TLS, let's build the Barbican secrets and put them in a container:

<pre><nowiki>
$ barbican secret store --payload-content-type='application/octet-stream' --payload-content-encoding='base64' --name='certificate' --payload="$(cat serverb64.crt)"
$ barbican secret store --payload-content-type='application/octet-stream' --payload-content-encoding='base64' --name='private_key' --payload="$(cat serverb64.key)"
$ barbican container create --name='tls_container' --type='certificate' --secret="certificate=$(barbican secret list | awk '/ certificate / {print $2}')" --secret="private_key=$(barbican secret list | awk '/ private_key / {print $2}')"
</nowiki></pre>

*Note: the above is written with a workaround for a Barbican client bug and expects the cert, key and intermediates to be Base64-encoded files.
An example of doing this with OpenSSL:
<pre><nowiki>
$ openssl base64 -in <infile> -out <outfile>
</nowiki></pre>

Otherwise, leaving the files as they are generated, dropping --payload-content-encoding and specifying 'text/plain' as the content type works just fine:
<pre><nowiki>
$ barbican secret store --payload-content-type='text/plain' --name='certificate' --payload="$(cat server.crt)"
$ barbican secret store --payload-content-type='text/plain' --name='private_key' --payload="$(cat server.key)"
$ barbican container create --name='tls_container' --type='certificate' --secret="certificate=$(barbican secret list | awk '/ certificate / {print $2}')" --secret="private_key=$(barbican secret list | awk '/ private_key / {print $2}')"
</nowiki></pre>
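The chain generation above and the Base64 workaround, pulled together as one added example that is not code from the original wiki page or from the neutron-lbaas project: it builds the same root, intermediate and server certificates non-interactively, verifies that server.crt chains to ca.crt through ca-int.crt, checks that the private key belongs to the certificate, and writes the base64 copies the `barbican secret store` commands expect. The file names, subjects, serial numbers and the 2048-bit key size are this example's own choices, and it assumes `openssl` (1.1.1 or 3.x) and `cmp` are on PATH.

```shell
#!/bin/sh
# Added example, not part of the original wiki page or the neutron-lbaas project:
# build the root -> intermediate -> server chain non-interactively, verify it,
# confirm the key matches the certificate, and write the base64 copies the
# Barbican workaround expects. Assumes openssl (1.1.1 or 3.x) and cmp are on
# PATH; file names, subjects, serials and the key size are constructed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Build the three-tier chain in a subshell so the caller's cwd is untouched.
# Keys are unencrypted so nothing prompts for a passphrase; 2048 bits rather
# than the article's 1024, since 1024-bit RSA is below today's floor.
make_chain() (
    cd "$WORKDIR"
    # Both CA certificates need basicConstraints CA:TRUE, otherwise
    # 'openssl verify' refuses to treat them as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

    # Root CA: key, CSR, then a self-signed certificate.
    openssl genrsa -out ca.key 2048
    openssl req -new -key ca.key -out ca.csr -subj "/CN=ca@acme.com"
    openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -set_serial 01 \
        -extfile ca.ext -out ca.crt

    # Intermediate CA, signed by the root.
    openssl genrsa -out ca-int.key 2048
    openssl req -new -key ca-int.key -out ca-int.csr -subj "/CN=ca-int@acme.com"
    openssl x509 -req -days 3650 -in ca-int.csr -CA ca.crt -CAkey ca.key \
        -set_serial 02 -extfile ca.ext -out ca-int.crt

    # Server (leaf) certificate, signed by the intermediate.
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr -subj "/CN=server@acme.com"
    openssl x509 -req -days 3650 -in server.csr -CA ca-int.crt -CAkey ca-int.key \
        -set_serial 01 -out server.crt
)

# A client trusting only the root must be able to reach server.crt through
# ca-int.crt; this is the path building a TLS client performs against the LB.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -untrusted "$WORKDIR/ca-int.crt" \
        "$WORKDIR/server.crt" >/dev/null
}

# The private key and certificate must carry the same public key; a mismatched
# pair stored in Barbican is otherwise only noticed when the listener fails.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORKDIR/server.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Write serverb64.crt, serverb64.key and ca-intb64.crt for the base64 variant
# of 'barbican secret store', and prove the encoding round-trips byte for byte.
encode_for_barbican() {
    for f in server.crt server.key ca-int.crt; do
        openssl base64 -in "$WORKDIR/$f" -out "$WORKDIR/${f%.*}b64.${f##*.}"
    done
    openssl base64 -d -in "$WORKDIR/serverb64.crt" | cmp -s - "$WORKDIR/server.crt"
}

# Run every step; returns non-zero at the first failing check.
build_and_check() {
    make_chain && verify_chain && key_matches_cert && encode_for_barbican
}

if build_and_check; then
    echo "chain verifies, key matches certificate, base64 copies in $WORKDIR"
fi
```

The `openssl verify` step is the one worth keeping around: it passes ca-int.crt as an untrusted intermediate, which is exactly what a client holding only the root will need from the load balancer, so the intermediate belongs with the server certificate in the container rather than only on disk. The `key_matches_cert` check compares the public key extracted from each file, which works the same way for RSA and EC keys.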