Neutron/LBaaS/SSL
Revision as of 12:27, 8 December 2013

Description

Terminating SSL connections on the load balancer and re-encrypting traffic to the back-end nodes is a capability expected from modern load balancers and relied on by many applications. It enables central certificate management and application-aware load balancing (e.g. cookie-based persistence, L7 policies).

To give LBaaS SSL termination capability, a new extension called SSL will be added.

Rationale

The rationale is to give users the ability to use SSL on LBaaS.

Users should be able to apply SSL certificates on LBaaS and configure SSL on the VIP, front-end and back-end. A certificate chain should be supported for the front-end certificate. Trusted certificates should be supported for back-end connections.

Users should be able to create SSL policies, SSL certificates and SSL trusted keys. VIP creation remains unchanged.

Users should be able to associate a VIP with an SSL policy and SSL certificates for front-end offload, and with SSL trusted keys for back-end encryption.

SSL certificate creation will let the user enter the certificate's private key if a "remember" check box is checked. In that case the private key is persisted in the DB and is not requested again when the certificate is associated with a VIP. If the user chooses not to store the private key in the OpenStack DB, it is requested every time the certificate is associated with a VIP. A persisted key is a long-lived secret held by the service database, so the trade-off is convenience against the exposure of that key to anyone with DB access.

User Experience

SSL Policy Managing

Under Project tab->Manage Network->SSL(NEW)->Policies (tab), the user sees a table of SSL policies with "Add" and "Delete" buttons, as usual.

On "Add", as usual, a form pops up with:

  • Name : text field
  • Enable Front-End termination
  • Front-End supported protocols : multiple selector (at least one should be selected)
  • Front-End supported cipher suites : multiple selector (at least one should be selected)
  • Enable Back-End encryption
  • Back-End supported protocols : multiple selector (at least one should be selected)
  • Back-End supported cipher suites : multiple selector (at least one should be selected)
  • Pass info
    • Cipher : check box
    • Version : check box
    • Bits : check box
    • Frontend – add “Front-End-Https:” to headers : check box

On "Delete", as usual, a confirmation is shown. Policies associated with a VIP are protected from deletion.

On Actions->"Edit Policy", a form opens with all fields editable.

The Actions column->"More" button contains the delete option only.

SSL Certificate Managing

Under Project tab->Manage Network->SSL(NEW)->Certificates(NEW), the user sees a table of SSL certificates with "Add" and "Delete" buttons, as usual.

On "Add", as usual, a form pops up with:

  • Name : text field
  • Public key : text field
  • Pass phrase : text field
  • Certificate chain : text field
  • Persist private key : check box (Hint: if checked, the certificate's private key is stored in the OpenStack repository and is not requested when the certificate is associated with a VIP; if unchecked, the private key is requested each time the certificate is associated with a VIP)
  • Private key : text field (disabled if "persist private key" check box is not checked)

On "Delete", as usual, a confirmation is shown. Certificates associated with a VIP are protected from deletion.

On Actions->"Edit Certificate", a form opens with all fields editable.

The Actions column->"More" button contains the delete option only.


SSL Trusted keys Managing

Under Project tab->Manage Network->SSL(NEW)->Trusted keys(NEW), the user sees a table of SSL trusted keys with "Add" and "Delete" buttons, as usual.

On "Add", as usual, a form pops up with:

  • Name : text field
  • Public key : text field

On "Delete", as usual, a confirmation is shown. Keys associated with a VIP are protected from deletion.

On Actions->"Edit Key", a form opens with all fields editable.

The Actions column->"More" button contains the delete option only.


Vip SSL Settings

On the Load Balancers screen, the More->VIP SSL association(NEW) option of a specific pool opens the VIP form, and a new form called "SSL Setting" opens with it.

An SSL policy may be selected from a policies table containing policy name, protocols and cipher suites.

The "Enable Front-End SSL termination" check box must be checked in order to enable SSL certificate selection.

The SSL certificates table contains the certificate name and a private key text box. The text box is disabled if the private key is persisted in the OpenStack repository; it is editable, and the user must fill it in, if the private key is not persisted. At least one certificate must be selected. (Showing a persisted key in the form, even in a disabled field, exposes it to anyone who can view the page; leaving the field empty for persisted keys is safer.)

The "Enable Back-End SSL encryption" check box must be checked in order to enable SSL trusted key selection.

The SSL trusted keys table contains just the key name. The user may select none or several keys.

Rules on SAVE:

  • An SSL policy must be selected
  • The "Enable Front-End SSL termination" check box is disabled while no SSL policy is selected

API change

  • The VIP CRUD API of the LBaaS plugin will not be changed.
  • A new extension named "ssl" will be added, including the SSL certificate resources, quotas etc.
  • VIP association APIs for SSL policies, SSL certificates and SSL trusted keys will be added to the LBaaS plugin.

Resources change

  • vip resource remains the same
  • SSL policy (new)
    • protocols : comma-separated list of values from the allowed set (SSLv3, TLSv1, TLSv1.1, TLSv1.2), default=None
    • cipher_suites : comma-separated list of values from the allowed set, each in the format
        <key exchange algorithm>_<bulk encryption algorithm>_<message authentication code>_<pseudorandom function>
  • SSL certificate (new)
    • public_key (PEM-formatted)
    • pass_phrase (optional)
    • private_key (PEM-formatted, optional)
    • certificate_chain (list of PEM-formatted public keys, i.e. the intermediate certificates, optional)
  • SSL trusted key (new)
    • public_key (PEM-formatted)
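The checks implied by the resource attributes above and by the "Rules on SAVE" of the Vip SSL Settings section, written out as an added Python example. This is not Neutron code: the function names, the ValidationError class, the PEM framing check and the sample PEM blocks are this example's own, and the requirement of at least one protocol and one cipher suite is taken from the Add-policy form rather than the API (whose protocols default is None).

```python
import re

# Allowed values for the protocols attribute, per the Resources change section.
ALLOWED_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Column widths from the data model: protocols string(64), cipher_suites string(512).
MAX_LEN = {"protocols": 64, "cipher_suites": 512}
# One cipher_suites entry: <key exchange>_<bulk encryption>_<MAC>_<PRF>.
CIPHER_SUITE_RE = re.compile(r"[A-Za-z0-9-]+_[A-Za-z0-9-]+_[A-Za-z0-9-]+_[A-Za-z0-9-]+")
# Minimal PEM framing check: matching BEGIN/END labels around a base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+-----END \1-----\n")


class ValidationError(ValueError):
    """A request body or form submission that violates the rules on this page."""


def parse_list(value):
    """Split a comma-separated attribute value into its non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def pem_label(text):
    """Return the PEM block label (e.g. 'CERTIFICATE'), or None if not PEM framed."""
    match = PEM_RE.fullmatch((text or "").strip() + "\n")
    return match.group(1) if match else None


def validate_ssl_policy(body):
    """Check an ssl_policy create/update body and return the attributes to store."""
    for attr, limit in MAX_LEN.items():
        if len(body.get(attr) or "") > limit:
            raise ValidationError("%s longer than %d characters" % (attr, limit))
    protocols = parse_list(body.get("protocols"))
    suites = parse_list(body.get("cipher_suites"))
    if not protocols or not suites:  # the Add-policy form requires at least one of each
        raise ValidationError("at least one protocol and one cipher suite are required")
    bad = [p for p in protocols if p not in ALLOWED_PROTOCOLS]
    if bad:
        raise ValidationError("unsupported protocols: %s" % ", ".join(bad))
    bad = [s for s in suites if not CIPHER_SUITE_RE.fullmatch(s)]
    if bad:
        raise ValidationError("malformed cipher suites: %s" % ", ".join(bad))
    return {"name": body["name"], "protocols": protocols, "cipher_suites": suites}


def validate_ssl_certificate(body):
    """Check an ssl_certificate body; the private key is stored only if persist is set."""
    if pem_label(body.get("public_key")) != "CERTIFICATE":
        raise ValidationError("public_key must be a PEM CERTIFICATE block")
    chain = list(body.get("certificate_chain") or [])
    if any(pem_label(c) != "CERTIFICATE" for c in chain):
        raise ValidationError("certificate_chain entries must be PEM CERTIFICATE blocks")
    persist = bool(body.get("persist_private_key", False))
    private_key = body.get("private_key")
    if persist:
        label = pem_label(private_key)
        if label is None or not label.endswith("PRIVATE KEY"):
            raise ValidationError("persist_private_key requires a PEM private key")
    else:
        private_key = None  # not persisted: the key never reaches the DB record
    return {"name": body["name"], "public_key": body["public_key"],
            "certificate_chain": chain, "pass_phrase": body.get("pass_phrase"),
            "persist_private_key": persist, "private_key": private_key}


def validate_vip_ssl_settings(policy, fe_termination, certificates,
                              be_encryption, trusted_keys, supplied_private_keys=None):
    """Apply the 'Rules on SAVE' of the VIP SSL settings form.

    supplied_private_keys maps certificate name -> PEM typed into the form for
    non-persisted certificates. The usable keys are returned, not stored, so that
    a non-persisted key still stays out of the DB.
    """
    supplied = supplied_private_keys or {}
    if policy is None:
        raise ValidationError("an SSL policy must be selected")
    if certificates and not fe_termination:
        raise ValidationError("certificates can only be selected with Front-End termination")
    if trusted_keys and not be_encryption:
        raise ValidationError("trusted keys can only be selected with Back-End encryption")
    if fe_termination and not certificates:
        raise ValidationError("Front-End termination needs at least one certificate")
    keys = {}
    for cert in certificates:
        key = cert["private_key"] if cert["persist_private_key"] else supplied.get(cert["name"])
        if key is None:
            raise ValidationError("private key required for certificate %s" % cert["name"])
        keys[cert["name"]] = key
    return keys


# Constructed sample PEM blocks (not real credentials); only the framing is checked.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUQ\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    policy = validate_ssl_policy({"name": "strict", "protocols": "TLSv1.1, TLSv1.2",
                                  "cipher_suites": "ECDHE-RSA_AES128-GCM_SHA256_SHA256"})
    cert = validate_ssl_certificate({"name": "www", "public_key": SAMPLE_CERT,
                                     "certificate_chain": [SAMPLE_CERT]})
    print(validate_vip_ssl_settings(policy, True, [cert], False, [],
                                    supplied_private_keys={"www": SAMPLE_KEY}))
```

The PEM check only verifies framing; a real implementation would parse the certificate and confirm that the supplied private key matches its public key before accepting the association, otherwise a mismatched pair is only discovered when the driver fails to load it.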

Data model change

  • vip database entity remains the same.
  • ssl_policy
    • ssl-policy-id
    • protocols (string 64)
    • cipher_suites (string 512)
  • ssl_certificate
    • ssl-certificate-id
    • public_key
    • pass_phrase
    • certificate_chain
    • private_key
  • ssl_trusted_key
    • ssl-trusted-key-id
    • key
  • vip_ssl_policy_assoc (one policy per vip)
    • vip-id
    • ssl-policy-id
    • status
    • desc
  • vip_ssl_certificate_assoc (multiple certificates per vip; a certificate may be associated with multiple vips)
    • vip-id
    • ssl-certificate-id
    • status
    • desc
  • vip_ssl_trusted_key_assoc (multiple trusted keys per vip; a trusted key may be associated with multiple vips)
    • vip-id
    • ssl-trusted-key-id
    • status
    • desc

DB Migration

No DB migration is needed

CLI changes

  • neutron ssl-policy-create --protocols SSLv3,TLSv1,TLSv1.1 --cipher-suites DES-CBC-SHA,EXP-DES-CBC-SHA <policy name>
  • neutron ssl-policy-update --policy-id POLICY-ID --protocols TLSv1,TLSv1.1
  • neutron ssl-policy-delete --policy-id POLICY-ID
  • neutron ssl-certificate-create --public-key PUBLIC-KEY --persistent-private-key true --private-key PRIVATE-KEY --passphrase PASSPHRASE --cert-chain INTERMEDIATE-KEY1,INTERMEDIATE-KEY2 <certificate name>
  • neutron ssl-certificate-update --certificate-id CERTIFICATE-ID --cert-chain INTERMEDIATE-KEY1,INTERMEDIATE-KEY2,INTERMEDIATE-KEY3
  • neutron ssl-certificate-delete --certificate-id CERTIFICATE-ID
  • neutron ssl-trusted-key-create --key PUBLIC-KEY <key name>
  • neutron ssl-trusted-key-update --key-id KEY-ID --key PUBLIC-KEY
  • neutron ssl-trusted-key-delete --key-id KEY-ID
  • neutron vip-ssl-policy-associate --vip-id VIP-ID --ssl-policy-id SSL-POLICY-ID
  • neutron vip-ssl-certificate-associate --vip-id VIP-ID --ssl-certificate-id SSL-CERTIFICATE-ID
  • neutron vip-ssl-trusted-key-associate --vip-id VIP-ID --ssl-trusted-key-id SSL-TRUSTED-KEY-ID
  • neutron vip-ssl-policy-disassociate --vip-id VIP-ID --ssl-policy-id SSL-POLICY-ID
  • neutron vip-ssl-certificate-disassociate --vip-id VIP-ID --ssl-certificate-id SSL-CERTIFICATE-ID
  • neutron vip-ssl-trusted-key-disassociate --vip-id VIP-ID --ssl-trusted-key-id SSL-TRUSTED-KEY-ID

Notes: list values are comma-separated without spaces. The cipher suites in the create example (DES-CBC-SHA, EXP-DES-CBC-SHA) are OpenSSL names used only to show the syntax; both are weak (single DES and export-grade) and should not appear in a real policy. --private-key is only meaningful together with --persistent-private-key true, matching the form, where the private key field is disabled unless "Persist private key" is checked.

Implementation Plan

  • Modify the LBaaS VIP resource attribute map with the new parameters
  • Modify the LBaaS VIP DB model with the new parameters
  • Modify the LBaaS VIP DB model tests to account for the new parameters, if needed
  • Modify the LBaaS HAProxy driver to support SSL
  • Update HAProxy to version 1.5 {TBD}
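One way the driver work in the last two items could turn a VIP's SSL associations into HAProxy 1.5 configuration, as an added Python example. This is not Neutron's HAProxy driver. The bind and server keywords (ssl, crt, ciphers, no-sslv3 and friends, verify, ca-file) and the ssl_fc_* fetches are HAProxy 1.5's; everything else is this example's assumption: the X-SSL-* header names for the pass-info options, the value "on" for Front-End-Https, the file paths, treating cipher_suites as OpenSSL cipher names (as the CLI examples do), and mapping back-end trusted keys onto verify required ca-file, which the support matrix below lists as unsupported for HAProxy 1.5.

```python
# bind/server option that disables each protocol a policy does not list (HAProxy 1.5 keywords).
DISABLE_OPTION = {"SSLv3": "no-sslv3", "TLSv1": "no-tlsv10",
                  "TLSv1.1": "no-tlsv11", "TLSv1.2": "no-tlsv12"}

# Headers for the policy's "Pass info" check boxes, filled from HAProxy ssl_fc_* fetches.
# The header names are this example's choice; the page does not fix them.
PASS_INFO_HEADERS = {
    "cipher": ("X-SSL-Cipher", "%[ssl_fc_cipher]"),
    "version": ("X-SSL-Protocol", "%[ssl_fc_protocol]"),
    "bits": ("X-SSL-Bits", "%[ssl_fc_use_keysize]"),
}


def pem_bundle(cert, private_key):
    """HAProxy's crt file holds the certificate, its chain and the private key in one PEM."""
    parts = [cert["public_key"]] + list(cert.get("certificate_chain", [])) + [private_key]
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def disabled_protocols(policy):
    """Options for every protocol the policy leaves out."""
    return [opt for proto, opt in DISABLE_OPTION.items() if proto not in policy["protocols"]]


def render_frontend(vip, policy, crt_paths):
    """Frontend stanza: terminate SSL with only the policy's protocols and cipher suites."""
    bind = ["bind %s:%d ssl" % (vip["address"], vip["port"])]
    bind += ["crt %s" % path for path in crt_paths]
    # cipher_suites are taken to be OpenSSL cipher names, as in the CLI examples above.
    bind.append("ciphers %s" % ":".join(policy["cipher_suites"]))
    bind += disabled_protocols(policy)
    lines = ["frontend %s" % vip["id"], "    mode http", "    " + " ".join(bind)]
    for flag, (header, fetch) in PASS_INFO_HEADERS.items():
        if policy["pass_info"].get(flag):
            lines.append("    http-request set-header %s %s" % (header, fetch))
    if policy["pass_info"].get("front_end_https"):
        lines.append("    http-request set-header Front-End-Https on")
    lines.append("    default_backend %s" % vip["pool_id"])
    return "\n".join(lines)


def render_backend(pool, policy, ca_path=None):
    """Backend stanza: re-encrypt to members; verify them only when trusted keys were associated."""
    server_opts = ""
    if policy["be_encryption"]:
        verify = "verify required ca-file %s" % ca_path if ca_path else "verify none"
        server_opts = " " + " ".join(["ssl", verify] + disabled_protocols(policy))
    lines = ["backend %s" % pool["id"], "    mode http"]
    for m in pool["members"]:
        lines.append("    server %s %s:%d%s" % (m["id"], m["address"], m["port"], server_opts))
    return "\n".join(lines)


def render_config(vip, pool, policy, crt_paths, ca_path=None):
    """Full frontend + backend text for one VIP."""
    return render_frontend(vip, policy, crt_paths) + "\n\n" + render_backend(pool, policy, ca_path)


# Constructed sample objects (not real IDs, addresses or credentials).
VIP = {"id": "vip-1", "address": "10.0.0.10", "port": 443, "pool_id": "pool-1"}
POOL = {"id": "pool-1", "members": [{"id": "member-1", "address": "10.0.1.5", "port": 443}]}
POLICY = {
    "protocols": ["TLSv1.1", "TLSv1.2"],
    "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    "pass_info": {"cipher": True, "version": True, "bits": False, "front_end_https": True},
    "be_encryption": True,
}

if __name__ == "__main__":
    print(render_config(VIP, POOL, POLICY, ["/etc/haproxy/certs/www.pem"],
                        ca_path="/etc/haproxy/certs/trusted.pem"))
```

Because HAProxy reads certificate, chain and private key from one PEM file on the agent host (pem_bundle), the key has to be available at association time; that is why the form asks for a non-persisted key on every association. The bundle is written in clear, so decrypting a pass_phrase-protected key before writing it is left out here.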

Support Matrix

Provider     | Protocols                              | Cipher Suites | Certificate chain | FE client auth. | BE trusted keys | BE client cert. | SNI
HAProxy 1.5  | SSLv3, TLSv1                           | As OpenSSL    | Yes               | Yes             | No              | No              | Yes
Amazon EC2   | SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2  | As OpenSSL    | Yes               | No              | Yes             | No              | No
OpenStack    | SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2  | As OpenSSL    | Yes               | No              | Yes             | No              | No