Difference between revisions of "Neutron/LBaaS/SSL"

Revision as of 10:25, 5 February 2014

Description

Terminating an SSL connection on the load balancer and encrypting traffic back to the back-end nodes are capabilities expected from modern load balancers and incorporated into many applications. This capability enables better certificate management and improved application-based load balancing (e.g. cookie-based persistence, L7 policies, etc.).

To give LBaaS the ability to terminate SSL, a new extension called SSL will be added.

Rationale

The rationale is to give the user the ability to use SSL on LBaaS.

The user should be able to apply SSL certificates on LBaaS and configure SSL on the VIP, front-end and back-end.

  • A certificate chain should be supported for the front-end certificate.
  • Trusted certificates should be supported for the back-end certificate.
  • The user should be able to manage SSL policies, SSL front-end certificates and SSL trusted back-end certificates.
  • The user should be able to associate a VIP with an SSL policy and SSL certificates for front-end offload, and with SSL trusted certificates for back-end encryption.
  • The user should have a choice whether or not to store certificate private keys in the OpenStack repository.


Current design

For now, storing SSL certificate private keys is not an option, since there is no secure store. Because private keys will therefore be transient, the private key value will be requested each time the user associates an SSL certificate with a VIP. Even though the private key is transient, its transport must be secured.

Future releases design

SSL certificate creation will let the user enter the certificate's private key if the user checks a "remember" check box. In this case the private key will be stored encrypted with a key specified in the configuration file, and the user will not be required to enter it when associating the certificate with a VIP.

If the user chooses not to store the private key in the OpenStack DB, the certificate's private key will be requested every time the user associates the certificate with a VIP.

User Experience

SSL Policies Managing

Under Project tab->Manage Network->Load Balancers->SSL Policies (new tab), the user will see a table of SSL policies with "Add" and "Delete" buttons, as usual.

A default policy will be available. It will have a default set of protocols and cipher suites. The user should be able to explore the default policy's details but should not be able to delete it.

Cipher suite groups will be available: low, medium and high. A user will be able to choose one of them or to compile a customized list.

On "Add", as usual, a form pops up with:

  • Name : text field
  • Enable Front-End termination : check box
  • Front-End supported protocols : multiple selector (at least one should be selected)
  • Front-End supported cipher suites : Radio button with 4 choices:
    • LOW (OpenSSL LOW ciphers, Hint should show them all)
    • MEDIUM (OpenSSL MEDIUM ciphers, Hint should show them all)
    • HIGH (OpenSSL HIGH ciphers, Hint should show them all)
    • Custom: multiple selector (at least one suite should be selected)
  • Enable Back-End encryption : check box
  • Back-End supported protocols : multiple selector (at least one should be selected)
  • Back-End supported cipher suites : Radio button with 4 choices:
    • LOW (OpenSSL LOW ciphers, Hint should show them all)
    • MEDIUM (OpenSSL MEDIUM ciphers, Hint should show them all)
    • HIGH (OpenSSL HIGH ciphers, Hint should show them all)
    • Custom: multiple selector (at least one suite should be selected)
  • Pass info
    • Cipher : check box
    • Version : check box
    • Bits : check box
    • Frontend – add “Front-End-Https:” to headers : check box
Note: Front-End or Back-End or both must be configured to SAVE.
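The LOW/MEDIUM/HIGH radio buttons map to OpenSSL cipher-string keywords, and the form's hint is meant to list every suite the chosen group selects. The Python below is an added example (not Neutron code) that uses the standard-library ssl module to expand a group against the OpenSSL the host actually links, and to check a custom list the same way. It covers the failure mode a practitioner hits on current builds: OpenSSL 1.1.0 and later ship no LOW ciphers (and frequently no MEDIUM ones), so set_ciphers() raises and the group must be reported as empty instead of silently falling back to the default cipher list. The function names are the example's own.

```python
import ssl

# Cipher-suite groups offered by the SSL policy form (OpenSSL cipher-string keywords).
CIPHER_GROUPS = ("LOW", "MEDIUM", "HIGH")


def expand_cipher_group(group):
    """Return the OpenSSL cipher names that `group` selects on this host.

    The hint is supposed to show "them all"; what "all" means depends on the
    OpenSSL build, so the list is computed instead of hard-coded.
    """
    if group not in CIPHER_GROUPS:
        raise ValueError("unknown cipher group: %r" % (group,))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(group)
    except ssl.SSLError:
        # No cipher matches the keyword in this build (typical for LOW on
        # OpenSSL >= 1.1.0): report an empty group rather than a default list.
        return []
    # get_ciphers() also lists the TLS 1.3 suites, which the cipher string does
    # not control; keep only the suites the policy string actually selects.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_group_hint(group):
    """Text for the form's hint next to the LOW/MEDIUM/HIGH radio button."""
    names = expand_cipher_group(group)
    if not names:
        return ("%s: no cipher suites available in this OpenSSL build; "
                "choose HIGH or a custom list" % group)
    return "%s (%d suites): %s" % (group, len(names), ", ".join(names))


def validate_custom_suites(requested):
    """Custom selector: at least one suite, and every suite known to local OpenSSL."""
    if not requested:
        raise ValueError("at least one cipher suite must be selected")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")  # every suite this build can negotiate
    known = {c["name"] for c in ctx.get_ciphers()}
    unknown = sorted(set(requested) - known)
    if unknown:
        raise ValueError("unknown cipher suites: %s" % ", ".join(unknown))
    return list(requested)


if __name__ == "__main__":
    for g in CIPHER_GROUPS:
        print(cipher_group_hint(g))
```

Because the expansion is computed on the API node, a policy saved on one host may select a different suite list on a load balancer built against another OpenSSL; the driver should re-run the same check on the node that terminates the traffic.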

On "Delete", as usual, confirmation. Associated policies are deletion protected.

On the Actions->"Edit Policy" button, a form opens up with all fields allowed for change. If the changed policy is associated with one or more VIPs, each VIP's driver should make any required changes on the LBaaS.

The Actions column->"More" button contains the delete option only.

SSL Certificates Managing

Under Project tab->Manage Network->SSL Certificates (new), the user will see a table of SSL certificates with "Add" and "Delete" buttons, as usual.

On "Add", as usual, a form pops up with:

  • Name : text field
  • Certificate : text field
  • Pass phrase : text field
  • Certificate chain : text field
  • Persist private key : check box (Not available in Icehouse release). Hint: If checked, the certificate private key will be stored in the OpenStack repository and will not be requested when associating the certificate to a VIP. If unchecked, the certificate private key will be requested each time the certificate is associated to a VIP.
  • Private key : text field, disabled if "persist private key" check box is not checked (Not available in Icehouse release)
Note: If private key persistence is enabled, private key must be supplied.

On "Delete", as usual, confirmation. Associated certificates are deletion protected.

On the Actions->"Edit Certificate" button, a form opens up with all fields allowed for change.

The Actions column->"More" button contains the delete option only.

SSL Trusted Certificates Managing

Under Project tab->Manage Network->Load Balancers->SSL Trusted Certificates (new tab), the user will see a table of SSL trusted certificates with "Add" and "Delete" buttons, as usual.

On "Add", as usual, a form pops up with:

  • Name : text field
  • Certificate : text field


On "Delete", as usual, confirmation. Associated certificates are deletion protected.

On the Actions->"Edit Certificate" button, a form opens up with all fields allowed for change.

The Actions column->"More" button contains the delete option only.

VIP creation

  • VIP and Pool protocols are different

The behavior will remain as is. The customer cannot create a VIP with different front-end and back-end protocols; VIP creation will fail.

  • VIP and Pool protocols are HTTP

The VIP will be created with HTTP on the front-end and HTTP on the back-end. When an SSL policy is associated, the VIP's and pool's protocols will remain HTTP; the policy will define the VIP's behavior.

  • VIP and Pool protocols are HTTPS

The VIP will be created with HTTPS on the front-end and HTTPS on the back-end. When an SSL policy is associated, the VIP's and pool's protocols will remain HTTPS; the policy will define the VIP's behavior.

Vip SSL Association

Important Note: Associating and disassociating SSL for a VIP are atomic actions.
Saving the VIP SSL association will require re-entering all missing certificate private keys.
Disassociating SSL from a VIP will remove all associations with the policy and certificates. This applies to both the UI and the CLI.

On the Project->Load Balancers screen, for each pool, the "More" button->VIP SSL association (new) option opens a new form.

A single SSL policy may be selected from the policies table, which contains a selection check box and the policy name. The user will also be able to press the "Add New" button and get the SSL policy addition form.

Depending on policy, if front-end termination is enabled, SSL certificates table will be enabled for choosing certificates.

SSL certificates table contains certificate name, and private key text box.

The private key text box contains the key and is disabled if the private key is persisted in the OpenStack repository. The private key text box is editable if the private key is not persisted; the user must supply it (this is always the case for the Icehouse release).

At least one certificate must be selected. An "Add New" button will also be present; pressing it will open the SSL certificate form.

Depending on policy, if back-end encryption is enabled, SSL trusted certificates table will be enabled for choosing certificates.

The SSL trusted certificates table contains a selection check box and the certificate name. The user may select none or multiple certificates. An "Add New" button will also be present; pressing it will open the SSL trusted certificate form.

  • To apply an association:

An SSL policy must be selected. If front-end termination is enabled, at least one SSL certificate must be selected.
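The association rules in this section are easiest to read as one validation routine that either accepts the whole request or rejects it, which is what makes the association atomic. The Python below is an added example, not part of the Neutron LBaaS code: it checks a vip-ssl-associate request against a constructed, in-memory catalogue of policies and certificates (the dictionaries at the top are sample data, not real IDs), and shows that disassociation clears every SSL reference while leaving the VIP's protocol alone. The one persisted-key certificate in the sample exists only to show the future-release path; in Icehouse every certificate behaves like the non-persisted one.

```python
# Constructed sample catalogue for the example; in the real plugin these rows
# come from the ssl_policy / ssl_certificate / ssl_trusted_certificate tables.
POLICIES = {
    "policy-fe-be": {"front-end-termination": True, "back-end-encryption": True},
    "policy-be-only": {"front-end-termination": False, "back-end-encryption": True},
}
CERTIFICATES = {
    "cert-www": {"private_key_persisted": False},  # Icehouse: always this case
    "cert-api": {"private_key_persisted": True},   # future releases only
}
TRUSTED_CERTIFICATES = {"trusted-backend-ca": {}}


def validate_vip_ssl_association(request, policies=POLICIES,
                                 certificates=CERTIFICATES,
                                 trusted=TRUSTED_CERTIFICATES):
    """Return the list of rule violations for a VIP SSL association request.

    request = {"ssl_policy_id": str,
               "certificates": [{"id": str, "private_key": str or None}, ...],
               "trusted_certificate_ids": [str, ...]}
    The caller persists the association only when the list is empty, so the
    association is applied completely or not at all.
    """
    errors = []
    policy = policies.get(request.get("ssl_policy_id"))
    if policy is None:
        # Nothing else can be checked without a policy.
        return ["an SSL policy must be selected"]

    certs = request.get("certificates") or []
    if policy["front-end-termination"]:
        if not certs:
            errors.append("front-end termination is enabled: "
                          "at least one SSL certificate must be selected")
        for entry in certs:
            meta = certificates.get(entry.get("id"))
            if meta is None:
                errors.append("unknown SSL certificate %r" % (entry.get("id"),))
            elif not meta["private_key_persisted"] and not entry.get("private_key"):
                # Transient keys are never stored, so they must travel with the request.
                errors.append("certificate %s: private key is not persisted "
                              "and must be supplied" % entry["id"])
    elif certs:
        errors.append("front-end termination is disabled for this policy: "
                      "SSL certificates cannot be selected")

    trusted_ids = request.get("trusted_certificate_ids") or []
    if policy["back-end-encryption"]:
        for tid in trusted_ids:  # none or many is acceptable
            if tid not in trusted:
                errors.append("unknown SSL trusted certificate %r" % (tid,))
    elif trusted_ids:
        errors.append("back-end encryption is disabled for this policy: "
                      "trusted certificates cannot be selected")
    return errors


def disassociate_vip_ssl(vip):
    """Drop every SSL association from a VIP record; protocol fields are untouched."""
    cleared = dict(vip)
    cleared.update({"ssl_policy_id": None,
                    "ssl_certificate_ids": [],
                    "ssl_trusted_certificate_ids": []})
    return cleared
```

Returning every violation at once rather than the first one matters for the UI case, where the user has just typed one or more private keys into the form and should not have to repeat that for each successive error.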


Vip SSL Disassociation

On disassociation of a VIP and SSL, the VIP and pool protocols will remain as is.

API change

  • Vip CRUD API of the LBaaS plugin will not be changed.
  • New extension named "ssl" will be added, including ssl policies, certificates and trusted certificates resources
  • New db extension named "ssl_db" will be added, including ssl policies, certificates and trusted certificates DB handling
  • Since SSL offload capability is a core LBaaS capability, SSL entities management API and Vip SSL association API should be added to the LBaaS plugin

Resources change

  • vip resource remains the same
  • SSL policy (new)
    • front-end-termination : bool
    • front-end-protocols : list of comma-separated values from a list of allowed values (SSLv3, TLSv1, TLSv1.1, TLSv1.2), default=None
    • front-end-cipher_suites : list of comma-separated values from allowed values list.
      • Format - <key exchange algorithm>_<bulk encryption algorithm>_<message authentication code>_<pseudorandom function>
    • back-end-encryption : bool
    • back-end-protocols : list of comma-separated values from a list of allowed values (SSLv3, TLSv1, TLSv1.1, TLSv1.2), default=None
    • back-end-cipher_suites : list of comma-separated values from allowed values list.
      • Format - <key exchange algorithm>_<bulk encryption algorithm>_<message authentication code>_<pseudorandom function>
    • pass-info : list of comma-separated values from allowed values list (cipher, protocol, bits, front-end)
  • SSL certificate (new)
    • certificate : PEM-formatted string
    • pass_phrase : not mandatory string
    • private_key : PEM-formatted string, not mandatory (absent in Icehouse release)
    • certificate_chain : list of PEM-formatted public keys, not mandatory
  • SSL trusted certificate (new)
    • certificate : PEM-formatted string
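The allowed-value lists above, together with the form rules earlier on the page (at least one protocol and one cipher suite per enabled side, and front-end or back-end or both enabled), are the server-side validation the ssl extension needs before a policy row is written. The Python below is an added example and not the extension's own attribute map; it validates a policy body using the attribute names from the resource definition above and returns all violations. The cipher-suite values are only checked for presence here, since the page gives their format but not the allowed list.

```python
# Allowed values taken from the SSL policy resource definition above.
ALLOWED_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
ALLOWED_PASS_INFO = ("cipher", "protocol", "bits", "front-end")


def _split_csv(value):
    """Accept the attribute as a comma-separated string or a list; drop blanks."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v).strip() for v in value if str(v).strip()]
    return [v.strip() for v in value.split(",") if v.strip()]


def _validate_side(side, enabled, protocols, cipher_suites, errors):
    """Rules for one side (front-end or back-end) of the policy."""
    if not enabled:
        return  # the form disables these fields; nothing to check
    protocols = _split_csv(protocols)
    suites = _split_csv(cipher_suites)
    if not protocols:
        errors.append("%s: at least one protocol must be selected" % side)
    unsupported = [p for p in protocols if p not in ALLOWED_PROTOCOLS]
    if unsupported:
        errors.append("%s: unsupported protocols %s" % (side, ", ".join(unsupported)))
    if not suites:
        errors.append("%s: at least one cipher suite must be selected" % side)


def validate_ssl_policy(policy):
    """Return the validation errors for an ssl_policy resource body (empty if valid)."""
    errors = []
    fe = bool(policy.get("front-end-termination", False))
    be = bool(policy.get("back-end-encryption", False))
    if not fe and not be:
        errors.append("front-end termination or back-end encryption "
                      "(or both) must be enabled")
    _validate_side("front-end", fe, policy.get("front-end-protocols"),
                   policy.get("front-end-cipher_suites"), errors)
    _validate_side("back-end", be, policy.get("back-end-protocols"),
                   policy.get("back-end-cipher_suites"), errors)
    unknown_info = [i for i in _split_csv(policy.get("pass-info"))
                    if i not in ALLOWED_PASS_INFO]
    if unknown_info:
        errors.append("pass-info: unknown values %s" % ", ".join(unknown_info))
    return errors
```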

Data model change

  • vip entity will be associated with SSL policy, SSL certificate and SSL trusted certificate entities.
  • ssl_policy (new)
    • ssl_policy_id (string 36)
    • ssl_policy_name (string 64)
    • front_end_enabled (bool)
    • front_end_protocols (string 32)
    • front_end_cipher_suites (string 512)
    • back_end_enabled (bool)
    • back_end_protocols (string 32)
    • back_end_cipher_suites (string 512)
    • pass_info (string 64)
  • ssl_certificate (new)
    • ssl_certificate_id (string 36)
    • ssl_certificate_name (string 64)
    • certificate (string 4096)
    • pass_phrase (string 64)
    • certificate_chain (string 20480)
    • private_key (string 4096) (absent in Icehouse release)
  • ssl_trusted_certificate (new)
    • ssl_trusted_certificate_id (string 36)
    • ssl_trusted_certificate_name (string 64)
    • certificate (string 4096)
  • vip_ssl_policy_assoc (new, one policy per vip)
    • vip_id (string 36)
    • ssl_policy_id (string 36)
    • status (string 16)
    • desc (string 255)
  • vip_ssl_certificate_assoc (new, multiple certificates per vip; a certificate may be associated with multiple vips)
    • vip_id (string 36)
    • ssl_certificate_id (string 36)
    • status (string 16)
    • desc (string 255)
  • vip_ssl_trusted_certificate_assoc (new, multiple trusted certificates per vip; a trusted certificate may be associated with multiple vips)
    • vip_id (string 36)
    • ssl_trusted_certificate_id (string 36)
    • status (string 16)
    • desc (string 255)
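The cardinalities stated for the three association tables, and the "deletion protected" rule from the management sections, can be enforced by the schema itself rather than by plugin code. The Python below is an added example (not the ssl_db mixin or any Neutron migration) that builds the tables from the data model above in an in-memory SQLite database using the standard-library sqlite3 module: one policy per VIP via a primary key on vip_id, many certificates per VIP via a composite key, and ON DELETE RESTRICT foreign keys so that a policy or certificate still referenced by a VIP cannot be removed. The vips table and the status value are stand-ins constructed for the example.

```python
import sqlite3

# Schema derived from the data model above. The vips table is a minimal stand-in
# for the existing LBaaS table; the PRIMARY KEY / REFERENCES clauses are this
# example's reading of "one policy per vip" and "deletion protected".
SCHEMA = """
CREATE TABLE vips (vip_id VARCHAR(36) PRIMARY KEY);
CREATE TABLE ssl_policy (
    ssl_policy_id VARCHAR(36) PRIMARY KEY, ssl_policy_name VARCHAR(64),
    front_end_enabled BOOLEAN, front_end_protocols VARCHAR(32),
    front_end_cipher_suites VARCHAR(512), back_end_enabled BOOLEAN,
    back_end_protocols VARCHAR(32), back_end_cipher_suites VARCHAR(512),
    pass_info VARCHAR(64));
CREATE TABLE ssl_certificate (
    ssl_certificate_id VARCHAR(36) PRIMARY KEY, ssl_certificate_name VARCHAR(64),
    certificate VARCHAR(4096), pass_phrase VARCHAR(64), certificate_chain VARCHAR(20480));
-- one policy per vip: vip_id is the primary key of the association row
CREATE TABLE vip_ssl_policy_assoc (
    vip_id VARCHAR(36) PRIMARY KEY REFERENCES vips(vip_id),
    ssl_policy_id VARCHAR(36) NOT NULL
        REFERENCES ssl_policy(ssl_policy_id) ON DELETE RESTRICT,
    status VARCHAR(16), "desc" VARCHAR(255));
-- many certificates per vip and a certificate on many vips: composite key
CREATE TABLE vip_ssl_certificate_assoc (
    vip_id VARCHAR(36) REFERENCES vips(vip_id),
    ssl_certificate_id VARCHAR(36)
        REFERENCES ssl_certificate(ssl_certificate_id) ON DELETE RESTRICT,
    status VARCHAR(16), "desc" VARCHAR(255),
    PRIMARY KEY (vip_id, ssl_certificate_id));
"""

STATUS_ACTIVE = "ACTIVE"  # constructed sample status value


def new_store():
    """Open an in-memory database with the schema and FK enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled per connection
    conn.executescript(SCHEMA)
    return conn


def _run(conn, sql, params):
    """Execute one statement in its own transaction; False if a constraint rejects it."""
    try:
        with conn:
            conn.execute(sql, params)
    except sqlite3.IntegrityError:
        return False
    return True


def add_vip(conn, vip_id):
    return _run(conn, "INSERT INTO vips (vip_id) VALUES (?)", (vip_id,))


def add_policy(conn, policy_id, name):
    return _run(conn, "INSERT INTO ssl_policy (ssl_policy_id, ssl_policy_name, "
                      "front_end_enabled, back_end_enabled) VALUES (?, ?, 1, 0)",
                (policy_id, name))


def add_certificate(conn, cert_id, name, pem):
    return _run(conn, "INSERT INTO ssl_certificate (ssl_certificate_id, "
                      "ssl_certificate_name, certificate) VALUES (?, ?, ?)",
                (cert_id, name, pem))


def associate_policy(conn, vip_id, policy_id):
    """Second policy for the same VIP fails on the vip_id primary key."""
    return _run(conn, 'INSERT INTO vip_ssl_policy_assoc (vip_id, ssl_policy_id, '
                      'status, "desc") VALUES (?, ?, ?, ?)',
                (vip_id, policy_id, STATUS_ACTIVE, ""))


def associate_certificate(conn, vip_id, cert_id):
    return _run(conn, 'INSERT INTO vip_ssl_certificate_assoc (vip_id, '
                      'ssl_certificate_id, status, "desc") VALUES (?, ?, ?, ?)',
                (vip_id, cert_id, STATUS_ACTIVE, ""))


def delete_policy(conn, policy_id):
    """Fails while any VIP still references the policy (ON DELETE RESTRICT)."""
    return _run(conn, "DELETE FROM ssl_policy WHERE ssl_policy_id = ?", (policy_id,))


def delete_certificate(conn, cert_id):
    return _run(conn, "DELETE FROM ssl_certificate WHERE ssl_certificate_id = ?", (cert_id,))
```

Enforcing the protection in the schema means the API layer still has to translate the constraint failure into the "associated policies are deletion protected" message, but a bug or a direct DB edit can no longer leave a VIP pointing at a policy that no longer exists.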

DB Migration

No DB migration is needed

CLI changes

SSL Policy
  • neutron ssl-policy-create --front-end-termination type=dict enable=true protocols=SSLv3,TLSv1,TLSv1.1 cipher-suites=DES-CBC-SHA,EXP-DES-CBC-SHA --back-end-termination type=dict enabled=true protocols=SSLv3,TLSv1,TLSv1.1 cipher-suites=DES-CBC-SHA,EXP-DES-CBC-SHA --pass-info type=dict cipher=true bits=true policy name
  • neutron ssl-policy-update --policy_id --front-end-termination type=dict protocols=TLSv1,TLSv1.1
  • neutron ssl-policy-delete --policy_id
  • neutron ssl-policy-list
  • neutron ssl-policy-show --policy_id
SSL Certificate
  • neutron ssl-certificate-create --public-key CERTIFICATE-FILE <--private-key PRIVATE-KEY-FILE> <--passphrase PASSPHRASE> <--cert-chain INTERMEDIATE-KEY-FILE-1, INTERMEDIATE-KEY-FILE-2> certificate name
  • neutron ssl-certificate-update --certificate-id --cert-chain INTERMEDIATE-KEY-FILE-1, INTERMEDIATE-KEY-FILE-2, INTERMEDIATE-KEY-FILE-3
  • neutron ssl-certificate-delete --certificate_id
  • neutron ssl-certificate-list
  • neutron ssl-certificate-show --certificate_id
SSL Trusted Certificate
  • neutron ssl-trusted-certificate-create --key PUBLIC-KEY-FILE key name
  • neutron ssl-trusted-certificate-update --key-id --key PUBLIC-KEY-FILE
  • neutron ssl-trusted-certificate-delete --key-id
  • neutron ssl-trusted-certificate-list
  • neutron ssl-trusted-certificate-show --key_id
Vip SSL Association
  • neutron vip-ssl-associate --vip-id VIP-ID --ssl-policy-id my_policy_id --ssl-certificate type=dict certificate-id=google_cert_id private-key=PRIVATE-KEY-FILE-1 --ssl-trusted-certificate type=dict cert-id=KEY-ID-1
  • neutron vip-ssl-disassociate --vip-id VIP-ID
TODO: List of certificates and trusted certificates should be supported

Implementation Plan

  • Creating new extension called "ssl" with new SSL entities
  • Add new SSL entities CRUD API to the LBaaS Plugin
  • Add new DB entities and associations
  • Add unit testing for new SSL extension's resources
  • Add unit testing for new SSL DB mixin
  • Modifying LBaaS HA-Proxy driver to support SSL extension
  • Update HA-Proxy to version 1.5 {TBD}

Support Matrix

Columns: Protocols; Cipher suites; Certificate chain; FE client auth.; BE trusted cert.; BE client cert.; SNI

  • HAProxy 1.5
    • Protocols : SSLv3, TLSv1
    • Cipher suites : As OpenSSL
    • Certificate chain : Yes
    • FE client auth. : Yes
    • BE trusted cert. : No
    • BE client cert. : No
    • SNI : Yes
  • Amazon EC2
    • Protocols : SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    • Cipher suites : As OpenSSL
    • Certificate chain : Yes
    • FE client auth. : No
    • BE trusted cert. : Yes
    • BE client cert. : No
    • SNI : No
  • OpenStack
    • Protocols : SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    • Cipher suites : As OpenSSL
    • Certificate chain : Yes
    • FE client auth. : No
    • BE trusted cert. : Yes
    • BE client cert. : No
    • SNI : Yes