On 07/29/2011 01:20 PM, Jozef Zigmund wrote:
Hello everyone,
One of the goals of this iteration is Encryption.
What do we have at disposal right now ?
=========================
- We're using Public Key Infrastructure(PKI), where now we store SSL
cert of Conductor (it's self-signed).
- We generate SSL cert/key for Conductor in puppet recipe.
- We can generate certs for other parts in the same way.
- Conductor run on HTTPS by default in production environment.
What would we like to achieve in this iteration ?
=============================
* encrypt traffic between IWHD, Conductor, DC-API:
We expect that IWHD and DC-API will run on remote machines, so we
need to encrypt communication between those machines.
Is it need to add some gem(s) ?
====================
No it isn't. After discussion we don't assume that we need to add some
gem(s). Maybe it will be good to check Dmitri Pal suggestions (his
e-mail as reply to mmorsi's one w/ subject 'Iteration 4 Features')
What would we do to complete this goal ?
==========================
For Conductor side:
--------------------------
- revise the codes of communication with IWHD and DC-API.
For IWHD should be easy, now we are using hardcoded URL of this
service, thus we will fix it for HTTPS. We use RestClient for
communication with DC-API, so we will check how is possible (and it's
possible) to wrap RestClient request to secured mode.
For Infrastructure team:
--------------------------------
- generate SSL certs/keys for IWDH and DC-API,
- decide how to change off public certificates between services that
will run on remote machines.
Other notices
=========
- Michal Fojtik will handle option for 'deltacloudd', when we want to
run DC-API on HTTPS.
Please check if I mentioned all services, that we need to run them on
HTTPS and encrypt the traffic between them.
--
Jozef
_______________________________________________
aeolus-devel mailing list
aeolus-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/aeolus-devel
As it was proposed IPA can be the entity that would be responsible for
generating SSL certs for all the components. Also certmonger can be used
to track these certs and renew them.
The logic is the following.
1) When the solution is deployed IPA is installed first
2) All the hosts that the components will be running on are registered
with IPA using ipa-client-install. It can be done automatically by
precreating host entries in IPA and generating OTPs. These OTPs can then
be passed to thge scripts that would actually install a specific
component (IWHD, IF, Conductor etc.). The OTP will allo ipa-client to
register automatically. As a result you get a host cert.
3) On top you can create several services on a host and issue certs for
those.
4) You can configure certmonger to keep track of the certs and make sure
they are not going to expire.
5) Certs created by IPA would allow you to do client auth i.e. securely
connect from one service to another with mutual auth.
Also for cases where GSSAPI with Kerbers is used SSL is not required as
it will provide double encryption with no value.
I suggest we review the communication diagram next week before we
proceed with further discussion around the topic of encryption.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/