Run Yorc in Secured mode
To run Yorc in secured mode, the following steps have to be completed:
- Setup a secured Consul cluster
- Setup a secured Yorc server and configure it to use a secured Consul client
- Setup Alien4Cloud security and configure it to use the secured Yorc server
To secure the components listed above and enable TLS, Multi-Domain (SAN) certificates need to be generated. A short list of commands based on OpenSSL is provided below.
Generate SSL certificates with SAN
The SSL certificates you will generate need to be signed by a Certificate Authority. You may already have one; otherwise, create it using the OpenSSL commands below:
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -sha256 -out ca.pem
Generate certificates signed by your CA
You need to generate certificates for all the software components to be secured (Consul, Yorc, Alien4Cloud).
Use the commands below for each component instance (where <IP> represents the host's IP address used to connect to it):
openssl genrsa -out comp.key 4096
openssl req -new -sha256 -key comp.key -subj "/C=FR/O=Atos/CN=127.0.0.1" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:127.0.0.1,IP:<IP>,DNS:localhost")) -out comp.csr
openssl x509 -req -in comp.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out comp.pem -days 2048 -extensions SAN -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:127.0.0.1,IP:<IP>,DNS:localhost"))
In the sections below, the comp.key and comp.pem files are used to define the different components' configuration.
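The certificate generation above, as an added example that is not part of the Yorc documentation: a script that creates the CA, issues a SAN certificate for one component, and checks both the chain and the SAN before the files go into a Consul or Yorc configuration. It assumes openssl is on PATH, takes the CA passphrase via -passout/-passin so it runs unattended, writes the [SAN] section to a file instead of using process substitution, and uses the component name as CN; paths, IPs and passphrases are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not part of the Yorc documentation): generate the CA and a
# SAN certificate for one component, then verify the chain and the SAN before
# wiring the files into a Consul or Yorc configuration.
# Assumptions: openssl is on PATH; the CA key passphrase is supplied through
# -passout/-passin so the script runs non-interactively; the [SAN] section is
# written to a file instead of the process substitution used on the page; the
# certificate CN is the component name. Paths, IPs and passphrases are placeholders.
set -eu

# Create a passphrase-protected CA key and a self-signed CA certificate.
make_ca() {
  local dir=$1 pass=$2
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key "$dir/ca.key" -passin "pass:$pass" \
    -subj "/C=FR/O=Atos/CN=Example CA" -out "$dir/ca.pem" 2>/dev/null
}

# Issue a component certificate whose SAN covers loopback, the host IP and
# localhost, signed by the CA created above.
make_component_cert() {
  local dir=$1 pass=$2 name=$3 ip=$4
  local ext="$dir/$name.ext"
  printf '[SAN]\nsubjectAltName=IP:127.0.0.1,IP:%s,DNS:localhost\n' "$ip" > "$ext"
  openssl genrsa -out "$dir/$name.key" 4096 2>/dev/null
  openssl req -new -sha256 -key "$dir/$name.key" -subj "/C=FR/O=Atos/CN=$name" \
    -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -passin "pass:$pass" -CAcreateserial -days 365 -sha256 \
    -extensions SAN -extfile "$ext" -out "$dir/$name.pem" 2>/dev/null
}

# Return 0 only if the certificate chains to the CA and its SAN lists the
# expected host IP; a missing IP is the usual cause of TLS handshake errors
# when agents connect by address rather than by name.
verify_component_cert() {
  local dir=$1 name=$2 ip=$3
  openssl verify -CAfile "$dir/ca.pem" "$dir/$name.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$name.pem" -noout -text | grep -qF "IP Address:$ip,"
}

# Stand-alone usage: build a CA and a Consul agent certificate in a temp dir.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_ca "$work" "change-me"
  make_component_cert "$work" "change-me" consul 10.0.0.5
  verify_component_cert "$work" consul 10.0.0.5 && echo "consul.pem OK in $work"
fi
```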
Secured Consul cluster Setup
Create a consul.key and consul.pem for all the Consul agents within the Consul cluster you set up:
- the servers (you may need 3 servers for HA),
- and the clients (you need one client on each host where a Yorc server is running).
Use the above commands and replace <IP> and <SERVER_IP> by the host's IP address.
Check the Consul documentation for details about agent configuration and network traffic encryption.
You may find below a typical configuration file for a Consul server:
{
  "domain": "starlings",
  "data_dir": "/tmp/work",
  "client_addr": "0.0.0.0",
  "advertise_addr": "{SERVER_IP}",
  "server": true,
  "bootstrap": true,
  "encrypt": "{ENCRYPT_KEY}",
  "ports": {
    "https": 8543
  },
  "key_file": "{PATH_TO_CONSUL_SERVER_KEY}",
  "cert_file": "{PATH_TO_CONSUL_SERVER_PEM}",
  "ca_file": "{PATH_TO_CA_PEM}",
  "verify_incoming": true,
  "verify_outgoing": true
}
And below, one for a Consul client:
{
  "domain": "starlings",
  "data_dir": "/tmp/work",
  "client_addr": "0.0.0.0",
  "advertise_addr": "{IP}",
  "ui": true,
  "retry_join": [ "{SERVER_IP}" ],
  "encrypt": "{ENCRYPT_KEY}",
  "ports": {
    "https": 8543
  },
  "key_file": "{PATH_TO_CONSUL_CLIENT_KEY}",
  "cert_file": "{PATH_TO_CONSUL_CLIENT_PEM}",
  "ca_file": "{PATH_TO_CA_PEM}",
  "verify_incoming_rpc": true,
  "verify_outgoing": true
}
You can also consult this blog, where you may find useful information about how to install the CA certificate in the OS, in case you get errors about trusting the signing authority.
Secured Yorc Setup
Create a yorc-server.key and yorc-server.pem using the above commands and replace <IP> by the host's IP address.
Below is an example of a configuration file with TLS enabled, using the co-located and secured Consul client.
{
  "consul": {
    "ssl": "true",
    "ca_cert": "{PATH_TO_CA_PEM}",
    "key_file": "{PATH_TO_CONSUL_CLIENT_KEY}",
    "cert_file": "{PATH_TO_CONSUL_CLIENT_PEM}",
    "address": "127.0.0.1:8543"
  },
  "resources_prefix": "yorc1-",
  "key_file": "{PATH_TO_YORC_SERVER_KEY}",
  "cert_file": "{PATH_TO_YORC_SERVER_PEM}",
  "ssl_verify": true,
  "infrastructures": {
    "openstack": {
      "auth_url": "https://your-openstack:{OPENSTACK_PORT}/v2.0",
      "tenant_name": "your-tenant",
      "user_name": "os-user",
      "password": "os-password",
      "private_network_name": "default-private-network",
      "default_security_groups": ["default"]
    }
  }
}
As with Consul, you may need to install the CA certificate in the OS, in case you get errors about trusting the signing authority.
Secured Yorc CLI Setup
If ssl_verify is enabled for the Yorc server, the Yorc CLI has to provide a client certificate signed by Yorc's Certificate Authority.
So, create a yorc-client.key and yorc-client.pem using the above commands and replace <IP> by the host's IP address.
Below is an example of a configuration file with TLS enabled. Refer to Yorc Client CLI Configuration for more information.
{
  "key_file": "{PATH_TO_YORC_CLIENT_KEY}",
  "cert_file": "{PATH_TO_YORC_CLIENT_PEM}",
  "ca_file": "{PATH_TO_CA_PEM}",
  "yorc_api": "<YORC_SERVER_IP>:8800"
}
Setup Alien4Cloud security
See the corresponding chapter in the Alien4Cloud plugin documentation.