Run Yorc in Secured mode

To run Yorc in secured mode, the following issues have to be addressed:

  • Setup a secured Consul cluster
  • Setup a secured Yorc server and configure it to use a secured Consul client
  • Setup Alien4Cloud security and configure it to use a secured Yorc server

In the case of Yorc HA setup (see High level view of a typical HA installation), all the Yorc servers composing the cluster need to be secured.

To secure the components listed above, and enable TLS, Multi-Domain (SAN) certificates need to be generated. A short list of commands based on openSSL is provided below.

Generate SSL certificates with SAN

The SSL certificates you will generate need to be signed by a Certificate Authority. You might already have one, otherwise, create it using OpenSSL commands below:

openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -sha256 -out ca.pem

Generate certificates signed by your CA

You need to generate certificates for all the software component to be secured (Consul agents, Yorc servers, Alien4Cloud).

Use the commands below for each component instance (where <IP> represents IP address used to connect to the component). Replace comp by a string of your choise corresponding to the components to be secured.

openssl genrsa -out comp.key 4096
openssl req -new -sha256 -key comp.key  -subj "/C=FR/O=Atos/CN=127.0.0.1" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:127.0.0.1,IP:<IP>,DNS:localhost")) -out comp.csr
openssl x509 -req -in comp.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out comp.pem -days 2048 -extensions SAN -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:127.0.0.1,IP:<IP>,DNS:localhost"))

In the sections below, the comp.key and comp.pem files path are used in the components’ configuration file.

Secured Consul cluster Setup

Note

You need to generate certificates for all the Consul agents within the Consul cluster you setup.

In a High Availability cluster, you need to setup at least 3 consul servers, and one consul client on each host where a Yorc server is running.

Check Consul documentation for details about agent’s configuration.

You may find below a typical configuration file for a consul server ; to be updated after having generated the consul_server.key and consul_server.pem files.

{
    "domain": "yorc",
    "data_dir": "/tmp/work",
    "client_addr": "0.0.0.0",
    "advertise_addr": "{SERVER_IP}",
    "server": true,
    "bootstrap": true,
    "ui": true,
    "encrypt": "{ENCRYPT_KEY},
    "ports": {
        "https": 8543
    },
    "key_file": "{PATH_TO_CONSUL_SERVER_KEY}",
    "cert_file": "{PATH_TO_CONSUL_SERVER_PEM}",
    "ca_file": "{PATH_TO_CA_PEM}",
    "verify_incoming": true,
    "verify_outgoing": true
}

And below, a typical configuration file for a consul client.

{
  "domain": "yorc",
  "data_dir": "/tmp/work",
  "client_addr": "0.0.0.0",
  "advertise_addr": "{IP}",
  "retry_join": [ "{SERVER_IP}" ],
  "encrypt": "{ENCRYPT_KEY},
  "ports": {
    "https": 8543
  },
  "key_file": "{PATH_TO_CONSUL_CLIENT_KEY}",
  "cert_file": "{PATH_TO_CONSUL_CLIENT_PEM}",
  "ca_file": "{PATH_TO_CA_PEM}",
  "verify_incoming_rpc": true,
  "verify_outgoing": true
}

In the above example, the encryption is enabled for the gossip traffic inside the Consul cluster. Check Consul documentation for details network traffic encryption.

You can also consult this Blog. You may found useful information about how to install CA certificate in the OS, in case you get errors about trusting the signing authority.

Secured Yorc Setup

Generate a yorc_server.key and yorc_server.pem using the above commands and replace <IP> by the host’s IP address.

Bellow is an example of configuration file with TLS enabled and using the collocated and secured Consul client.

{
    "consul": {
        "ssl": "true",
        "ca_cert": "{PATH_TO_CA_PEM}",
        "key_file": "{PATH_TO_CONSUL_CLIENT_KEY}",
        "cert_file": "{PATH_TO_CONSUL_CLIENT_PEM}",
        "address": "127.0.0.1:8543"
    },
    "resources_prefix": "yorc1-",
    "key_file": "{PATH_TO_YORC_SERVER_KEY}",
    "cert_file": "{PATH_TO_YORC_SERVER_PEM}",
    "ca_file": "{PATH_TO_CA_PEM}",
    "ssl_verify": true,
    "locations_file_path": "path-to-locations-yaml-or-json-config"
}

In the above example SSL verification is enabled for Yorc (ssl_verify set to true). In this case, the Consul Agent must be enabled to use TLS configuration files for HTTP health checks. Otherwise, the TLS handshake may fail. You can find below the Consul agent’s configuration:

{
  "domain": "yorc",
  "data_dir": "/tmp/work",
  "client_addr": "0.0.0.0",
  "advertise_addr": "{IP}",
  "ui": true,
  "retry_join": [ "{SERVER_IP}" ],
  "encrypt": "{ENCRYPT_KEY}",
  "ports": {
    "https": 8543
  },
  "key_file": "{PATH_TO_CONSUL_CLIENT_KEY}",
  "cert_file": "{PATH_TO_CONSUL_CLIENT_PEM}",
  "ca_file": "{PATH_TO_CA_PEM}",
  "enable_agent_tls_for_checks": true,
  "verify_incoming_rpc": true,
  "verify_outgoing": true
}

As for Consul, you may need to install CA certificate in the OS, in case you get errors about trusting the signing authority.

Secured Yorc CLI Setup

If ssl_verify is enabled for Yorc server, the Yorc CLI have to provide a client certificate signed by the Yorc’s Certificate Authority.

So, create a yorc_client.key and yorc_client.pem using the above commands and replace <IP> by the host’s IP address.

Bellow is an example of configuration file with TLS enabled. Refer to Yorc Client CLI Configuration for more information.

{
    "key_file": "{PATH_TO_YORC_CLIENT_KEY}",
    "cert_file": "{PATH_TO_YORC_CLIENT_PEM}",
    "ca_file": "{PATH_TO_CA_PEM}",
    "yorc_api": "<YORC_SERVER_IP>:8800"
}

Setup Alien4Cloud security

See the corresponding Chapter in Alien4Cloud plugin documentation