Server Manager support for tls certificate and key distribution

Bug #1522597 reported by Nipa
This bug affects 1 person
Affects             Status          Importance   Assigned to        Milestone
Juniper Openstack   (status tracked in Trunk)
  R3.0              Fix Committed   Critical     prasad miriyala
  Trunk             Fix Committed   Critical     prasad miriyala

Bug Description

Server Manager will need to act as an interim CA during the provisioning phase and generate a key and cert for each of the physical servers
listed in testbed.py.

Server Manager needs to generate the following three files and copy them to each of the servers:
1) /etc/contrail/ssl/private/server.key - A unique private key needs to be generated and stored at the default location on the server.
2) /etc/contrail/ssl/certs/server.pem -
        a) This is the certificate of the physical server, generated using the hostname (FQDN) in testbed.py.
        b) Server Manager will need to sign the server certificate, generate server.pem and store it at the default location.
3) /etc/contrail/ssl/certs/ca-cert.pem -
        This is the Server Manager certificate that will be used by servers to verify that certificates were issued by a trusted CA.
        The certificate is generated and stored at the default location.

In addition, Server Manager also needs to support a CRL (Certificate Revocation List), i.e. when a node is removed from
testbed.py the certs will need to be removed from the default location.

The following commands were used to generate the keys and certs and to sign them with the CA
================================================================

Step 1: Generate a private key for the rootCA
==========================================
openssl genrsa -out rootCA.key 1024

Step 2: Generate a self-signed rootCA certificate
=================================================
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
(Install rootCA.pem on all nodes as cacert.pem.)

Step 3: Generate a private key for each of the nodes
===================================================
openssl genrsa -out server_a6s17.key 1024

Step 4: Generate a CSR (Certificate Signing Request) which you will send to the CA
=============================================================================
openssl req -new -key server_a6s17.key -out server_a6s17.csr

Step 5: Generate a rootCA-signed certificate
==============================================
openssl x509 -req -in server_a6s17.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server_a6s17.pem -days 365

Verify contents of certificate
==============================
openssl x509 -noout -text -in server.pem
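
The procedure above carried through end to end, as an added example; this is neither Server Manager's code nor the reporter's, only the openssl CLI is assumed, and the work directory, the sm_* function names and the node names a6s17.example.test / a6s18.example.test are constructed for the example. It departs from the listed commands where a practitioner would: 2048-bit keys instead of 1024 (1024-bit RSA has been below the NIST minimum since 2014 and is rejected by many current TLS stacks); the FQDN goes into a subjectAltName rather than only the CN, because hostname verification matches on SANs; the CA extensions are fixed on the CA side so a CSR cannot obtain CA:TRUE; and issued certs are tracked in an openssl ca(1) database so that a node dropped from the inventory can actually be revoked. That last point is the check the description's CRL wording glosses over: deleting the files from a retired node does not invalidate a key and cert that were already copied elsewhere, only a CA-signed CRL that peers check does.

```sh
#!/bin/sh
# Added example, not Server Manager code: an interim CA driven only by the
# openssl CLI. Paths live under a work directory ($1) instead of
# /etc/contrail/ssl so it runs unprivileged; node names are constructed.
set -e

# One-time CA setup: the ca(1) database plus a 2048-bit key and a self-signed
# CA cert restricted to signing certificates and CRLs.
sm_ca_init() {                              # $1 = work dir
  mkdir -p "$1/newcerts" "$1/private" "$1/certs" "$1/nodes"
  : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = sm_ca
[ sm_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/certs/ca-cert.pem
private_key      = \$dir/private/rootCA.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = sm_policy
x509_extensions  = node_ext
copy_extensions  = copy
unique_subject   = no
[ sm_policy ]
commonName       = supplied
[ node_ext ]
# Fixed by the CA, so a CSR can only contribute its SAN, never CA:TRUE.
basicConstraints = critical,CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext
[ ca_dn ]
CN = server-manager-interim-ca
[ ca_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage         = critical,keyCertSign,cRLSign
EOF
  (umask 077; openssl genrsa -out "$1/private/rootCA.key" 2048 2>/dev/null)
  openssl req -x509 -new -sha256 -days 1024 -key "$1/private/rootCA.key" \
    -config "$1/ca.cnf" -out "$1/certs/ca-cert.pem"
}

# Per-node issuance: key, CSR with the FQDN as a DNS SAN, CA-signed cert and a
# copy of the CA cert: the server.key / server.pem / ca-cert.pem trio above.
sm_issue_node() {                           # $1 = work dir, $2 = node FQDN
  n="$1/nodes/$2"; mkdir -p "$n"
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n' > "$n/req.cnf"
  printf '[ dn ]\nCN = %s\n[ ext ]\nsubjectAltName = DNS:%s\n' "$2" "$2" >> "$n/req.cnf"
  (umask 077; openssl genrsa -out "$n/server.key" 2048 2>/dev/null)
  openssl req -new -key "$n/server.key" -config "$n/req.cnf" -out "$n/server.csr"
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$n/server.csr" \
    -out "$n/server.pem" 2>/dev/null
  cp "$1/certs/ca-cert.pem" "$n/ca-cert.pem"
}

# What a peer such as control-node effectively checks: the chain ends at the
# interim CA and the presented name matches the SAN. Exit 0 = trusted.
sm_verify_node() {                          # $1 = work dir, $2 = node FQDN
  openssl verify -CAfile "$1/certs/ca-cert.pem" -verify_hostname "$2" \
    "$1/nodes/$2/server.pem" >/dev/null 2>&1
}

# Revocation is a CA action: mark the serial revoked and sign a fresh CRL.
# Deleting the files on a retired node revokes nothing.
sm_revoke_node() {                          # $1 = work dir, $2 = node FQDN
  openssl ca -config "$1/ca.cnf" -revoke "$1/nodes/$2/server.pem" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/certs/ca-crl.pem" 2>/dev/null
}

# As sm_verify_node, but also consulting the CRL. Exit 0 = still valid.
sm_verify_node_crl() {                      # $1 = work dir, $2 = node FQDN
  openssl verify -crl_check -CAfile "$1/certs/ca-cert.pem" \
    -CRLfile "$1/certs/ca-crl.pem" -verify_hostname "$2" \
    "$1/nodes/$2/server.pem" >/dev/null 2>&1
}

# Stand-alone run: two constructed nodes, then one is dropped from the inventory.
sm_demo() {
  w=$(mktemp -d)
  sm_ca_init "$w"
  sm_issue_node "$w" a6s17.example.test
  sm_issue_node "$w" a6s18.example.test
  sm_verify_node "$w" a6s17.example.test && echo "a6s17: trusted"
  sm_revoke_node "$w" a6s18.example.test
  sm_verify_node_crl "$w" a6s18.example.test || echo "a6s18: revoked by CRL"
  sm_verify_node_crl "$w" a6s17.example.test && echo "a6s17: still valid"
  rm -rf "$w"
}
sm_demo
```

In a real deployment the per-node server.key would be installed as /etc/contrail/ssl/private/server.key with mode 0600 and server.pem and ca-cert.pem under /etc/contrail/ssl/certs, as the description lays out; the CRL only has an effect if the peers that validate the cert are also given it (the -crl_check path above), so removing a node from testbed.py should trigger sm_revoke_node-style CRL regeneration and distribution, not just file deletion.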

Tags: blocker
Nipa (nipak)
Changed in juniperopenstack:
importance: Undecided → Critical
assignee: nobody → prasad miriyala (pmiriyala)
milestone: none → r3.0-fcs
tags: added: blocker
Revision history for this message
Nipa (nipak) wrote :

In case the server-manager and the server are the same, we will generate two separate private keys, and all keys and certs related to
server-manager will be stored under /root.

description: updated
description: updated
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/15773
Submitter: prasad miriyala (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/15812
Submitter: prasad miriyala (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/15814
Submitter: prasad miriyala (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/15861
Submitter: prasad miriyala (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/15863
Submitter: Abhay Joshi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/15861
Committed: http://github.org/Juniper/contrail-server-manager/commit/a2f38114704f093fd0c6e144ab7d711a992cf39f
Submitter: Zuul
Branch: master

commit a2f38114704f093fd0c6e144ab7d711a992cf39f
Author: Prasad Miriyala <email address hidden>
Date: Wed Dec 16 12:01:41 2015 -0800

Partial-Bug: #1522597, Server Manager support for tls certificate and key distribution
- committing cert utility files to avoid package dependency

Change-Id: I69ac4026b81aa06616a045798e011671e89e67b9

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/15868
Submitter: prasad miriyala (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/15863
Committed: http://github.org/Juniper/contrail-puppet/commit/050e6b16983d0705f06a077359f78aba3b856957
Submitter: Zuul
Branch: master

commit 050e6b16983d0705f06a077359f78aba3b856957
Author: Abhay Joshi <email address hidden>
Date: Wed Dec 16 17:12:58 2015 -0800

Partial-Bug: #1522597
Puppet side changes to provide authenticated XMPP communication between
agent and control nodes using certificates.

Change-Id: Ie4c16b462f702319025f5f4ae7d8dd8ea8977bb9

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/15868
Committed: http://github.org/Juniper/contrail-packaging/commit/c192a74cec4f13b6435a45c70e1540863bff074a
Submitter: Zuul
Branch: master

commit c192a74cec4f13b6435a45c70e1540863bff074a
Author: Prasad Miriyala <email address hidden>
Date: Wed Dec 16 22:49:44 2015 -0800

Partial-Bug: #1522597, Packaging modification for Server Manager tls certificate and key distribution

Change-Id: Ia0e5d464dc50771f0c845632eb79e8a3dda08ec3

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/15882
Submitter: prasad miriyala (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/15882
Committed: http://github.org/Juniper/contrail-server-manager/commit/30f90d4ab82a1c0c17420623d6794b570e70e358
Submitter: Zuul
Branch: master

commit 30f90d4ab82a1c0c17420623d6794b570e70e358
Author: Prasad Miriyala <email address hidden>
Date: Thu Dec 17 14:45:10 2015 -0800

Closes-Bug: #1522597, Server Manager support for tls certificate and key distribution
- enable server manager code to generate certs
- fix default names to match with puppet code
- Add fileserver.conf to support puppet cert link point

Change-Id: I14e7ff379ba0d6f3c3ace980ac5884450a658821

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/16323
Submitter: Abhay Joshi (<email address hidden>)

Revision history for this message
Nipa (nipak) wrote :

Hi Prasad/Abhay,

  1) Agent has two flags to be set in order to enable SSL-based cert exchange with each of the other daemons, i.e. control-node and dns-server:
     xmpp_auth_enable=true (SSL-based certificate exchange with control-node)
     xmpp_dns_auth_enable=true (SSL-based certificate exchange with dns-server)
  2) control-node has a flag to enable authentication, i.e. "xmpp_auth_enable=true"
  3) dns-server has a flag to enable authentication, i.e. "xmpp_auth_enable=true"

As discussed, let us generate certs and copy them to the default location irrespective of the above flags. Please note that in future other daemons will
also enable SSL-based authentication and will use the same cert; we will only use a flag for each of the daemons to enable authentication.

-nipa

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/16323
Submitter: Abhay Joshi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/16431
Submitter: Abhay Joshi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/16432
Submitter: Abhay Joshi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/16431
Submitter: Abhay Joshi (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/16432
Committed: http://github.org/Juniper/contrail-server-manager/commit/f6ba01a6463fa16c329881c8e93dfdcc52c50ed5
Submitter: Zuul
Branch: master

commit f6ba01a6463fa16c329881c8e93dfdcc52c50ed5
Author: Abhay Joshi <email address hidden>
Date: Fri Jan 22 14:32:52 2016 -0800

Closes-Bug: #1522597
Added one more flag for xmpp auth - xmpp_dns_auth_enable.

Change-Id: I2f8b1e6ecfbe7e9e970eb3b9e4805f09b2a9cf55

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/16431
Committed: http://github.org/Juniper/contrail-puppet/commit/631086ba665e91c398465ec1788ef0dc912cf5d8
Submitter: Zuul
Branch: master

commit 631086ba665e91c398465ec1788ef0dc912cf5d8
Author: Abhay Joshi <email address hidden>
Date: Tue Jan 26 07:49:36 2016 -0800

Closes-Bug: #1522597
1. One additional flag - xmpp_dns_auth_enable added.
2. creation of cert files made regardless of flag setting.

Change-Id: I9fe44493a88dfa1d1cd1f0ea21ef5e6e982c0332

Revision history for this message
prasad miriyala (pmiriyala) wrote :

Sample cluster json

root@a6s11:~# more /tmp/cluster.json
{
    "cluster": [
        {
            "id": "cluster_id",
            "parameters": {
                "xmpp_auth_enable": true,
                "xmpp_dns_auth_enable": true
            }
        }
    ]
}

Using the server-manager client, modify the cluster using the above sample json.

#1
Modify the cluster parameters:
server-manager add cluster -f /tmp/cluster.json

#2
Then provision the cluster for the change to take effect:
server-manager provision --cluster_id <cluster_id> <contrail package id>

Revision history for this message
prasad miriyala (pmiriyala) wrote :

root@a6s11:~# more /tmp/cluster.json
{
    "cluster": [
        {
            "id": "cluster_id",
            "parameters": {
                "xmpp_auth_enable": "true",
                "xmpp_dns_auth_enable": "true"
            }
        }
    ]
}

#1
To modify cluster with xmpp auth parameters
server-manager add cluster -f /tmp/cluster.json

#2
To provision cluster
server-manager provision --cluster_id <cluster id> <contrail pkg id>

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/18181
Submitter: Nipa Kumar (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/18287
Submitter: Nipa Kumar (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/18181
Committed: http://github.org/Juniper/contrail-controller/commit/0f069388f2833d64175a9c81a7cc9a531129fb4e
Submitter: Zuul
Branch: master

commit 0f069388f2833d64175a9c81a7cc9a531129fb4e
Author: Nipa Kumar <email address hidden>
Date: Fri Mar 4 12:31:21 2016 -0800

Provide hints for flags to be configured in respective daemon .conf files.

Change-Id: Id378f09eaf6efcaa4b3ea6aaecbbcbb89f879003
Closes-Bug:1522597

Changed in juniperopenstack:
milestone: r3.0-fcs → r3.1.0.0-fcs
Changed in juniperopenstack:
milestone: none → r3.1.0.0-fcs
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/18287
Committed: http://github.org/Juniper/contrail-controller/commit/474e678df27ef445cd6eb1d33720fcb5cefe119c
Submitter: Zuul
Branch: R3.0

commit 474e678df27ef445cd6eb1d33720fcb5cefe119c
Author: Nipa Kumar <email address hidden>
Date: Fri Mar 4 12:31:21 2016 -0800

Provide hints for flags to be configured in respective daemon .conf files.

Change-Id: Id378f09eaf6efcaa4b3ea6aaecbbcbb89f879003
Closes-Bug:1522597

information type: Proprietary → Public