Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Encryption Between Analytics API Servers and Client Servers

 

Contrail Networking Release 1910 supports SSL encryption for the connection between Analytics API servers and Client servers. The Client servers are Service Monitor and Contrail Command, which connects to the Analytics API server through the REST API Port. In releases prior to release 1910, the connection between Analytics API servers and the Client servers was not encrypted, which could pose a security threat.

SSL encryption is supported in Contrail Networking Release 1910 only when Contrail Networking is deployed with Red Hat OpenStack Platform (RHOSP). In the RHOSP deployment, a global flag is added, which determines the status of the SSL encryption.

If the global flag is enabled:

  • You do not have to modify the configuration files as SSL encryption is automatically enabled.

  • You must modify the configuration files if you want to disable SSL encryption.

If the global flag is disabled:

  • You do not have to modify the configuration files as SSL encryption is automatically disabled.

  • You cannot enable SSL encryption, even if you modify the configuration files. The certificates are not generated during deployment as the global flag is disabled.

The configuration files are contrail-analytics-api.conf, contrail-svc-monitor.conf, and command_servers.yml. In the configuration files, modify the following parameters in the Table 1 below to enable or disable SSL based encryption:

Table 1: SSL Encryption Parameters

Parameters

Description

Default

analytics_api_ssl_enable

Enables or disables support for SSL encryption between Analytics API server and Client server.

If the value is assigned TRUE: Support for SSL encryption is enabled.

If the value is assigned FALSE: Support for SSL encryption is not enabled and the Analytics API server does not accept HTTPS requests.

analytics_api_insecure_enable

Enables or disables support for required certificates in HTTPS requests.

If the value is assigned TRUE: HTTPS connection is supported without the certificates.

If the value is assigned FALSE: HTTPS connection is not supported without the certificates.

analytics_api_ssl_keyfile

Path to the node’s private key.

/etc/contrail/ssl/private/server-privkey.pem

analytics_api_ssl_certfile

Path to the node's public certificate.

/etc/contrail/ssl/certs/server.pem

analytics_api_ssl_ca_cert

Path to the CA certificate

/etc/ipa/ca.crt

Once these parameters are configured, the Analytics API server starts using SSL certificates, which enables SSL encryption support for connection between Analytics API servers and Client servers.

Release History Table
Release
Description
Contrail Networking Release 1910 supports SSL encryption for the connection between Analytics API servers and Client servers.