
Certificate Lifecycle Management Using Red Hat Identity Management


Contrail Networking Release 5.1 supports using Transport Layer Security (TLS) with RHOSP to perform lifecycle management, including renewal, expiration, and revocation, of certificates using Red Hat Identity Management (IdM). Because IdM uses fully qualified domain names (FQDNs) to manage endpoints instead of IP addresses, Contrail Networking services are also enhanced to use FQDNs.

Prior to Contrail Networking Release 5.1, lifecycle management of certificates was done manually.

Fully Qualified Domain Names

Contrail Networking Release 5.1 is integrated with IdM to perform lifecycle management of certificates. Contrail Networking services are also enhanced to use FQDNs in the following scenarios:

  • Establishing connections between Contrail Networking components

  • FQDNs are passed as input parameters to the Contrail Docker containers instead of IP addresses

  • Contrail TripleO Heat Templates pass FQDNs instead of IP addresses for the configuration of Contrail Networking containers only when TLS is enabled. You can configure TripleO Heat Templates to pass FQDNs without TLS by setting the contrail_nodes_param_suffux: 'node_names' option.

  • Certificates are issued for every Contrail Networking node and stored in the /etc/contrail/ssl folder which is mounted on all Docker containers

Performing Lifecycle Management of Certificates using Identity Management

Perform the following steps to install the IdM server and manage certificates.

  1. Deploy and configure IdM server.

    For information on installing an IdM server, see Installing an IdM Server: Introduction.

  2. Before deploying the undercloud, set up the novajoin plugin on the undercloud node.

    $ sudo yum install python-novajoin
    $ sudo /usr/libexec/novajoin-ipa-setup \
        --principal admin \
        --password <IdM admin password> \
        --server <IdM server hostname> \
        --realm <overcloud cloud domain (in upper case)> \
        --domain <overcloud cloud domain> \
        --hostname <undercloud hostname> \
        --precreate

  3. Prepare the undercloud configuration.
  4. Check if firewalld is enabled on the IPA (Identity, Policy, Audit) server and the required ports are allowed.

    If firewalld is not installed, the undercloud installation will fail. To install firewalld, use the following command:

  5. Deploy the undercloud.
  6. (Optional) Check the following services:
  7. Configure overcloud DNS and overcloud domain names.
  8. Add overcloud domain names to the contrail-net.yaml environment file.
  9. Deploy overcloud with the following environment files.

    The contrail-net.yaml, enable-internal-tls.yaml, tls-everywhere-endpoints-dns.yaml, haproxy-internal-tls-certmonger.yaml, and haproxy-public-tls-certmonger.yaml files enable TLS.

  10. Check that the host is added to the IPA server.
  11. View the list of monitored certificates on an overcloud node.
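As an added example that is not part of this documentation, the following script parses the output of certmonger's getcert list (the command behind step 11) and flags tracked certificates that are not in MONITORING state, are stuck, have auto-renew disabled, or expire within a warning window. The sample output, request IDs, hostnames and file paths embedded below are constructed for illustration and are not taken from a real deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `getcert list` output (not captured from a real node).
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20240101000000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/contrail/ssl/private/server-privkey.pem'
\tcertificate: type=FILE,location='/etc/contrail/ssl/certs/server.pem'
\tCA: IPA
\tsubject: CN=ctrl-0.internalapi.example.test,O=EXAMPLE.TEST
\texpires: 2025-03-01 00:00:00 UTC
\tdns: ctrl-0.internalapi.example.test
\ttrack: yes
\tauto-renew: yes
Request ID '20240101000001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/haproxy.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/haproxy.crt'
\tCA: IPA
\tsubject: CN=overcloud.example.test,O=EXAMPLE.TEST
\texpires: 2026-01-01 00:00:00 UTC
\tdns: overcloud.example.test
\ttrack: yes
\tauto-renew: yes
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per request."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records

def find_problems(text, today, warn_days=30):
    """Return (request id, reason) pairs; `today` is 'YYYY-MM-DD' so checks are reproducible."""
    now, problems = datetime.strptime(today, "%Y-%m-%d"), []
    for r in parse_getcert(text):
        if r.get("status") != "MONITORING" or r.get("stuck") == "yes":
            problems.append((r["id"], "status %s (stuck=%s)" % (r.get("status"), r.get("stuck"))))
            continue  # renewal is not progressing; expiry check is secondary
        if r.get("auto-renew") != "yes":
            problems.append((r["id"], "auto-renew disabled"))
        expires = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z")
        if expires - now <= timedelta(days=warn_days):
            problems.append((r["id"], "expires %s" % r["expires"]))
    return problems
```

On a real node, feed the script the output of sudo getcert list instead of SAMPLE and alert on any non-empty result.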