Encryption Between Analytics API Servers and Client Servers
Contrail Networking Release 1910 supports SSL encryption for the connection between Analytics API servers and Client servers. The Client servers are Service Monitor and Contrail Command, which connects to the Analytics API server through the REST API Port. In releases prior to release 1910, the connection between Analytics API servers and the Client servers was not encrypted, which could pose a security threat.
SSL encryption is supported in Contrail Networking Release 1910 only when Contrail Networking is deployed with Red Hat OpenStack Platform (RHOSP). In the RHOSP deployment, a global flag is added, which determines the status of the SSL encryption.
If the global flag is enabled:
You do not have to modify the configuration files as SSL encryption is automatically enabled.
You must modify the configuration files if you want to disable SSL encryption.
If the global flag is disabled:
You do not have to modify the configuration files as SSL encryption is automatically disabled.
You cannot enable SSL encryption, even if you modify the configuration files. The certificates are not generated during deployment as the global flag is disabled.
The configuration files are contrail-analytics-api.conf, contrail-svc-monitor.conf, and command_servers.yml. In the configuration files, modify the following parameters in the Table 1 below to enable or disable SSL based encryption:
Table 1: SSL Encryption Parameters
Enables or disables support for SSL encryption between Analytics API server and Client server.
If the value is assigned TRUE: Support for SSL encryption is enabled.
If the value is assigned FALSE: Support for SSL encryption is not enabled and the Analytics API server does not accept HTTPS requests.
Enables or disables support for required certificates in HTTPS requests.
If the value is assigned TRUE: HTTPS connection is supported without the certificates.
If the value is assigned FALSE: HTTPS connection is not supported without the certificates.
Path to the node’s private key.
Path to the node's public certificate.
Path to the CA certificate
Once these parameters are configured, the Analytics API server starts using SSL certificates, which enables SSL encryption support for connection between Analytics API servers and Client servers.