Configuring Secure Sandesh and Introspect for Contrail Analytics
Configuring Secure Sandesh Connection
All Contrail services use Sandesh, a southbound interface protocol based on Apache Thrift, to send analytics data such as system logs, object logs, UVEs, flow logs, and the like, to the collector service in the Contrail Analytics node. The Transport Layer Security (TLS) protocol is used for certificate exchange, mutual authentication, and negotiating ciphers to secure the Sandesh connection from potential tampering and eavesdropping.
To configure a secure Sandesh connection, configure the following parameters in all Contrail services that connect to the collector (Sandesh clients) and the Sandesh server.
Parameter |
Description |
Default |
|---|---|---|
|
Path to the node's private key |
/etc/contrail/ssl/private/server-privkey.pem |
|
Path to the node's public certificate |
/etc/contrail/ssl/certs/server.pem |
|
Path to the CA certificate |
/etc/contrail/ssl/certs/ca-cert.pem |
|
Enable or disable secure Sandesh connection |
false |
Configuring Secure Introspect Connection
All Contrail services are embedded with a web server that can be used to query the internal state of the data structures, view trace messages, and perform other extensive debugging. The Transport Layer Security (TLS) protocol is used for certificate exchange, mutual authentication, and negotiating ciphers to secure the introspect connection from potential tampering and eavesdropping.
To configure a secure introspect connection, configure the following parameters in the Contrail service, see Table 1.
Parameter |
Description |
Default |
|---|---|---|
|
Path to the node's private key. |
/etc/contrail/ssl/private/server-privkey.pem |
|
Path to the node's public certificate. |
/etc/contrail/ssl/certs/server.pem |
|
Path to the CA certificate. |
/etc/contrail/ssl/certs/ca-cert.pem |
|
Enable or disable secure introspect connection. |
false |