[Openstack-security] Certmonger

Adam Young ayoung at redhat.com
Tue Oct 29 19:16:18 UTC 2013


On 10/29/2013 02:23 PM, Bryan D. Payne wrote:
> > Certmonger is supported on both RHEL and Debian based systems, and
> > is easily portable to others.  What is essential is identification
> > of what additional Certificate Authority protocols it needs to
> > support.
>
> Sorry, I was referring to OpenStack distros, not Linux distros. 
>  Basically I think that everyone has slightly different tooling around 
> how they handle HTTPS termination (stud, pound, Apache, etc) and each 
> of these would have slightly different needs for orchestration of the 
> certs and such.  Traditionally, this has been done outside of the 
> OpenStack projects and has been more distro specific.  But, perhaps we 
> are approaching the time for some of that to be more fully integrated 
> into the OpenStack projects themselves.  Certainly a conversation 
> worth having.
Even the SSL termination tools do not typically handle certificates; they 
just punt to some other tooling.  I was thinking Devstack as a starting 
point, though, for TLS.

There are a handful of PKI uses inside of OpenStack that would be better 
served by X509, such as the SSH to the VMs; raw public keys have no 
expiry or revocation.  Any encryption that we are doing inside of OS at 
the application level, as I pointed out before, should also be using 
X509.  AMQP traffic, traffic between App server and database, and LDAP 
should all be passed over TLS, and this is inside the datacenter, so 
hardware termination is usually not appropriate.

We need an approach for SSL everywhere: it is one of the issues raised 
in the security guide.  Thus, the default deployment needs to show how 
to set that up.


>
> Cheers,
> -bryan
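
Added example, not part of the thread or of certmonger/devstack: a throwaway internal CA built with the openssl CLI, to make concrete the two properties the message above contrasts with raw SSH keys (a certificate carries a notAfter you can check, and it chains to an issuer and a host name you can verify against). It assumes the `openssl` binary is on PATH; the names example-internal-ca, amqp.internal and rogue are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway internal CA built with the
# openssl CLI, showing the two properties the message contrasts with raw SSH
# keys: certificates expire, and they chain to an issuer you can verify.
# Names below (example-internal-ca, amqp.internal, rogue) are hypothetical.
set -eu

# Scratch directory; override with WORK=/some/dir to keep the files.
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system's
# openssl.cnf. ca_ext marks the self-signed certificate as a CA.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = example-internal-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA valid for $1 days.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for host $1, valid $2 days, signed by the CA.
# The SAN binds the certificate to the name a TLS client will check.
issue_cert() {
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$1" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# A self-signed certificate that never touched our CA: what an impostor
# service on the AMQP or LDAP port would present.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Returns 0 if certificate $1 chains to our CA and matches host name $2, else 1.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1 || return 1
}

# Returns 0 if certificate $1 is still valid for at least $2 more seconds, else 1.
# This is the check a raw SSH public key cannot give you: it has no notAfter.
valid_for() {
  openssl x509 -noout -checkend "$2" -in "$WORK/$1.crt" >/dev/null 2>&1 || return 1
}

demo() {
  write_config
  make_ca 1
  issue_cert amqp.internal 1
  make_rogue_cert rogue
  verify_chain amqp.internal amqp.internal && echo "amqp.internal: chain and name OK"
  verify_chain rogue rogue || echo "rogue: rejected, not issued by our CA"
  valid_for amqp.internal 3600 && echo "amqp.internal: valid for the next hour"
  valid_for amqp.internal $((3 * 86400)) || echo "amqp.internal: expires within 3 days, renew"
}

demo
```

The `valid_for` check is the hook a renewal agent such as certmonger automates: poll notAfter, re-request before the threshold, and reload the service. Revocation is not shown; with OpenSSL it would be a CRL or OCSP response passed to `openssl verify` via `-crl_check`.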




