Bug 1518218 - [Docs][Hardening] Misleading information in Configuring the Database to use SSL doc
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.8.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.9.0
Assignee: Dayle Parker
QA Contact: Suyog Sainkar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-28 12:47 UTC by Neha Chugh
Modified: 2018-02-23 00:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-23 00:16:30 UTC
Category: ---
Cloudforms Team: CFME Core



Description Neha Chugh 2017-11-28 12:47:19 UTC
Document URL:
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html-single/appliance_hardening_guide/#chap_red_hat_cloudforms_security_guide_setting_ssl_for_the_database_appliance
 

Section Number and Name: 
4.2. Configuring the Database to use SSL


Describe the issue: 
1. Definition of root.crt.
Our document states that:
"/var/www/miq/vmdb/certs/root.crt - The root certificate for Red Hat CloudForms database server appliance. You can either use a self-signed certificate or a certificate signed by a trusted CA to generate your root certificate."

To be exact, it is the root CA certificate that was used to sign the database CA cert.

Also, step 5:
"Install the database appliance certificate file as the root certificate in the correct location and set the ownership and permissions for it:

[root@{productname_short_l}2 ~]# install -m 644 -o postgres -g postgres /var/www/miq/vmdb/certs/server.cer /var/www/miq/vmdb/certs/root.crt"
This is only correct if you are using a self-signed cert.
It needs to be clear that if you are using a 3rd party certificate, you need to install the proper root CA cert.


2. CloudForms 4.5 uses PostgreSQL 9.5, not 9.4.
All the references to 9.4 should be changed to 9.5.


Suggestions for improvement: 

Additional information:

Comment 2 Dayle Parker 2018-01-03 05:18:40 UTC
Created attachment 1376128 [details]
Revised section for "Configuring the Database to use SSL"

Hi Neha,

Thanks for providing these details. I've made the changes requested (except for in step 5, where I had a further question, below). Please let me know if you have further feedback as well.

Thank you,
Dayle

(In reply to Neha Chugh from comment #0)

> 1. Definition of root.crt.
> Our document states that:
> "/var/www/miq/vmdb/certs/root.crt - The root certificate for Red Hat
> CloudForms database server appliance. You can either use a self-signed
> certificate or a certificate signed by a trusted CA to generate your root
> certificate."
> 
> To be exact, it is the root CA certificate that was used to sign the database
> CA cert.

I've changed this to:

"The root CA certificate used to sign the CloudForms database appliance CA certificate. You can either use a self-signed certificate or a certificate signed by a trusted CA to generate your root certificate."

> 
> Also, step 5:
> "Install the database appliance certificate file as the root certificate in
> the correct location and set the ownership and permissions for it:
> 
> [root@{productname_short_l}2 ~]# install -m 644 -o postgres -g postgres
> /var/www/miq/vmdb/certs/server.cer /var/www/miq/vmdb/certs/root.crt"
> This is only correct if you are using a self-signed cert.
> It needs to be clear that if you are using a 3rd party certificate, you need
> to install the proper root CA cert.
> 

What is the command/steps to install the root CA certificate when using a 3rd party cert? I will add this to step 5 where it says "COMMAND NEEDED". Please let me know what you think of this change in the attached PDF.

> 
> 2. CloudForms 4.5 uses PostgreSQL 9.5, not 9.4.
> All the references to 9.4 should be changed to 9.5.

All fixed.

Comment 7 Dayle Parker 2018-02-23 00:16:30 UTC
Thanks for reviewing, Suyog!

This update is now live in the 4.5 version of this guide:
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html-single/appliance_hardening_guide/#chap_red_hat_cloudforms_security_guide_setting_ssl_for_the_database_appliance

It will also appear in future docs versions.
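
The distinction raised in point 1 of the description and in the step 5 question (root.crt must hold the certificate that signed the database certificate, which is the server certificate itself only when that certificate is self-signed), as an added shell example that is not part of this bug or of the CloudForms guide. The function names and the optional CA file argument are assumptions; the path it prints is what would be given as the source file to the guide's `install ... root.crt` command.

```shell
#!/bin/sh
# Added example (not from the CloudForms guide): choose the file that belongs
# in root.crt for a given server certificate. Requires the openssl CLI.
# Function names and argument order are assumptions made for this example.

# is_self_signed CERT: succeeds when subject == issuer and the signature
# verifies against the certificate itself.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# chains_to ROOT CERT: succeeds when CERT verifies with ROOT as trust anchor.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pick_root SERVER_CERT [CA_CERT]: prints the path to install as root.crt.
#   self-signed server cert -> the server cert itself (the guide's step 5 case)
#   CA-signed server cert   -> the CA cert, but only if it really signed it
pick_root() {
    server=$1
    ca=${2:-}
    if is_self_signed "$server"; then
        echo "$server"
    elif [ -n "$ca" ] && chains_to "$ca" "$server"; then
        echo "$ca"
    else
        echo "no certificate supplied that verifies $server" >&2
        return 1
    fi
}

# Stand-alone use: ./pick_root.sh server.cer [ca.crt]
if [ $# -gt 0 ]; then
    pick_root "$@"
fi
```

A CA-signed server certificate copied to root.crt fails the `chains_to` check, which is the misconfiguration the original step 5 wording could lead to.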

