Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1693982 - [gluster-ansible] Enable RHGS SSL/TLS encryption with CA signed certs
Summary: [gluster-ansible] Enable RHGS SSL/TLS encryption with CA signed certs
Keywords:
Status: POST
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: gluster-ansible
Version: rhgs-3.4
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
: ---
Assignee: Sachidananda Urs
QA Contact: SATHEESARAN
URL:
Whiteboard:
Depends On:
Blocks: 1693990
TreeView+ depends on / blocked
 
Reported: 2019-03-29 08:28 UTC by SATHEESARAN
Modified: 2019-04-11 07:55 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1693990 (view as bug list)
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)

Description SATHEESARAN 2019-03-29 08:28:16 UTC
Description of problem:
-----------------------
RHGS supports SSL/TLS encryption and gluster-ansible should help in setting up such encryption using CA signed certs

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
RHGS 3.4.4
gluster-ansible-roles-1.0.4-4

How reproducible:
-----------------
Not Applicable

Steps to Reproduce:
-------------------
Not applicable

Actual results:
---------------
No way to enable RHGS SSL/TLS encryption using CA signed certs using gluster-ansible

Expected results:
-----------------
Provide a way to enable RHGS SSL/TLS encryption using CA signed certs

Comment 1 SATHEESARAN 2019-03-29 08:32:30 UTC
In this case, its expected that the user has got the CA signed certs already in place.

Pre-requisites
--------------
User should have CA signed certs - glusterfs.pem under /etc/ssl/
Other files in this location are :
     glusterfs.key - Hosts private key
     glusterfs.ca - Public key ( cert ) of CA

Following are the changes that needs to be done by gluster-ansible:
1. Create a file - /var/lib/glusterd/secure-access - that enables encryption on the management layer
2. Restart glusterd
3. On the volumes, set the volume options:
        server.ssl=on 
        client.ssl=on
        auth.ssl-allow=<CN_of_host1>, <CN_of_host2>, etc
            Note: CN is the common name of the host used during certificate generation
5. Restart volumes if they are already started. Its better to set the options before starting the volume.

Make sure, all these changes happen before creating the gluster cluster, Trusted Storage Pool

Comment 2 SATHEESARAN 2019-04-03 12:35:39 UTC
@Sachi,
Before acking this bug, I wanted to sort of out the clarity on setting up CA signed certs
Did you consider the complexity to support SSL/TLS encryption with  CA signed certs ?

Pre-requisites for such encryption:
1. Private key ( glusterfs.key ) - This should not be circulated around or exposed
2. Public key/Certificate ( glusterfs.pem ) - Can be exposed
3. CA certificate/CA's public key ( glusterfs.ca ) - Can be exposed


Note You need to log in before you can comment on or make changes to this bug.