Bug 1417210 - [Doc RFE] [HCI] Document how to configure encryption (during deployment)
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: Documentation
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Assignee: Laura Bailey
QA Contact: RamaKasturi
Blocks: Gluster-HC-2
Reported: 2017-01-27 14:35 UTC by Anjana Suparna Sriram
Modified: 2017-09-01 06:42 UTC (History)
Last Closed: 2017-08-29 04:13:05 UTC

Description Anjana Suparna Sriram 2017-01-27 14:35:27 UTC
Additional information: New documentation includes:

- Using gdeploy to configure SSL during installation
- Configuring SSL to use existing certificates
- Configuring SSL on an existing installation

Comment 8 SATHEESARAN 2017-03-16 02:32:43 UTC
Just gathering the comments from comment 6 (from Kasturi) so that it becomes easy to review.

<content>

To enable RHGS SSL/TLS encryption during the Gluster deployment using cockpit, make the following changes to the generated gdeploy configuration file by selecting the 'Edit' button on the 'Review' tab of the cockpit UI.

1. Edit the [volume1] section to have additional options

[volume1]
enable_ssl=yes
ssl_clients=<Gluster_Network_IP1>,<Gluster_Network_IP2>,<Gluster_Network_IP3>

2. Edit the [volume2] and [volume3] sections to have the additional options

[volume2]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"

[volume3]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"

</content>

@Kasturi, does the above content look good ?
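
An added example, not part of the original thread or of gdeploy: a small linter for the edited configuration described in comment 8 that reports `[volumeN]` sections missing the SSL options. It assumes a section may use either form shown above; the function names, the sample file and its 192.0.2.x addresses are constructed for illustration.

```python
import configparser
import csv
import re

# Constructed sample: volume2 follows the thread, volume3 omits server.ssl,
# and volume1 sets enable_ssl without listing ssl_clients.
SAMPLE_CONF = """
[volume1]
enable_ssl=yes

[volume2]
key=client.ssl,server.ssl,auth.ssl-allow
value=on,on,"192.0.2.11;192.0.2.12;192.0.2.13"

[volume3]
key=client.ssl,auth.ssl-allow
value=on,"192.0.2.11;192.0.2.12;192.0.2.13"
"""

def split_list(raw):
    """Split a comma-separated option list, honouring double-quoted items."""
    return [i.strip() for i in next(csv.reader([raw]))] if raw.strip() else []

def check_ssl(conf_text):
    """Return {section: [problems]} for every [volumeN] section."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if not re.fullmatch(r"volume\d+", name):
            continue  # only volume sections carry the SSL options
        sec, problems = cp[name], []
        if (sec.get("enable_ssl") or "").lower() == "yes":
            # Form 1: enable_ssl=yes must come with a client list.
            if not split_list(sec.get("ssl_clients") or ""):
                problems.append("enable_ssl=yes without ssl_clients")
        else:
            # Form 2: parallel key= / value= lists of volume options.
            keys = split_list(sec.get("key") or "")
            values = split_list(sec.get("value") or "")
            if len(keys) != len(values):
                problems.append("key/value lists differ in length")
            opts = dict(zip(keys, values))
            for opt in ("client.ssl", "server.ssl"):
                if opts.get(opt) != "on":
                    problems.append(f"{opt} is not on")
            if not opts.get("auth.ssl-allow"):
                problems.append("auth.ssl-allow is empty or missing")
        report[name] = problems
    return report
```

An empty list for a section means both the client and server sides of that volume are set to use TLS and an allow list is present.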

Comment 9 SATHEESARAN 2017-03-16 02:36:32 UTC
(In reply to SATHEESARAN from comment #8)
> Just gathering the comments from comment6 ( from Kasturi ) and so that it
> becomes easy for reviewing.
> 
> <content>
> 
> To enable RHGS SSL/TLS encryption during the Gluster deployment using
> cockpit,  make the following changes to the generated gdeploy configuration
> file by selecting 'Edit' button on the 'Review' Tab of cockpit UI
> 
> 1. Edit the [volume1] section to have additional options
> 
> [volume1]
> enable_ssl=yes
> ssl_clients=<Gluster_Network_IP1>,<Gluster_Network_IP2>,<Gluster_Network_IP3>
> 
> 2. Edit the [volume2] and [volume3] sections to have the additional options
> 
> [volume2]
> key=client.ssl,server.ssl,auth.ssl-allow
> value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"
> 
> [volume3]
> key=client.ssl,server.ssl,auth.ssl-allow
> value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"
> 
> </content>
> 
> @Kasturi, does the above content look good ?

One more piece of information:

To begin with, we should have a NOTE to share the information that this configuration will use self-signed certs (valid for 1 year) for SSL/TLS based encryption. If the user has got his own CA, then he needs to set up SSL/TLS outside of the Gluster deployment, following the chapter in the RHGS Admin guide.

Comment 11 RamaKasturi 2017-03-16 06:58:20 UTC
(In reply to SATHEESARAN from comment #8)
> Just gathering the comments from comment6 ( from Kasturi ) and so that it
> becomes easy for reviewing.
> 
> <content>
> 
> To enable RHGS SSL/TLS encryption during the Gluster deployment using
> cockpit,  make the following changes to the generated gdeploy configuration
> file by selecting 'Edit' button on the 'Review' Tab of cockpit UI
> 
> 1. Edit the [volume1] section to have additional options
> 
> [volume1]
> enable_ssl=yes
> ssl_clients=<Gluster_Network_IP1>,<Gluster_Network_IP2>,<Gluster_Network_IP3>
> 
> 2. Edit the [volume2] and [volume3] sections to have the additional options
> 
> [volume2]
> key=client.ssl,server.ssl,auth.ssl-allow
> value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"
> 
> [volume3]
> key=client.ssl,server.ssl,auth.ssl-allow
> value=on,on,"<Gluster_IP_Host1>;<Gluster_IP_Host2>;<Gluster_IP_Host3>"
> 
> </content>
> 
> @Kasturi, does the above content look good ?

sas, yes it does look good

Comment 12 RamaKasturi 2017-03-16 07:02:21 UTC
Laura, I heard that customers will mostly have their own certificate authority-issued certs. It is very rare that one would use self-signed.

Changes in comment 10 look good to me.

Comment 25 RamaKasturi 2017-03-20 13:34:55 UTC
Laura, since enabling SSL with CA-signed certs on the HCI stack can't be done through gdeploy, the user has to follow the manual steps listed at doc [1]. We can provide this info in our Grafton doc where we have a section to configure the HCI stack using CA-signed certs.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3.1/html-single/Administration_Guide/index.html#chap-Network_Encryption-New_Pool

Comment 27 SATHEESARAN 2017-03-23 06:54:03 UTC
*** Bug 1429427 has been marked as a duplicate of this bug. ***

Comment 32 RamaKasturi 2017-03-28 12:08:17 UTC
1) Can we add a step to restart glusterd after step 2 in section A.1.2?

Other than this, everything looks good. Any reason why this section is put in the appendix?

Comment 36 RamaKasturi 2017-04-04 05:10:21 UTC
The configuring encryption section looks good to me. Marking this verified.

Comment 37 Laura Bailey 2017-08-29 04:13:05 UTC
Fixed in RHGS 3.3 documentation.

