Enabling Https on tendrl server

Martin Bukatovič edited this page Mar 19, 2019 · 14 revisions

Enabling HTTPS for Tendrl-UI, Tendrl-API and Grafana

This wiki page describes how to set up SSL/TLS access for the Tendrl Web UI, the Tendrl REST API and the Grafana-based dashboard.

Overview of the solution

  • Tendrl Web, API and the Grafana dashboard, which are all served by the Apache httpd server, are secured with SSL by reconfiguring Apache.
  • Access to the unencrypted http port is redirected to the encrypted https port.
  • Tendrl ships sample Apache configuration files to simplify the SSL setup.
  • Nothing else is secured or restricted compared to the default setup without HTTPS enabled.

Prerequisites:

  • The mod_ssl package is installed and the default configuration in /etc/httpd/conf.d/ssl.conf is left unmodified.

  • The SSL key and certificate files are deployed on the Tendrl server. For testing purposes, one can use the local self-signed key and certificate pair created during installation of the mod_ssl package (the file paths of this pair are used as defaults in the Tendrl SSL sample config file).

Known Limitations

  • Access to the Grafana dashboard is not authenticated, so anyone who can reach the Tendrl web login page can also open and read all panels of the Tendrl dashboard without any password (and learn about the cluster structure, current workload and historic trends). This happens because Tendrl uses anonymous access to the Grafana main dashboard.

  • The Tendrl server listens on a few other ports which are not secured and which are needed for internal communication (e.g. to receive metrics data from the storage machines). The only other component of the Tendrl stack which can be protected via SSL is etcd, as described in the wiki page Etcd SSL enabling using tendrl-ansible.

Deployment Instructions

On a machine where Tendrl server is installed, perform the following steps:

  1. Make sure the mod_ssl rpm package is installed and the /etc/httpd/conf.d/ssl.conf file has not been modified (rpm -V prints nothing when every file of the package verifies):

    # rpm -V mod_ssl
    #
    
  2. Create a new 00_tendrl-ssl.conf file from the sample configuration file:

    # cp /etc/httpd/conf.d/00_tendrl-ssl.conf.sample /etc/httpd/conf.d/00_tendrl-ssl.conf
    
  3. Make the following changes to the 00_tendrl-ssl.conf file:

    • Set ServerName to the hostname (FQDN) of the Tendrl server.
    • Edit the file path of the SSLCertificateFile directive if you want to use your own certificate instead of the default self-signed /etc/pki/tls/certs/localhost.crt generated by mod_ssl.
    • Edit the file path of the SSLCertificateKeyFile directive if you changed the certificate file in the previous step. The default value points to the /etc/pki/tls/private/localhost.key file generated by mod_ssl.
  4. Make the following changes to the tendrl.conf file (this is necessary for the http redirection to work):

    • Un-comment the line which has the Redirect rule and replace %ssl_virtualhost_fqdn% with the fully qualified domain name of the Tendrl server.
    • Comment out the lines which have the DocumentRoot, ProxyPass and ProxyPassReverse directives.
  5. Then check that the configuration is valid using apachectl -t and reload httpd using systemctl reload httpd.service.

  6. Make sure the https port is open:

    # firewall-cmd --add-service=https
    # firewall-cmd --add-service=https --permanent
    

    See the Firewall Configuration section for more details (especially if you are using iptables or firewalld zones).
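As an added example (not code from the Tendrl project), the following POSIX shell script applies the edits of steps 3 and 4 with sed and then checks the result, so the change can be rehearsed on copies before touching /etc/httpd. The FQDN, the certificate paths passed as arguments and the config contents written by run_demo are constructed stand-ins; the layout of the real sample files may differ.

```shell
# Added example, not Tendrl project code: applies steps 3 and 4 with sed.
# Config contents in run_demo are constructed stand-ins for the real files.
set -eu

# rewrite FILE sed-options... : portable in-place edit (no 'sed -i')
rewrite() { f=$1; shift; sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"; }

# apply_tendrl_ssl_edits SSL_CONF TENDRL_CONF FQDN [CERT] [KEY]
# FQDN and paths must not contain '|' (used as the sed delimiter).
apply_tendrl_ssl_edits() {
  ssl_conf=$1; tendrl_conf=$2; fqdn=$3
  cert=${4:-/etc/pki/tls/certs/localhost.crt}      # mod_ssl defaults
  key=${5:-/etc/pki/tls/private/localhost.key}
  # Step 3: ServerName, SSLCertificateFile, SSLCertificateKeyFile
  rewrite "$ssl_conf" \
    -e "s|^\([[:space:]]*ServerName\)[[:space:]].*|\1 $fqdn|" \
    -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $cert|" \
    -e "s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $key|"
  # Step 4: un-comment the Redirect line, fill in the FQDN, comment out
  # DocumentRoot, ProxyPass and ProxyPassReverse (prefix match covers both)
  rewrite "$tendrl_conf" \
    -e "/Redirect/s|^\([[:space:]]*\)#[[:space:]]*|\1|" \
    -e "s|%ssl_virtualhost_fqdn%|$fqdn|g" \
    -e "s|^\([[:space:]]*\)DocumentRoot|\1# DocumentRoot|" \
    -e "s|^\([[:space:]]*\)ProxyPass|\1# ProxyPass|"
}

# verify_tendrl_ssl_edits SSL_CONF TENDRL_CONF FQDN : returns 0 when the files
# are in the state the procedure expects, 1 otherwise (run before apachectl -t)
verify_tendrl_ssl_edits() {
  grep -q "^[[:space:]]*ServerName $3\$" "$1" || return 1
  grep -q "^[[:space:]]*Redirect .*https://$3" "$2" || return 1
  grep -q "%ssl_virtualhost_fqdn%" "$2" && return 1
  grep -Eq "^[[:space:]]*(DocumentRoot|ProxyPass)" "$2" && return 1
  return 0
}

# run_demo: rehearse the edits on constructed copies in a temporary directory
run_demo() {
  d=$(mktemp -d)
  # constructed stand-in for 00_tendrl-ssl.conf copied from the sample
  printf '<VirtualHost _default_:443>\n  ServerName localhost\n  SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key\n</VirtualHost>\n' > "$d/00_tendrl-ssl.conf"
  # constructed stand-in for tendrl.conf (backend URL is a placeholder)
  printf '<VirtualHost *:80>\n  #Redirect permanent / https://%%ssl_virtualhost_fqdn%%/\n  DocumentRoot /var/www/html\n  ProxyPass /api http://127.0.0.1:8000/\n  ProxyPassReverse /api http://127.0.0.1:8000/\n</VirtualHost>\n' > "$d/tendrl.conf"
  apply_tendrl_ssl_edits "$d/00_tendrl-ssl.conf" "$d/tendrl.conf" tendrl.example.com
  cat "$d/00_tendrl-ssl.conf" "$d/tendrl.conf"
  verify_tendrl_ssl_edits "$d/00_tendrl-ssl.conf" "$d/tendrl.conf" tendrl.example.com
}
```

Running run_demo prints the edited copies and exits 0 only if the Redirect is active with the FQDN filled in and no uncommented DocumentRoot or ProxyPass line remains.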

If you have a web browser open with Tendrl web or the Grafana dashboard during this procedure, you will need to reload the page. This step is important especially if you use self-signed SSL certificates.