.. _Securing OpenStack API Traffic with SSL:

Securing OpenStack API Traffic with SSL
---------------------------------------

By means of the **Compute API** traffic type, |product_name| exposes a public endpoint that listens for OpenStack API requests. By default, it points to the IP address of the management node (or to its virtual IP address if high availability is enabled).

Traffic to and from the endpoint can be secured with an SSL certificate. However, as domain names are not used by default, the certificate needs a ``subjectAltName`` field containing an ``IP Address`` entry for the aforementioned management node IP address; a certificate whose ``subjectAltName`` lists only DNS names will fail verification when the client connects to the IP. If the certificate does not have such an entry, you will need to modify the public endpoints to use a domain name that you have a certificate for.

To secure public OpenStack API traffic with SSL, do the following:

#. Upload the certificate and then the private key in the admin panel, on the **SETTINGS** > **Management node** > **SSL ACCESS** screen.

#. Place the CA certificate file into the operating system's trusted bundle:

   ::

      # cp ca.pem /etc/pki/ca-trust/source/anchors/
      # update-ca-trust extract

   Alternatively, you can append the ``--os-cacert ca.pem`` option to each OpenStack client call.

#. If your certificate does not have the ``subjectAltName`` field (or it does not list the management node IP address), modify all public endpoints to use the domain name for which you have the certificate. This domain name must resolve to the management node IP address (or to its virtual IP address if high availability is enabled). The ``--insecure`` option used below disables certificate verification; it is needed only while the endpoints still point at the IP address that the certificate does not cover.
   For example:

   ::

      # openstack --insecure endpoint list | grep public
      | 44aa0f53a40e4e52b1c7eeeb20c7811e | <...> | https://10.94.16.12:8774/v2.1/%(tenant_id)s |
      | 5a845b4b813047c292db73c42dad5efd | <...> | https://10.94.16.12:8780                    |
      | 0b906e518b1041c8b94af7f410403369 | <...> | https://10.94.16.12:9696                    |
      | d80af756adf1449f9237c3aeebc9206a | <...> | https://10.94.16.12:8004/v1/%(tenant_id)s   |
      | d0e8c7da7d174e1f9aa4efbc6dff2113 | <...> | https://10.94.16.12:5000/v3                 |
      | 0e6d3a39d6c44aa883984a35dde434bb | <...> | https://10.94.16.12:9292                    |
      | 7d901686bca549f9b294e572f046f634 | <...> | https://10.94.16.12:8776/v2/%(tenant_id)s   |
      | 1b68ac7c3f7949fbaeef4a815fe6f3b1 | <...> | https://10.94.16.12:8776/v3/%(tenant_id)s   |
      # openstack --insecure endpoint set \
      --url 'https://:8774/v2.1/%(tenant_id)s' 44aa0f53a40e4e52b1c7eeeb20c7811e
      # openstack --insecure endpoint set \
      --url 'https://:8780' 5a845b4b813047c292db73c42dad5efd
      # openstack --insecure endpoint set \
      --url 'https://:9696' 0b906e518b1041c8b94af7f410403369
      # openstack --insecure endpoint set \
      --url 'https://:8004/v1/%(tenant_id)s' d80af756adf1449f9237c3aeebc9206a
      # openstack --insecure endpoint set \
      --url 'https://:5000/v3' d0e8c7da7d174e1f9aa4efbc6dff2113
      # openstack --insecure endpoint set \
      --url 'https://:9292' 0e6d3a39d6c44aa883984a35dde434bb
      # openstack --insecure endpoint set \
      --url 'https://:8776/v2/%(tenant_id)s' 7d901686bca549f9b294e572f046f634
      # openstack --insecure endpoint set \
      --url 'https://:8776/v3/%(tenant_id)s' 1b68ac7c3f7949fbaeef4a815fe6f3b1

   The URLs are quoted because the unquoted parentheses in ``%(tenant_id)s`` are a syntax error in the shell.

#. In your OpenRC script, change ``OS_AUTH_URL`` to the same domain name and remove all parameters related to insecure access. For example:

   ::

      export OS_PROJECT_DOMAIN_NAME=Default
      export OS_USER_DOMAIN_NAME=Default
      export OS_PROJECT_NAME=admin
      export OS_USERNAME=admin
      export OS_PASSWORD=
      export OS_AUTH_URL=https://:5000/v3
      export OS_IDENTITY_API_VERSION=3

Now you can run OpenStack commands without the ``--insecure`` option. If the client reports a certificate verification error at this point, check that the domain name resolves to the management node IP address and that ``ca.pem`` was added to the trust store (or is passed with ``--os-cacert``).
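The procedure above edits each endpoint by hand. The following script is an added example, not part of the product documentation, that automates steps 3 and 4 for any number of public endpoints: it reports the ``subjectAltName`` entries of the certificate so you can see whether the management node IP is covered, rewrites the host of every public endpoint URL to a domain name while keeping scheme, port and path (including the ``%(tenant_id)s`` suffix), and then verifies TLS against the system trust store without ``--insecure``. It assumes the domain name is passed in a hypothetical ``DOMAIN`` environment variable, that endpoint hosts are plain ``host[:port]`` (no bracketed IPv6 literals), and that ``openstack``, ``openssl`` and ``curl`` are installed; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the product documentation: rewrite every public
# OpenStack endpoint from the management node IP to a domain name that the
# certificate covers, then verify TLS without --insecure.
# Assumptions (hypothetical): DOMAIN holds the domain name; endpoint hosts are
# plain host[:port] without bracketed IPv6 literals.

# san_entries CERT: print the subjectAltName entries of a PEM certificate,
# one per line (e.g. "DNS:cloud.example.com" or "IP Address:10.94.16.12").
# An empty result means the certificate has no subjectAltName at all.
san_entries() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *//'
}

# rewrite_host URL DOMAIN: print URL with its host replaced by DOMAIN,
# keeping the scheme, the port (if any) and the path.
rewrite_host() {
    url=$1
    newhost=$2
    scheme=${url%%://*}
    rest=${url#*://}            # host[:port][/path]
    hostport=${rest%%/*}        # host[:port]
    path=${rest#"$hostport"}    # "" or "/..."
    port=${hostport##*:}
    if [ "$port" = "$hostport" ]; then
        port=""                 # no explicit port in the URL
    else
        port=":$port"
    fi
    printf '%s://%s%s%s\n' "$scheme" "$newhost" "$port" "$path"
}

# update_public_endpoints DOMAIN: point every public endpoint at DOMAIN.
# --insecure is still required here: until the URLs change, the client
# connects to the IP address, which the certificate does not cover.
update_public_endpoints() {
    openstack --insecure endpoint list --interface public -f value -c ID -c URL |
    while read -r id url; do
        new=$(rewrite_host "$url" "$1")
        [ "$new" = "$url" ] && continue
        echo "$id: $url -> $new"
        openstack --insecure endpoint set --url "$new" "$id"
    done
}

# verify_tls DOMAIN PORT: full certificate chain and hostname check against
# the system trust store (where ca.pem was installed); non-zero on failure.
verify_tls() {
    curl -sS -o /dev/null "https://$1:$2/"
}

if [ -n "${DOMAIN:-}" ]; then
    update_public_endpoints "$DOMAIN" || exit 1
    # Keystone listens on 5000; OS_AUTH_URL in the OpenRC script must use
    # the same domain name as the rewritten public endpoints.
    verify_tls "$DOMAIN" 5000 && echo "TLS verification against $DOMAIN succeeded"
fi
```

Run ``san_entries cert.pem`` first: if the output contains an ``IP Address:`` entry for the management node, the endpoints can stay as they are and only step 2 is needed. Otherwise run the script as ``DOMAIN=cloud.example.com sh rewrite-endpoints.sh`` (hypothetical name and path) after steps 1 and 2; the final ``verify_tls`` call is the same check the OpenStack client performs once ``--insecure`` is dropped, so a failure there means either DNS does not resolve the name to the management node or ``ca.pem`` is not in the trust store.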