64b6c9261e
Current folder name New folder name Book title ---------------------------------------------------------- basic-install DELETE cli-guide DELETE common common NEW admin-guide-cloud Cloud Administrators Guide docbkx-example DELETE openstack-block-storage-admin DELETE openstack-compute-admin DELETE openstack-config config-reference OpenStack Configuration Reference openstack-ha high-availability-guide OpenStack High Availabilty Guide openstack-image image-guide OpenStack Virtual Machine Image Guide openstack-install install-guide OpenStack Installation Guide openstack-network-connectivity-admin admin-guide-network OpenStack Networking Administration Guide openstack-object-storage-admin DELETE openstack-security security-guide OpenStack Security Guide openstack-training training-guide OpenStack Training Guide openstack-user user-guide OpenStack End User Guide openstack-user-admin user-guide-admin OpenStack Admin User Guide glossary NEW OpenStack Glossary bug: #1220407 Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7 author: diane fleming
134 lines
11 KiB
XML
134 lines
11 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<chapter xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://docbook.org/ns/docbook" xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="ch038_transport-security"><?dbhtml stop-chunking?>
|
||
<title>Messaging Security</title>
|
||
<para>This chapter discusses security hardening approaches for the three most common message queuing solutions use in OpenStack: RabbitMQ, Qpid, and ZeroMQ.</para>
|
||
<section xml:id="ch038_transport-security-idp37712">
|
||
<title>Messaging Transport Security</title>
|
||
<para>AMQP based solutions (Qpid and RabbitMQ) support transport-level security using SSL. ZeroMQ messaging does not natively support SSL, but transport-level security is possible using labelled IPSec or CIPSO network labels.</para>
|
||
<para>We highly recommend enabling transport-level cryptography for your message queue. Using SSL for the messaging client connections provides protection of the communications from tampering and eavesdropping in-transit to the messaging server. Below is guidance on how SSL is typically configured for the two popular messaging servers Qpid and RabbitMQ. When configuring the trusted certificate authority (CA) bundle that your messaging server uses to verify client connections, it is recommended that this be limited to only the CA used for your nodes, preferably an internally managed CA. The bundle of trusted CAs will determine which client certificates will be authorized and pass the client-server verification step of the setting up the SSL connection. Note, when installing the certificate and key files, ensure that the file permissions are restricted, for example chmod 0600, and the ownership is restricted to the messaging server daemon user to prevent unauthorized access by other processes and users on the messaging server.</para>
|
||
<section xml:id="ch038_transport-security-idp40512">
|
||
<title>RabbitMQ Server SSL Configuration</title>
|
||
<para>The following lines should be added to the system-wide RabbitMQ configuration file, typically /etc/rabbitmq/rabbitmq.config:</para>
|
||
<screen>
|
||
[
|
||
{rabbit, [
|
||
{tcp_listeners, [] },
|
||
{ssl_listeners, [{"<ip address or hostname of management network interface", 5671}] },
|
||
{ssl_options, [{cacertfile,"/etc/ssl/cacert.pem"},
|
||
{certfile,"/etc/ssl/rabbit-server-cert.pem"},
|
||
{keyfile,"/etc/ssl/rabbit-server-key.pem"},
|
||
{verify,verify_peer},
|
||
{fail_if_no_peer_cert,true}]}
|
||
]}
|
||
].</screen>
|
||
<para>Note, the 'tcp_listeners' option is set to '[]' to prevent it from listening an on non-SSL port. 'ssl_listeners' option should be restricted to only listen on the management network for the services.</para>
|
||
<para>For more information on RabbitMQ SSL configuration see:</para>
|
||
<itemizedlist><listitem>
|
||
<para><link xlink:href="http://www.rabbitmq.com/configure.html">RabbitMQ Configuration</link></para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><link xlink:href="http://www.rabbitmq.com/ssl.html">RabbitMQ SSL</link></para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
<section xml:id="ch038_transport-security-idp46320">
|
||
<title>Qpid Server SSL Configuration</title>
|
||
<para>The Apache Foundation has a messaging security guide for Qpid. See:</para>
|
||
<itemizedlist><listitem>
|
||
<para><link xlink:href="http://qpid.apache.org/books/0.22/AMQP-Messaging-Broker-CPP-Book/html/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-Encryption_using_SSL">Apache Qpid SSL</link></para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
</section>
|
||
<section xml:id="ch038_transport-security-idp48960">
|
||
<title>Queue Authentication and Access Control</title>
|
||
<para>RabbitMQ and Qpid offer authentication and access control mechanisms for controlling access to queues. ZeroMQ offers no such mechanisms.</para>
|
||
<para>Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. Both RabbitMQ and Qpid offer SASL and other pluggable authentication mechanisms beyond simple usernames and passwords that allow for increased authentication security. While RabbitMQ supports SASL, support in OpenStack does not currently allow for requesting a specific SASL authentication mechanism. RabbitMQ support in OpenStack allows for either username and password authentication over an unencrypted connection or username and password in conjunction with X.509 client certificates to establish the secure SSL connection.</para>
|
||
<para>We recommend configuring X.509 client certificates on all the OpenStack service nodes for client connections to the messaging queue and where possible (currently only Qpid) perform authentication with X.509 client certificates. When using usernames and passwords, accounts should be created per-service and node for finer grained auditability of access to the queue.</para>
|
||
<para>The SSL libraries in use by these queuing servers should also be considered prior to deployment. Qpid uses Mozilla's NSS library, whereas RabbitMQ uses Erlang's SSL module which uses OpenSSL.</para>
|
||
<section xml:id="ch038_transport-security-idp52640">
|
||
<title>Authentication Configuration Example - RabbitMQ</title>
|
||
<para>On the RabbitMQ server, delete the default 'guest' user:</para>
|
||
<screen>
|
||
rabbitmqctl delete_user quest</screen>
|
||
<para>On the RabbitMQ server, for each OpenStack service or node that communicates with the message queue set up user accounts and privileges:</para>
|
||
<screen>
|
||
rabbitmqctl add_user compute01 password
|
||
rabbitmqctl set_permissions compute01 ".*"".*"".*"</screen>
|
||
<para>For additional configuration information see:</para>
|
||
<itemizedlist><listitem>
|
||
<para><link xlink:href="http://www.rabbitmq.com/access-control.html">RabbitMQ Access Control</link></para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><link xlink:href="http://www.rabbitmq.com/authentication.html">RabbitMQ Authentication</link></para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><link xlink:href="http://www.rabbitmq.com/plugins.html">RabbitMQ Plugins</link></para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><link xlink:href="http://hg.rabbitmq.com/rabbitmq-auth-mechanism-ssl/file/rabbitmq_v3_1_3/README">RabbitMQ SASL External Auth</link></para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
<section xml:id="ch038_transport-security-idp59648">
|
||
<title>OpenStack Service Configuration - RabbitMQ</title>
|
||
<screen>
|
||
[DEFAULT]
|
||
rpc_backend=nova.openstack.common.rpc.impl_kombu
|
||
rabbit_use_ssl=True
|
||
rabbit_host=
|
||
rabbit_port=5671
|
||
rabbit_user=compute01
|
||
rabbit_password=password
|
||
kombu_ssl_keyfile=/etc/ssl/node-key.pem
|
||
kombu_ssl_certfile=/etc/ssl/node-cert.pem
|
||
kombu_ssl_ca_certs=/etc/ssl/cacert.pem</screen>
|
||
<para>NOTE: A bug exists in the current version of OpenStack Grizzly where if 'kombu_ssl_version' is currently specified in the configuration file for any of the OpenStack services it will cause the following python traceback error: 'TypeError: an integer is required'. The current workaround is to remove 'kombu_ssl_version' from the configuration file. Refer to <link xlink:href="https://bugs.launchpad.net/oslo/+bug/1195431">bug report 1195431</link> for current status.</para>
|
||
</section>
|
||
<section xml:id="ch038_transport-security-idp62112">
|
||
<title>Authentication Configuration Example - Qpid</title>
|
||
<para>For configuration information see:</para>
|
||
<itemizedlist><listitem>
|
||
<para><link xlink:href="http://qpid.apache.org/books/0.22/AMQP-Messaging-Broker-CPP-Book/html/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-User_Authentication">Apache Qpid Authentication</link></para>
|
||
</listitem>
|
||
<listitem>
|
||
<para><link xlink:href="http://qpid.apache.org/books/0.22/AMQP-Messaging-Broker-CPP-Book/html/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-Authorization">Apache Qpid Authorization</link></para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
<section xml:id="ch038_transport-security-idp65584">
|
||
<title>OpenStack Service Configuration - Qpid</title>
|
||
<screen>
|
||
[DEFAULT]
|
||
rpc_backend=nova.openstack.common.rpc.impl_qpid
|
||
qpid_protocol=ssl
|
||
qpid_hostname=<ip or hostname of management network interface of messaging server>
|
||
qpid_port=5671qpid_username=compute01
|
||
|
||
qpid_password=password</screen>
|
||
<para>Optionally, if using SASL with Qpid specify the SASL mechanisms in use by adding:</para>
|
||
<screen>
|
||
qpid_sasl_mechanisms=<space separated list of SASL mechanisms to use for auth></screen>
|
||
</section>
|
||
</section>
|
||
<section xml:id="ch038_transport-security-idp68512">
|
||
<title>Message Queue Process Isolation & Policy</title>
|
||
<para>Each project provides a number of services which send and consume messages. Each binary which sends a message is expected to consume messages, if only replies, from the queue.</para>
|
||
<para>Message queue service processes should be isolated from each other and other processes on a machine.</para>
|
||
<section xml:id="ch038_transport-security-idp70304">
|
||
<title>Namespaces</title>
|
||
<para>Network namespaces are highly recommended for all services running on OpenStack Compute Hypervisors. This will help prevent against the bridging of network traffic between VM guests and the management network.</para>
|
||
<para>When using ZeroMQ messaging, each host must run at least one ZeroMQ message receiver to receive messages from the network and forward messages to local processes via IPC. It is possible and advisable to run an independent message receiver per project within an IPC namespace, along with other services within the same project.</para>
|
||
</section>
|
||
<section xml:id="ch038_transport-security-idp72736">
|
||
<title>Network Policy</title>
|
||
<para>Queue servers should only accept connections from the management network. This applies to all implementations. This should be implemented through configuration of services and optionally enforced through global network policy.</para>
|
||
<para>When using ZeroMQ messaging, each project should run a separate ZeroMQ receiver process on a port dedicated to services belonging to that project. This is equivalent to the AMQP concept of control exchanges.</para>
|
||
</section>
|
||
<section xml:id="ch038_transport-security-idp74736">
|
||
<title>Mandatory Access Controls</title>
|
||
<para>The configuration for these processes should be restricted to those processes, not only by Directory Access Controls, but through Mandatory Access Controls. The goal of such restrictions is to prevent isolation from other processes running on the same machine(s).</para>
|
||
</section>
|
||
</section>
|
||
</chapter>
|