End To End Encryption With OpenShift Part 1: Two-Way SSL
This is the first part of a 2 part article, part 2 (End To End Encryption With OpenShift Part 2: Re-encryption) will be authored by Matyas Danter, Sr Consultant with Red Hat, it will be published soon.
This article aims to demonstrate use cases for Openshift routes to achieve end-to-end encryption. This is a desirable and sometimes mandated configuration for many verticals, which deal with strict regulations.
For example, financial sectors often are extremely careful about their application security standards and always follow a very high level of compliance.
Many critical applications in a financial organization adhere to two-way SSL. This is a scheme where both the server and client need to establish their identity in order to exchange encrypted data via a secure connection.
Pic (1) Two-Way SSL in Openshift Container Platform
OCP out of the box provides containerized stateless HAProxy as a default router for the whole container ecosystem and one of the key capabilities that come with OCP is this configurable routing layer.
There are three configurable ways to do TLS termination with secure routes in OCP; namely edge, re-encryption, and passthrough. For this POC we leverage “passthrough” route and handle TLS termination at the pod level.
To achieve this:
- Create a Root CA and generate a server certificate, private key, client certificate, and client key.
- In the real world, the certificate issuance process will vary from one organization to another; for our POC we used OpenSSL to generate and sign certificates.
- Build a docker image from RHEL 7’s latest base operating system to install and configure Nginx and Apache for two-way SSL.
- Tag and push the docker image to the registry that Openshift is using.
Dockerfile for Nginx
|# Pull the rhel image from the local repository
MAINTAINER Ron Sengupta
# Fix per https://bugzilla.redhat.com/show_bug.cgi?id=1192200
RUN yum -y install deltarpm yum-utils –disablerepo=*-eus-* –disablerepo=*-htb-* \
–disablerepo=*-ha-* –disablerepo=*-rt-* –disablerepo=*-lb-* –disablerepo=*-rs-* –disablerepo=*-sap-*
RUN yum-config-manager –disable *-eus-* *-htb-* *-ha-* *-rt-* *-lb-* *-rs-* *-sap-* > /dev/null
COPY nginx.repo /etc/yum.repos.d/nginx.repo
RUN chmod 777 /etc/yum.repos.d/nginx.repo
RUN yum update -y; yum install nginx -y;yum clean all
RUN mkdir -p /etc/nginx/certs
RUN mkdir -p /var/www/html
COPY default.conf /etc/nginx/conf.d/default.conf
COPY clisec.rhel-cdk.10.1.2.2.xip.io.crt /etc/nginx/certs/server.crt
COPY clisec.rhel-cdk.10.1.2.2.xip.io.key /etc/nginx/certs/server.key
COPY ca.crt /etc/nginx/certs/ca.crt
RUN echo “The Nginx Web Server is Running” > /var/www/html/index.html
# Define default command.
CMD [“nginx”, “-g”, “daemon off;”]
This dockerfile has a very simple flow, it is pulling the base image and installing and configuring Nginx. As part of the container build it also copies the server SSL certificate, private key, CA public certificate and the Nginx SSL config file “default.conf “ to /etc/nginx/conf.d/ and finally passes the CMD to the container.
You can review the working copy of the code here.
Sample SSL configuration for Nginx
|# content of /etc/nginx/conf.d/default.conf
listen 443 default_server ssl;
index index.html index.htm index.php;
ssl_protocols SSLv3 TLSv1;
- Downloadable link for Nginx SSL configuration.
- Downloadable link for the Apache SSL configuration.
After the docker image is successfully pushed to registry check the image stream for that project.
- $ oc get is
You should see a new image stream object.
|NAME DOCKER REPO TAGS UPDATED
greentea-nginx 172.30.163.234:5000/rhelnginx/greentea-nginx latest About an hour ago
- Launch the new app from the image stream and check the status.
- $ oc new-app greentea-nginx
- $ oc status
- $ oc get pods
You can check the status from web console as well.
|Alternatively, you can create it using following deployment config and subsequently exposing the service. Here is the Github link for the relevant code – dc.yaml.|
Change the IP address, Port, and Image name as per your docker registry setup.
The TLS passthrough route config looks simple. Using the Github code link, route.yaml you’ll need to modify the hostname as per your environment.
You could use the OC CLI to create these objects,
$ oc create -f dc.yaml
$ oc create -f route.yaml
Now the container infrastructure is ready so you can test the two-way SSL.
- Nginx Web Server present SSL server certificate to client and demand client certificate for authorization but the client did not present it.
- Client presents the appropriate certificate and therefore secure communication takes place.
Click here to learn more about Red Hat Openshift Container Platform.