cloudstack-commits mailing list archives

From seb...@apache.org
Subject git commit: CLOUDSTACK-6204: updating docs to reflect...Closes #7
Date Tue, 25 Mar 2014 07:47:39 GMT
Repository: cloudstack-docs-admin
Updated Branches:
  refs/heads/master 3c2bc1d63 -> dc3e342a8


CLOUDSTACK-6204: updating docs to reflect...Closes #7

...RHIP going away

Signed-off-by: Sebastien Goasguen <runseb@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/commit/dc3e342a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/tree/dc3e342a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/diff/dc3e342a

Branch: refs/heads/master
Commit: dc3e342a82a3555eb9e2ec1ffd5bb4b1f19b5d49
Parents: 3c2bc1d
Author: John Kinsella <jlkinsel@gmail.com>
Authored: Mon Mar 24 20:44:56 2014 -0700
Committer: Sebastien Goasguen <runseb@gmail.com>
Committed: Tue Mar 25 08:47:08 2014 +0100

----------------------------------------------------------------------
 source/systemvm.rst | 74 +++++++++++++++++++++++++++++-------------------
 1 file changed, 45 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/dc3e342a/source/systemvm.rst
----------------------------------------------------------------------
diff --git a/source/systemvm.rst b/source/systemvm.rst
index c185945..f87f9c5 100644
--- a/source/systemvm.rst
+++ b/source/systemvm.rst
@@ -167,39 +167,45 @@ interrupt existing console sessions for users.
 Using a SSL Certificate for the Console Proxy
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The console viewing functionality uses a dynamic DNS service under the
-domain name ``realhostip.com`` to assist in providing SSL security to
-console sessions. The console proxy is assigned a public IP address. In
-order to avoid browser warnings for mismatched SSL certificates, the URL
-for the new console window is set to the form of
-https://aaa-bbb-ccc-ddd.realhostip.com. You will see this URL during
-console session creation. CloudStack includes the realhostip.com SSL
-certificate in the console proxy VM. Of course, CloudStack cannot know
-about the DNS A records for our customers' public IPs prior to shipping
-the software. CloudStack therefore runs a dynamic DNS server that is
-authoritative for the realhostip.com domain. It maps the aaa-bbb-ccc-ddd
-part of the DNS name to the IP address aaa.bbb.ccc.ddd on lookups. This
-allows the browser to correctly connect to the console proxy's public
-IP, where it then expects and receives a SSL certificate for
-realhostip.com, and SSL is set up without browser warnings.
+**NOTE** In the past CloudStack used the ``realhostip.com`` dynamic 
+DNS resolution service. As this service will be shut down as of 
+June 30th, 2014, CloudStack has stopped using the service as of version
+4.3.
+
+By default, the console viewing functionality uses plaintext HTTP. In 
+any production environment, the console proxy connection should be
+encrypted via SSL at the mininum.
+
+A CloudStack administrator has 2 ways to secure the console proxy
+communication with SSL:
+
+-
+   Set up a SSL wild-card certificate and domain name resolution
+   
+-
+   Set up SSL certificate for specific FQDN and configure load-balancer
+
 
 Changing the Console Proxy SSL Certificate and Domain
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If the administrator prefers, it is possible for the URL of the
-customer's console session to show a domain other than realhostip.com.
-The administrator can customize the displayed domain by selecting a
-different domain and uploading a new SSL certificate and private key.
-The domain must run a DNS service that is capable of resolving queries
-for addresses of the form aaa-bbb-ccc-ddd.your.domain to an IPv4 IP
-address in the form aaa.bbb.ccc.ddd, for example, 202.8.44.1. To change
-the console proxy domain, SSL certificate, and private key:
+The administrator can configure SSL encryption  by selecting a domain 
+and uploading a new SSL certificate and private key. The domain must 
+run a DNS service that is capable of resolving queries for addresses 
+of the form aaa-bbb-ccc-ddd.your.domain to an IPv4 IP address in the
+form aaa.bbb.ccc.ddd, for example, 202.8.44.1. To change the console 
+proxy domain, SSL certificate, and private key:
 
 #. 
 
    Set up dynamic name resolution or populate all possible DNS names in
    your public IP range into your existing DNS server with the format
-   aaa-bbb-ccc-ddd.company.com -> aaa.bbb.ccc.ddd.
+   aaa-bbb-ccc-ddd.consoleproxy.company.com -> aaa.bbb.ccc.ddd.
+
+   **NOTE** In these steps you will notice *consoleproxy.company.com* -
+   For security best practices, we recommend creating a wildcard SSL
+   certificate on a separate subdomain so in the event that the certificate
+   is compromised, a malicious user cannot impersonate a company.com domain.
 
 #. 
 
@@ -218,7 +224,8 @@ the console proxy domain, SSL certificate, and private key:
 
    #. 
 
-      Generate a new certificate CSR
+      Generate a new certificate CSR. Ensure the creation of a wildcard 
+      certificate, eg *.consoleproxy.company.com
 
       .. code:: bash
 
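Review bot: the bare `*.consoleproxy.company.com` in `Ensure the creation of a wildcard certificate, eg *.consoleproxy.company.com` is an unterminated emphasis start in RST (docutils emits an "inline emphasis start-string without end-string" warning and the asterisk may not render); wrap it as ``*.consoleproxy.company.com`` and write `e.g.` rather than `eg`. The first added line of the hunk also ends in trailing whitespace.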
@@ -262,23 +269,32 @@ the console proxy domain, SSL certificate, and private key:
 
    -  
 
-      The desired new domain name; for example, company.com
+      The desired domain name, prefixed with ``*.``; for example, *.consoleproxy.company.com
 
      |update-ssl.png|
 
 #. 
 
-   The desired new domain name; for example, company.com
-
    This stops all currently running console proxy VMs, then restarts
    them with the new certificate and key. Users might notice a brief
    interruption in console availability.
 
 The Management Server generates URLs of the form
-"aaa-bbb-ccc-ddd.company.com" after this change is made. The new console
+"aaa-bbb-ccc-ddd.consoleproxy.company.com" after this change is made. The new console
 requests will be served with the new DNS domain name, certificate, and
 key.
 
+Load-balancing Console Proies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+An alternative to using dynamic DNS or creating a range of DNS entries 
+as described in the last section would be to create a SSL certificate
+for a specific domain name, configure CloudStack to use that particular
+FQDN, and then configure a load balancer to load balance the console
+proxy's IP address behind the FQDN. As the functionality for this is still
+new, please see https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
+for more details.
+
+
 Virtual Router
 --------------
 
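Review bot: the new section title `Load-balancing Console Proies` is misspelled; correcting it to `Load-balancing Console Proxies` makes the title 30 characters, so the `~` underline must be lengthened to at least that or docutils will reject the section title. The same bare-asterisk problem as in the previous hunk appears in `The desired domain name, prefixed with ``*.``; for example, *.consoleproxy.company.com`: put the example in double backticks as well. Minor: `a SSL certificate` reads better as `an SSL certificate`, and a blank line after the new title underline would match the rest of the file. Dropping the duplicated `The desired new domain name; for example, company.com` item from the numbered step is correct.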

