Ceph RGW SSL Made Simple

ceph-rgw-ssl

It’s been a while since Ceph Rados Gateway (RGW) has built-in support for SSL. In this blog post we will quickly cover how to setup SSL for RGW and adding another layer of security to object storage endpoint without much efforts.

The first ingredient we require to configure SSL endpoint is “SSL Certificate” itself which must be obtained through an official certification authority, or CA. Its CA’s responsibilities to confirm the certificate’s identity as well as assert for its authenticity. For demonstration purpose we will use self-sign certificate, however it’s recommended to acquire SSL certificate through aurhotuzed CA for production usage.

Note: If you already have SSL certificate for your domain you can skip the following steps and edit /etc/ceph/ceph.conf file to configure SSL. If you don’t have one and want to use self-sign certs, keep on reading.

On Ceph RGW node generate a self-sign certificate

1	`[[email protected] ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ceph-rgw-cert.key -out /etc/ssl/certs/ceph-rgw.crt`

Sample output

[[email protected] ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ceph-rgw-cert.key -out /etc/ssl/certs/ceph-rgw.crt
Generating a 2048 bit RSA private key
.................+++
..............+++
writing new private key to '/etc/ssl/private/ceph-rgw-cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:FI
State or Province Name (full name) []:Espoo
Locality Name (eg, city) [Default City]:Espoo
Organization Name (eg, company) [Default Company Ltd]: HomeLaB
Organizational Unit Name (eg, section) []:storage-testing
Common Name (eg, your name or your server's hostname) []:rgw1
Email Address []:
[[email protected] ~]#

Merge SSL certificate private key with certificate key.

1	`[[email protected] ~]# cat /etc/ssl/private/ceph-rgw-cert.key >> /etc/ssl/certs/ceph-rgw.crt`

Note: If you skip the above the above step then most likely you will get the following error

2017-09-14 09:27:25.452233 7f2209bac9c0  0 civetweb: 0x7f2209e15dc0: set_ssl_option: cannot open /etc/ssl/private/ceph-rgw-cert.key: error:0906D06C:PEM routines:PEM_read_bio:no start line

Finally add SSL certificate details to /etc/ceph/ceph.conf as shown below

rgw_frontends = civetweb port=192.168.10.50:443s num_threads=50 ssl_certificate=/etc/ssl/certs/ceph-rgw.crt

Note: If you have firewall in place, make sure you open port 443 (or whatever port you are using)

Restart Ceph RGW service and verify RGW port is Listening

[[email protected] ~]# systemctl restart [email protected]
[[email protected] ~]# netstat -plunt | grep -i radosgw
tcp        0      0 192.168.10.50:443        0.0.0.0:*               LISTEN      5831/radosgw
[[email protected] ~]#

Test it using curl by adding --insecure flag, since this is a self sign certifiocate we need to use --insecure.

1
2
3

[[email protected] ~]# curl https://192.168.10.50 --insecure
<?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>anonymous</ID><DisplayName></DisplayName></Owner><Buckets></Buckets></ListAllMyBucketsResult>[[email protected] ~]#
[[email protected] ~]#

Quick & Easy SSL …. Yeah

Karan Singh

Where there's a Cloud , there's a way !!

Ceph RGW SSL Made Simple

Comments