Enabling SSL Connections

This procedure describes how to enable SSL connections in HPE Ezmeral Runtime Enterprise deployments for which SSL was not enabled during the initial deployment process.

Prerequisites

You are logged into the active Controller host as the user account that was used to install HPE Ezmeral Runtime Enterprise.

About this task

If you followed the instructions in Adding an SSL Certificate during the HPE Ezmeral Runtime Enterprise deployment process, you do not need to complete this task.

Use this procedure to enable SSL connections on an existing HPE Ezmeral Runtime Enterprise deployment.

Procedure

  1. Either generate or obtain an SSL certificate that includes the correct set of hostnames in the Common Name (CN) or Subject Alternative Name (SAN) field:
    Include the following hostnames:
    • HPE Ezmeral Runtime Enterprise Controller hostname.
    • Common HPE Ezmeral Runtime Enterprise Gateway hostname.
    • If the deployment has more than one Gateway host, include the additional HPE Ezmeral Runtime Enterprise Gateway hostnames.
    If Platform HA is enabled, also include the following hostnames:
    • The HPE Ezmeral Runtime Enterprise Shadow Controller hostname.
    • If your deployment uses a cluster IP address, then also include the hostname associated with that cluster IP address.
  2. Place both the host SSL certificate and the private key on the Controller host.

    If your deployment has a Shadow Controller, ensure that you create the same directory paths on the Shadow Controller that you create on the Controller. The files are copied from the Controller to the Shadow Controller, but the copy operation will fail if the path does not exist on the Shadow Controller.

    The certificate and key files must be readable by the webserver process, according to Linux file permissions and the SELinux configuration.

    • RHEL:

      A standard way to do this is to assign 644 permissions to the certificate and key files and place them in the /etc/pki/tls/certs directory.

      However, you can place the files in the directory of your choice.

    • SLES:

      The commands in this procedure assume you are using the following standard directories:

      /etc/pki/tls/certs
      /etc/pki/tls/private

      However, you can place the files in the directories of your choice.

      Create the following directories:
      mkdir -p /etc/pki/tls
      mkdir -p /etc/pki/tls/certs
      mkdir -p /etc/pki/tls/private
      Assign 755 permissions to the directories that hold the certificate and key files:
      chmod 755 /etc/pki/tls
      chmod 755 /etc/pki/tls/certs
      chmod 755 /etc/pki/tls/private
  3. Execute ssl.sh, specifying the file paths to the certificate and key files.
    /opt/bluedata/bundles/hpe-cp-*/startscript.sh -a ssl --ssl-cert=<filepath-to-cert> --ssl-priv-key=<filepath-to-key> --ssl-ca-data=<filepath-to-ca-data> 

    The --ssl-ca-data=<filepath-to-ca-data> argument is optional. It specifies the file path to the certificate authority data.

    The script supports both HA and non-HA environments.

    Example:

    /opt/bluedata/bundles/hpe-cp-*/startscript.sh -a ssl --ssl-cert=/etc/pki/tls/certs/server.crt --ssl-priv-key=/etc/pki/tls/private/server.key
  4. Verify that the HPE Ezmeral Runtime Enterprise web interface accepts HTTPS connections and that unsecure HTTP connections are no longer accepted.
  5. If your HPE Ezmeral Runtime Enterprise deployment has one or more existing Kubernetes clusters, change the secret that is used by the hpecp-agent operator to communicate with the control plane when creating services:

    On each Kubernetes Master node, execute the following commands:

    # Read the current (base64-encoded) service URL from the secret.
    URL=$(kubectl -n hpecp get secrets/hpecp-session-secret -o jsonpath='{.data.k8s-cluster-services-url}' | base64 --decode)
    # Rewrite only the URL scheme, so a value that is already https is left unchanged and no other "http" text in the URL is touched.
    MOD_URL=$(echo -n "$URL" | sed 's#^http://#https://#' | base64 -w 0)
    kubectl -n hpecp patch secret hpecp-session-secret --type='json' -p="[{\"op\" : \"replace\" ,\"path\" : \"/data/k8s-cluster-services-url\" ,\"value\" : \"$MOD_URL\"}]"

    The preceding commands fetch the current secret, change the http scheme to https, and then update the secret with the modified value.

  6. In the Gateway Settings tab, enable SSL termination. You can use either the same SSL certificate file you created or obtained at the beginning of this procedure, or a separate SSL certificate file.
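The following script is an added example (not part of the HPE documentation or product) that automates the checks behind steps 1 and 4: it confirms the certificate a host serves covers every required hostname in its SAN or CN, and that plain HTTP is no longer accepted. The hostnames are placeholders you replace with your deployment's Controller, Gateway, Shadow Controller and cluster IP hostnames.

```python
"""Post-SSL checks: the served certificate must cover the Controller,
Gateway, Shadow Controller and cluster-IP hostnames (step 1) and plain
HTTP must be refused (step 4). Added example, not HPE code."""
import http.client
import socket
import ssl

def san_names(cert):
    """DNS names from the SAN extension plus the subject CN, lower-cased
    (cert is the dict returned by SSLSocket.getpeercert())."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.add(v.lower())
    return names

def name_matches(pattern, host):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    host = host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return False

def missing_hostnames(cert, required):
    """Required hostnames that no SAN or CN entry in cert covers."""
    names = san_names(cert)
    return [h for h in required if not any(name_matches(n, h) for n in names)]

def fetch_cert(host, port=443):
    """Live check: the certificate the web server presents for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def plain_http_accepted(host, port=80):
    """True only if an unencrypted request gets a 2xx; a refused connection
    or a redirect to https counts as 'no longer accepted'."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", "/")
        return 200 <= conn.getresponse().status < 300
    except OSError:
        return False
```

Run it as `missing_hostnames(fetch_cert(h), required)` and `plain_http_accepted(h)` for each required hostname h; fetch_cert uses the system trust store, so a certificate issued by a private CA needs that CA loaded with `ctx.load_verify_locations()` first.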