...

In current CloudStack, communication between the agent and the management server (on port 8250 by default) is encrypted but only weakly secured: it uses one-way SSL authentication, which allows any client/agent to connect and be served by the management server. Other services also need TLS/SSL security, and upcoming features such as the container/application service require certificate management. The common issue is that CloudStack has no certificate management to secure its internal components, especially agent-to-management-server and management-server-to-management-server communication. The aim of this feature is to provide pluggable CA (certificate authority) management in CloudStack that can fetch/provision certificates to (new) hosts and system VMs. As the default CA plugin, a root CA plugin will be implemented in which CloudStack becomes a self-signed root certificate authority. Developers will have the option to implement further integrations with their TLS/SSL certificate providers, such as Let's Encrypt and other vendors.
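The trust model described above, as an added example written in Go (it is not CloudStack code and not part of this specification): a self-signed root CA issues an agent certificate, and the server-side chain check that mutual TLS adds accepts only certificates issued by that root. The function names `issue` and `agentTrusted` and all certificate subjects are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn: a self-signed root CA when parent is nil,
// otherwise a client-auth leaf signed by parent. All names are constructed samples.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root: allowed to sign other certificates
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	} else { // leaf: usable only to authenticate as a TLS client
		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// agentTrusted is the chain check a server applies to the client certificate when it
// requires mutual TLS; under one-way TLS no such check happens and any client is served.
func agentTrusted(agent *x509.Certificate, cas *x509.CertPool) bool {
	_, err := agent.Verify(x509.VerifyOptions{Roots: cas, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	root, rootKey := issue("constructed-root-ca", nil, nil)
	other, otherKey := issue("constructed-other-ca", nil, nil)
	cas := x509.NewCertPool()
	cas.AddCert(root) // the server trusts only its own root CA
	agent, _ := issue("agent-1", root, rootKey)
	stranger, _ := issue("agent-1", other, otherKey) // same name, different issuer
	fmt.Println(agentTrusted(agent, cas), agentTrusted(stranger, cas)) // true false
}
```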

NOTE: API names, global settings names and some details of the FS may be changed until the final PR is submitted.

Feature Specification

• A pluggable CA service framework will be implemented that provides pluggable means to initialize SSLContexts in the management server. The plugins can implement their own trust management to validate and verify incoming client requests and security.
• A CA plugin can have its own specific settings, APIs, etc.
• The pluggable CA service framework will enable a custom CA plugin to implement its own background task service to monitor the list of active agents/clients for expiring certificates and failing authentication, send out alerts, etc.
• Certificate lifecycle operations such as creating, renewing, revoking and provisioning/propagating certificates will be provided by the framework; however, the mechanisms will be implemented by a CA plugin.
• Two new CA plugins will be created:

...