The SSL Offloading feature allows loadbalancers to handle encryption/decryption of HTTP(S) traffic, handing plaintext HTTP to the backend servers and freeing them from the resource-intensive task of handling encryption/decryption. Major loadbalancers like the NetScaler and F5 have this functionality. This document is a functional spec for adding certificate management and implementing SSL offload capability for CloudStack-provisioned loadbalancers.
Version | Author | Date | Changes |
---|---|---|---|
V1.0 | Syed Ahmed | 07-Oct-2013 | Initial Draft |
V1.1 | Syed Ahmed | 08-Oct-2013 | Changing name & updating uploadSSLCert to include certificate chain |
V1.2 | Will Stevens | 22-Sep-2014 | Added support for Projects as well as allowing an admin to assign certs to one of their users accounts |
- `AssignToLoadBalancerRule`: if there is a certificate id in the request, the `execute()` method of the command calls `assignSslCertToLoadBalancer(lb_id, certId)` in `LoadBalancingRulesManagerImpl`.
- `assignSslCertToLoadBalancer` checks whether the loadbalancer is capable of SSL. If not, an error is returned.
- Add `applyLoadBalancerConfig`, which calls `applyLoadBalancerRules` with the `lbId`.
- The `getLoadBalancerRuleToApply` function should also add `getSslCertificates(lbId)`, which gets called from `applyLoadBalancerConfig`, so that the rule has the SSL certificate info as well.
- In `applyLBRules` of the `NetscalerElement`, the SSL info is passed inside the rule. The `SslOffload` capability is checked if the rule has certificate info.
- `NetscalerElement` creates a `LoadBalancerTO`, which transfers the params to the resource layer. `LoadBalancerTO` should contain `SslCertTO` for holding certificate information.
- Add a `Capability` named `SslOffload` in the static class `Capability` in `Network.java`.
- `NetscalerElement`, when checking `canHandleLbRules`, will check for an SSL rule and respond accordingly.
- `LoadBalancingRule` will have a new static class `LbSslCert` and a `List<LbSslCert>` for holding the certificate(s).
- `LoadBalancerTO` will have a new parameter for passing certificate information: an array `SslCertTO[]` for holding the certificates.

The loadbalancing rule will have a new subclass for SSL certs:
```java
import java.util.List;

// rule for SSL certificates
public class LoadBalancingRule {
    // ...
    public static class LbSslCert {
        String cert;
        String key;
        String password;
        boolean _revoke;

        public LbSslCert(String cert, String key, String password) {
            this.cert = cert;
            this.key = key;
            this.password = password;
        }
    }

    // certificate(s) attached to this rule
    private List<LbSslCert> sslCerts;

    public void setSslCerts(List<LbSslCert> certs) {
        this.sslCerts = certs;
    }

    public List<LbSslCert> getSslCerts() {
        return sslCerts;
    }
    // ...
}
```
The transfer object should also be able to pass SSL certs:

```java
// TO for SSL certificates
public class LoadBalancerTO {
    // ...
    public SslCertTO[] sslCerts;

    public static class SslCertTO {
        String cert;
        String key;
        String password;
        boolean _revoke;

        public SslCertTO(String cert, String key, String password) {
            this.cert = cert;
            this.key = key;
            this.password = password;
        }
    }
    // ...
}
```
ssl_certs(id, uuid, account_id, cert, key, password)
Field name | Type | Allow nulls | Key | Default value |
---|---|---|---|---|
id | bigint(20) unsigned | No | Primary | Null |
uuid | varchar(40) | Yes | Unique | Null |
account_id | bigint(20) | No | Mul | Null |
certificate | text | No | None | Null |
chain | text | Yes | None | Null |
key | text | No | None | Null |
password | varchar(255) | Yes | None | Null |
domain_id | bigint(20) unsigned | No | Mul | Null |
load_balancer_cert_map(id, load_balancer_id, certificate_id, revoke, state)
Field name | Type | Allow nulls | Key | Default value |
---|---|---|---|---|
id | bigint(20) unsigned | No | Primary | Null |
uuid | varchar(40) | Yes | None | Null |
load_balancer_id | bigint(20) | No | Mul | Null |
certificate_id | bigint(20) | No | Mul | Null |
revoke | tinyint(1) | No | None | 0 |
This section lists the new webservice APIs for certificate management. They are derived from their AWS equivalents (UploadServerCertificate, ListServerCertificates, GetServerCertificate, DeleteServerCertificate).
uploadSslCert: Uploads a new SSL certificate-key pair.
Request parameters:
Response parameters:
http://10.x.x.x:8080/client/api?command=uploadSslCert&certificate=-----BEGIN+CERTIFICATE-----<certificate>-----END+CERTIFICATE-----&privatekey=-----BEGIN+RSA+PRIVATE+KEY----<privatekey>-----END+RSA+PRIVATE+KEY-----
Note: The certificate, key and chain should be UTF-encoded in the URL.
deleteSslCert: Deletes an existing SSL cert from CloudStack.
Request parameters:
Response parameters:
http://10.x.x.x:8080/client/api?command=deleteSslCert&id=7
listSslCerts: The response is a list of the following:
http://10.x.x.x:8080/client/api?command=listSslCerts&accountid=2
For associating the certificates with loadbalancing rules, we need the following APIs.
Request parameters:
http://10.x.x.x:8080/client/api?command=assignCertToLoadBalancer&certid=138ad12e-a486-44e3-bb02-7a55d0813174&lbruleid=47
Request parameter to be added:
http://10.x.x.x:8080/client/api?command=removeCertFromLoadBalancer&lbruleid=47
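The example URLs above show the commands with their parameters but not how a client authenticates them. The following Python script is an added example, not code from this document or from CloudStack itself; it builds a signed `uploadSslCert` request using CloudStack's documented API-key signing scheme (parameters sorted by name, values URL-encoded with `%20` for spaces, the whole string lowercased, HMAC-SHA1 with the account's secret key, base64, then URL-encoded as the `signature` parameter) and includes the matching server-side verification. The API key, secret key and the truncated PEM blocks are constructed placeholders; the endpoint follows the `http://10.x.x.x:8080/client/api` form used on this page.

```python
"""Signed CloudStack API request for uploadSslCert (added example, not CloudStack's own code).

CloudStack's documented request signing: sort the parameters by name, URL-encode each value
with %20 for spaces, lowercase the whole string, HMAC-SHA1 it with the account's secret key,
base64-encode the digest and URL-encode the result as the 'signature' parameter.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlsplit

# Constructed values; a real account's API key and secret key come from the CloudStack UI.
API_KEY = "EXAMPLE-API-KEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY"
ENDPOINT = "http://10.x.x.x:8080/client/api"  # endpoint form used in this page's examples

# Constructed, truncated PEM placeholders; a real request carries the complete blocks.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIDBjCCAe4C...\n-----END CERTIFICATE-----"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKC...\n-----END RSA PRIVATE KEY-----"


def encode_value(value: str) -> str:
    """URL-encode a parameter value the way the server does when it recomputes the signature:
    spaces become %20, never '+', so a PEM block with spaces and newlines signs consistently."""
    return quote_plus(value).replace("+", "%20")


def signature_base(params: dict) -> str:
    """The exact string that gets signed: name=encoded-value pairs, sorted by name, all lowercase."""
    pairs = [f"{name}={encode_value(params[name])}" for name in sorted(params, key=str.lower)]
    return "&".join(pairs).lower()


def sign(params: dict, secret: str) -> str:
    """HMAC-SHA1 over the signature base, base64-encoded (the raw 'signature' value)."""
    digest = hmac.new(secret.encode(), signature_base(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_signed_url(command: str, extra: dict, api_key: str = API_KEY, secret: str = SECRET_KEY) -> str:
    """Client side: assemble the request URL, signature included. The secret never goes on the wire."""
    params = {"command": command, "apiKey": api_key, "response": "json", **extra}
    query = "&".join(f"{name}={encode_value(value)}" for name, value in params.items())
    return f"{ENDPOINT}?{query}&signature={quote_plus(sign(params, secret))}"


def verify_signed_url(url: str, secret: str) -> bool:
    """Server side: recompute the signature over every parameter except 'signature' and compare
    in constant time. Any change to a parameter after signing, such as swapping the certificate
    or the lbruleid, makes the check fail."""
    parsed = {name: values[0] for name, values in parse_qs(urlsplit(url).query).items()}
    presented = parsed.pop("signature", "")
    return hmac.compare_digest(presented, sign(parsed, secret))


if __name__ == "__main__":
    url = build_signed_url("uploadSslCert", {"certificate": CERT_PEM, "privatekey": KEY_PEM})
    print(url)
    print("signature valid:", verify_signed_url(url, SECRET_KEY))
```

The `%20` substitution in `encode_value` is the detail that most often breaks hand-written clients: the server recomputes the signature with `%20` for spaces, so a client that signs with `+` produces a valid-looking URL whose signature never verifies.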
The certificates can be accessed as a tab on the Accounts page.
Note: I cannot get the certificate to display as a block.
The actual certificate looks like this:

```
-----BEGIN CERTIFICATE-----
MIIDBjCCAe4CCQCEkqahWR0hjjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMB4XDTEzMTAyMTEzNTIyMFoXDTE0MTAyMTEzNTIyMFowRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN6wEhbwZgBfgh5+fE1OYm9B7jA+IMbraIY80IyV2ERbNXJoi2/XrDtAr5NAxWkL
qpaccOA4XupMUWzUCpDxa9M7L/QfCP6PFEJnJZ2dCPvosZQKuFcj+h9LHsK5nVW6
1Zkh9HhtbdIS6l1JsV/119ZJGxzoGUEJPdEnsNt1cE1cW8sKvMo5GC2toZQV4d96
17IpMuyRYhdEyRNq+sDQetAUDHYthBK7QVDy/9Sw+/lbgf2OsWacIrysDCF3hXc0
qyNoBgp/s39NZDXx49GKwNmx9IuRV+P/WEqXfDxSDmHP4APtzDTtMTFnIW8+gH4z
0GkeLRi7EQY48LyyGcB88lkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAlgx04bvU
/EE5z7lJsYmUM2oi8FjqZcZkD4F1ku7zvdAXaDNhOHjrR5LxGL+iI/N9S8lKVeSV
xZv+EXAT0NqkTidNFjvP7coctDrrM+JHSNTRlr2GnnYjCnjEph4+ZXNppx8vnhXe
7jDnHoXL/C5GIPOm0+LQaH1AlGTPF0lnBrtQaz1UG34vCr8SSUtRbTDDxH/liXfc
hfvVnf4OV5Duj0oUXsmB3YzITYZnZ/xvZ4Dw6rOU/U5Vetng+msOOt8momeTCnWB
/d1clA7rulJTCNZXb0YyaUNaC6eQX7S9JHnluB67b9yp4yg8f00qz4xR165eTQmq
mLiuE/U5fTODvA==
-----END CERTIFICATE-----
```
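Before a certificate like the one above is handed to `uploadSslCert` and pushed to a loadbalancer, an operator normally wants to know whether it is expired, self-signed, or signed with a weak algorithm. The following Python script is an added example, not part of this document or of CloudStack: it converts the PEM block to DER and walks the X.509 `TBSCertificate` structure with a minimal, stdlib-only ASN.1 reader to pull out the serial number, signature algorithm OID, validity period and issuer/subject, then reports findings. The embedded certificate is the sample shown on this page; the OID-to-name table and the finding labels are the script's own.

```python
"""Pre-upload sanity checks on a PEM certificate (added example, not CloudStack code).

Stdlib only: PEM -> DER, then a minimal DER walk over the X.509 TBSCertificate to read the
serial, signature algorithm, validity and issuer/subject, and flag what an operator should
know before the certificate reaches a loadbalancer.
"""
import base64
import re
from datetime import datetime, timezone

# The sample certificate shown on this page (openssl default test subject, valid 2013-2014).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIDBjCCAe4CCQCEkqahWR0hjjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMB4XDTEzMTAyMTEzNTIyMFoXDTE0MTAyMTEzNTIyMFowRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN6wEhbwZgBfgh5+fE1OYm9B7jA+IMbraIY80IyV2ERbNXJoi2/XrDtAr5NAxWkL
qpaccOA4XupMUWzUCpDxa9M7L/QfCP6PFEJnJZ2dCPvosZQKuFcj+h9LHsK5nVW6
1Zkh9HhtbdIS6l1JsV/119ZJGxzoGUEJPdEnsNt1cE1cW8sKvMo5GC2toZQV4d96
17IpMuyRYhdEyRNq+sDQetAUDHYthBK7QVDy/9Sw+/lbgf2OsWacIrysDCF3hXc0
qyNoBgp/s39NZDXx49GKwNmx9IuRV+P/WEqXfDxSDmHP4APtzDTtMTFnIW8+gH4z
0GkeLRi7EQY48LyyGcB88lkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAlgx04bvU
/EE5z7lJsYmUM2oi8FjqZcZkD4F1ku7zvdAXaDNhOHjrR5LxGL+iI/N9S8lKVeSV
xZv+EXAT0NqkTidNFjvP7coctDrrM+JHSNTRlr2GnnYjCnjEph4+ZXNppx8vnhXe
7jDnHoXL/C5GIPOm0+LQaH1AlGTPF0lnBrtQaz1UG34vCr8SSUtRbTDDxH/liXfc
hfvVnf4OV5Duj0oUXsmB3YzITYZnZ/xvZ4Dw6rOU/U5Vetng+msOOt8momeTCnWB
/d1clA7rulJTCNZXb0YyaUNaC6eQX7S9JHnluB67b9yp4yg8f00qz4xR165eTQmq
mLiuE/U5fTODvA==
-----END CERTIFICATE-----"""

# Signature algorithm OIDs this script knows by name (others are reported as the raw OID).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the CERTIFICATE markers and decode it strictly."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def children(seq: bytes):
    """Split the contents of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        out.append((tag, val))
    return out


def decode_oid(raw: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_time(tag: int, raw: bytes) -> datetime:
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18, four-digit year), both UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_certificate(pem: str) -> dict:
    """Walk Certificate -> tbsCertificate and return the fields the checks need."""
    _, cert, _ = read_tlv(pem_to_der(pem), 0)
    fields = children(children(cert)[0][1])   # tbsCertificate elements in order
    if fields[0][0] == 0xA0:                    # explicit [0] version is absent on v1 certs
        fields = fields[1:]
    serial, sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = children(validity[1])
    oid = decode_oid(children(sig_alg[1])[0][1])
    return {
        "serial": serial[1].hex(),
        "sig_alg_oid": oid,
        "sig_alg": SIG_ALG_NAMES.get(oid, oid),
        "not_before": parse_time(*not_before),
        "not_after": parse_time(*not_after),
        "self_signed": issuer[1] == subject[1],  # byte-identical DER Name encodings
    }


def check_certificate(pem: str, now: datetime = None) -> list:
    """Findings an operator would want before the certificate is attached to an LB rule."""
    now = now or datetime.now(timezone.utc)
    info = parse_certificate(pem)
    findings = []
    if info["not_after"] < now:
        findings.append("expired")
    if info["not_before"] > now:
        findings.append("not yet valid")
    if info["self_signed"]:
        findings.append("self-signed")
    if info["sig_alg"].startswith("sha1"):
        findings.append("sha1 signature")
    return findings


if __name__ == "__main__":
    print(parse_certificate(SAMPLE_PEM))
    print("findings:", check_certificate(SAMPLE_PEM))
```

Run against the page's sample, the script reports the certificate as expired (valid 21 Oct 2013 to 21 Oct 2014), self-signed (issuer and subject are the same Name) and SHA-1 signed; the same walk works on any v1 or v3 certificate because the optional version element is skipped when present.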
No external dependencies are being added for this feature. All code will be developed within CloudStack's scope.