HPE Helion OpenStack 8

Security Guide

Publication Date: 05/02/2024
1 HPE Helion OpenStack®: Security Features Overview
1.1 Security features in HPE Helion OpenStack 8
1.2 Role-Based Access Control (RBAC) Support for Neutron Networks
1.3 Separate Service Administrator Role
1.4 Inter-service Password Enhancements
1.5 SELinux for KVM
1.6 Data In Transit Protection
1.7 Data-at-Rest Protection Using Project-Based Encryption
1.8 CADF-Compliant Security Audit Logs
1.9 PCI Readiness
1.10 Glance-API Rate Limit to Address CVE-2016-8611
2 Key Management with the Barbican Service
2.1 Barbican Service Overview
2.2 Key Features
2.3 Installation
2.4 Auditing Barbican Events
2.5 Barbican Key Management Service Bootstrap Data
2.6 Known issues and workarounds
3 Key Management Service Administration
3.1 Post-installation verification and administration
3.2 Updating the Barbican Key Management Service
3.3 Barbican Settings
3.4 Enable or Disable Auditing of Barbican Events
3.5 Updating the Barbican API Service Configuration File
3.6 Starting and Stopping the Barbican Service
3.7 Changing or Resetting a Password
3.8 Checking Barbican Status
3.9 Updating Logging Configuration
4 HPE Helion OpenStack®: Service Admin Role Segregation in the Identity Service
4.1 Overview
4.2 Pre-Installed Service Admin Role Components
4.3 Features and Benefits
4.4 Roles
5 Role-Based Access Control in Neutron
5.1 Creating a Network
5.2 Creating an RBAC Policy
5.3 Listing RBACs
5.4 Listing the Attributes of an RBAC
5.5 Deleting an RBAC Policy
5.6 Sharing a Network with All Tenants
5.7 Target Project (demo2) View of Networks and Subnets
5.8 Target Project: Creating a Port Using demo-net
5.9 Target Project Booting a VM Using Demo-Net
5.10 Limitations
6 Configuring Keystone and Horizon to use X.509 Client Certificates
6.1 Keystone configuration
6.2 HAProxy Configuration
6.3 Create CA and client certificates
6.4 Horizon configuration
6.5 Browser configuration
6.6 User accounts
6.7 How it works
7 Transport Layer Security (TLS) Overview
7.1 Comparing Clean Installation and Upgrade of HPE Helion OpenStack
7.2 TLS Configuration
7.3 Enabling TLS for MySQL Traffic
7.4 Enabling TLS for RabbitMQ Traffic
7.5 Troubleshooting TLS
8 HPE Helion OpenStack®: Preventing Host Header Poisoning
9 Encryption of Passwords and Sensitive Data
9.1 SSH Introduction
9.2 Protecting sensitive data on the Cloud Lifecycle Manager
9.3 Interacting with Encrypted Files
10 Encryption of Ephemeral Volumes
10.1 Enabling ephemeral volume encryption
11 Refining Access Control with AppArmor
11.1 AppArmor in HPE Helion OpenStack 8
12 Data at Rest Encryption
12.1 Configuring KMIP and ESKM
12.2 Configuring Cinder volumes for encryption
12.3 For More Information
13 Glance-API Rate Limit (CVE-2016-8611)
14 Security Audit Logs
14.1 The need for auditing
14.2 Audit middleware
14.3 Centralized auditing configuration

Copyright © 2006–2024 SUSE LLC and contributors. All rights reserved.

Except where otherwise noted, this document is licensed under the Creative Commons Attribution 3.0 License.

For SUSE trademarks, see http://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.