Communication

Scope

Communication from the external environment to Cloudify Manager and its SSL/TLS configuration is the user’s responsibility (CA/host verification, etc.), where the endpoints include the UI and REST API. Communication between Cloudify Agents and Cloudify Manager (and within Cloudify Manager) is the responsibility of Cloudify and is determined by Cloudify. Cloudify generates the necessary certificates for internal communication. Credentials do not appear in log files (cloud/ RabbitMQ/ Cloudify).

Communication Channels

• Internal services access the REST API/ file server over HTTPS on port 53333 through the manager’s private IP with a Cloudify-generated authentication token.
• External access to REST API/ file server (e.g. CLI, UI) is done by default over HTTP through the manager’s public IP but can be configured to use HTTPS with a customer-signed certificate. Authentication is done via a Cloudify-generated authentication token or with a username and password.
• Agents access the manager over two secure channels: AMQP (5671) and HTTPS (53333). By default, agents access the manager over its private IP, but it can be configured to use other additional IPs.

SSL for Internal Communication

All internal communications between internal services/ agents and the REST API/ RabbitMQ are done over SSL.

During the bootstrap, the manager creates (or accepts as input) an internal CA certificate and key. Cloudify then creates an SSL keypair with a matching certificate that contains the private IP and all the management network IPs as its CN value. The keypair is used by both RabbitMQ and REST API/ file server for internal access.

As part of the agent’s installation script, Cloudify’s internal CA certificate is propagated to the agent’s host in order to validate the manager’s certificate. There are no agent-host certificates.

Customizing SSL for Internal Communication

You can override the Internal Manager certificate and the CA certificate in the Cloudify Manager configuration. To provide a custom internal CA certificate for the agents to use, add the ca_certificate and optionally ca_key inputs must be set in the /etc/cloudify/config.yaml file during (installation or update of the Cloudify Manager. To provide a custom internal certificate, use the internal_certificate and internal_key inputs. If none are provided, Cloudify will generate the CA and the internal certificate automatically.

SSL Mode for External Communication

Cloudify Manager by default doesn’t use SSL for external communication. You can set the manager to use SSL for external communication during bootstrap or after bootstrap.

During bootstrap, you can edit the manager blueprint input. In the Security Settings section, set ssl_enabled parameter to true, in order to set the manager SSL mode.

You can set the rest_certificate and rest_key parameters, to use your own certificate. If missing, the manager will auto-generate the certificate.

After the initial installation, you can alter the entries in /etc/cloudify/config.yaml and run cfy_manager configure again to change the Cloudify Manager settings. You can also change the manager certificate by using the replace methods under cfy certificates.

When you install with the SSL mode, the certificate will be copied to the local CLI profile. When using a CA-signed certificate, provide the CA as the external_ca_cert_path input.

In order to update the certificate in the CLI profile, run the following command:

cfy profile set --rest-certificate CA_CERT_PATH

In case you renew the certificate, update it on the manager by using the replace methods under:

cfy certificates