Manage IQ encryption

codebeaver22 · October 4, 2017, 1:09pm

Good morning.

I need to understand the protection for data in transit that occurs under the following 2 configurations:

Multi-region MIQ (i.e. between the Global region and the Remote region): I understand that the password if encrypted with the v2_key. Is it only the password that is encrypted? Is the data in transit encrypted as well? Which encryption protocol?
In my case it is the MIQ to OpenStack communication: I am assuming the “control & data” information is exchanged using https based REST API calls to protect the data in transit. Is this the case?

Thank you in advance for your answers.

jprause · October 11, 2017, 12:16pm

@abellotti or @jntullo see point #2. Would you be able to assist.

abellotti · October 12, 2017, 5:35am

Hi John,

I’m not sure Point #2 pertains to our REST API. might be a provider communication thing /cc @agrare

For our REST API, the communication itself is over https so yes encrypted. For region to region calls over our REST API using the ManageIQ API Client, those too are https encrypted.

Alberto

pemcg · October 12, 2017, 7:38am

When you add an OpenStack provider, you get the option of specifying the security protocol to be used; either SSL without validation, SSL, or Non-SSL. The choice obviously depends on whether OpenStack has been setup to accept secure API connections.

Database replication from a subordinate to master region uses pglogical (https://www.2ndquadrant.com/en/resources/pglogical/). From a cursory glance at the docs it doesn’t look like it encrypts the data stream (but others here may know more).

pemcg

codebeaver22 · October 17, 2017, 2:21pm

Thank you for your reply @abellotti. I would like to know more about the ManageIQ API Client. Can you direct me where I could get more info.

Regards

Mario

codebeaver22 · October 17, 2017, 3:31pm

That’s right I had forgotten about that initial selection when binding/registering OpenStack to ManageIQ. Great info as well for the pglogical component for database replication as well.

How about CMP to CMP communication when you have a federated implementation using MIQ. For example, logged in into the global MIQ (say region 99) and provisioning a VM in region 01 from region 88. I am assuming that it has nothing to do with database replication as you instantiate the request so I am also assuming that a set of REST API calls is performed from region 99 to region 01. Am I right?

Thank you @pemcg for sharing your knowledge.

Mario

codebeaver22 · October 17, 2017, 4:28pm

Oups, I asked the same question. So please @pemcg disregard my latest question as it was answered by @abellotti Thanks to both of you.

Mario