Add HAProxy with SSL certificates (optional)

Blue Planet HAProxy is a high availability (HA) component that provides load balancing and recovery. Blue Planet HA manages multiple hardware instances (a cluster) as a single site.

To deploy HAProxy:

  • You must have an odd number of nodes to form a cluster.

  • Each node in the cluster must have a logical IP address that can be assigned to any other node.

By default, HAProxy has a self-signed SSL certificate. Ciena recommends that you replace the default certificate with one signed by a trusted authority. The SSL configuration directory is volume-mounted from the host machine into the Docker container. The HAProxy container retrieves the keys after you place them in the proper host location.

Complete the following steps to update the HAProxy SSL certificates.

  1. Create a bp2/haproxy/ssl directory on the host. (If the directory already exists, you can skip this step.)

    $ mkdir -p /etc/bp2/haproxy/ssl
  2. Copy the trusted SSL keys found on Blue Planet to a temporary folder and combine the certificate and private key into a single server.pem file, as shown in this example.

    $ cat <domain>.crt <domain>.key > server.pem
  3. Go to the SSL directory, /etc/bp2/haproxy/ssl, and delete the default SSL certificates.

  4. Move the server.pem file to the ssl directory.

    $ mv server.pem /etc/bp2/haproxy/ssl/.
  5. Set the file permissions for server.pem.

    $ chmod 600 /etc/bp2/haproxy/ssl/server.pem
  6. For a multi-host HA cluster, synchronize the HAProxy configuration across all hosts that are on multi-host sites. (If you are configuring a single-host site, you can skip this step.)

    $ bp2-site sync-site-config
  7. For a multi-host HA cluster, verify the synchronization. (If you are configuring a single-host site, you can skip this step.)

    $ bp2-site diff-site-config
  8. Start Solution Manager as a root user. Solution Manager is active when you see the (cmd) prompt.

    $ sudo -s
    # solman
    (cmd)
  9. Restart the HAProxy containers.

    Note

    The software versions listed in this procedure are examples. To view the version numbers of your software, enter the docker images command with the grep option from the Linux command prompt.

    The syntax is: docker images | grep solution-platform.

    (cmd) solution_app_restart bpdr.io.blueplanet.platform:16.09.02 haproxy
  10. (optional) Complete these steps if you want to customize the global SSL default bind and cipher values.

    1. Create a file named ssl_default_bind_options containing the values to use in the global HAProxy configuration section. This example disables SSL v3 and TLS v1.0.

      echo 'no-sslv3 no-tlsv10' > /etc/bp2/haproxy/ssl_default_bind_options
    2. Create a file named ssl_default_bind_ciphers containing the values to use in the global HAProxy configuration section. This example sets the following ciphers: ECDH+AESGCM:DH+AESGCM:ECDH+AES256.

      echo 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256' > /etc/bp2/haproxy/ssl_default_bind_ciphers
    3. The /usr/share/haproxy/ssl_default_bind_<options|ciphers>.eg files within the HAProxy container contain default values. You can use the .eg files as a starting point for config files in /etc/bp2/haproxy.
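
The combined server.pem from steps 2 to 5 can be sanity-checked on the host before the HAProxy containers are restarted. The shell functions below are an added example, not part of the Blue Planet documentation or tooling; the function names are hypothetical, and the key-match check assumes the openssl command is installed on the host.

```shell
#!/bin/sh
# Added example: pre-restart checks for the combined server.pem.
# Function names are hypothetical; they are not Blue Planet or HAProxy commands.

# Succeeds if the file holds at least one certificate and exactly one private key.
pem_has_cert_and_key() {
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    keys=$(grep -c -E -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null || true)
    [ "${certs:-0}" -ge 1 ] && [ "${keys:-0}" -eq 1 ]
}

# Succeeds if the file mode is exactly 600 (owner read/write only), as set in step 5.
pem_mode_is_600() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Succeeds if the first certificate's public key matches the private key.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs every check, prints one line per failure, returns non-zero if any failed.
check_server_pem() {
    rc=0
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    pem_has_cert_and_key "$1" || { echo "need >=1 certificate and exactly 1 private key"; rc=1; }
    pem_mode_is_600 "$1"      || { echo "mode is not 600"; rc=1; }
    pem_key_matches_cert "$1" || { echo "private key does not match certificate"; rc=1; }
    return $rc
}

# When a path is given, check it: sh check_pem.sh /etc/bp2/haproxy/ssl/server.pem
if [ "$#" -ge 1 ]; then
    check_server_pem "$1" || exit 1
fi
```
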
