From be4bc8f3f243b3282010848cc00f31d31c9f9ab8 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Wed, 3 May 2017 12:56:17 +0300
Subject: Internal TLS: Use specific CA file for mysql-client
Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways:
* Improves performance since validation will check only one certificate.
* Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs).
Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7
Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
---
 puppet/services/database/mysql-client.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'puppet')
diff --git a/puppet/services/database/mysql-client.yaml b/puppet/services/database/mysql-client.yaml
index 78456e28..b6bd060e 100644
--- a/puppet/services/database/mysql-client.yaml
+++ b/puppet/services/database/mysql-client.yaml
@@ -21,6 +21,11 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 
 outputs:
 role_data:
@@ -30,5 +35,6 @@ outputs:
 config_settings:
 tripleo::profile::base::database::mysql::client::mysql_client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]}
 tripleo::profile::base::database::mysql::client::enable_ssl: {get_param: EnableInternalTLS}
+ tripleo::profile::base::database::mysql::client::ssl_ca: {get_param: InternalTLSCAFile}
 step_config: |
 include ::tripleo::profile::base::database::mysql::client
--
cgit 1.2.3-korg
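Review bot: The new `InternalTLSCAFile` parameter defaults to '/etc/ipa/ca.crt' and is wired to `ssl_ca` unconditionally in the second hunk, but its description does not say that the file must exist on every node where the mysql client runs, nor that it should hold only the CA that issued the database server certificate — the commit message's security argument (a single trusted CA instead of the system bundle) holds only as long as an operator does not point this parameter at a bundle. I would tighten the description to `description: Path to the CA certificate used to validate the MySQL server certificate when EnableInternalTLS is true; it must be present on every node running the client and should contain only the CA that issued the server certificate, not a system-wide bundle.` Whether the puppet profile ignores `ssl_ca` when `enable_ssl` is false is not visible here; if it does not, the non-existent default path could affect deployments that never enabled internal TLS, which is worth confirming. If other service templates in the tree declare the same parameter, the default and wording should match them so one override applies everywhere.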