How to setup SSL connection for OpenStack cloud object storage (Swift)?

CloudBacko backup software allows you to back up data to OpenStack cloud object storage (Swift). This article shows you how to enable SSL in OpenStack for your backup users.

If you are new to OpenStack, you should check with their documentation on general setup available at http://docs.openstack.org/

If you already have a running OpenStack, you can follow our steps to enable SSL.

Assumptions:

Here are the OpenStack versions used in the following examples:

  • OpenStack Havana Series, Release 2013.2.3
  • Swift version: 2.0.2
  • Keystone version: 0.7.1

Here are the values used in the following examples:

  • OpenStack admin user name: admin
  • OpenStack admin user password: admin
  • Tenant (project) name: mybackup
  • Keystone server IP: 10.7.54.7
  • Keystone user authentication URL: https://10.7.54.7:5000/v2.0
  • Keystone admin URL: https://10.7.54.7:35357/v2.0
  • Keystone admin token: 7b05dab9722d44e7b9a82dc0d1ff74ea

Note: The value of the Keystone admin token can be found in the variable name “admin_token” defined inside the keystone configuration file at /etc/keystone/keystone.conf .

Requirements and preparations:

Please set up the following variables in the bash profile, and the filters in proxy-server.conf, before you set up a tenant (project), users, roles, storage quota etc.

Step 1: Add the environment variables to the .bash_profile

Example (/root/.bash_profile)

----------------------------------------------------------------------------------------------------
    :
    :
  Trimmed
    :
    :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=https://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=https://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
    :
    :
  Trimmed
    :
    :
----------------------------------------------------------------------------------------------------

Please log in again for the profile to take effect.

Note: The value of the OS_SERVICE_TOKEN can be found in the variable name “admin_token” defined inside the keystone configuration file at /etc/keystone/keystone.conf .

Step 2: Setup SSL connection for keystone and swift

To set up the SSL certificates for keystone, edit the file /etc/keystone/keystone.conf

Assume you have valid certificate files in:

  • /etc/keystone/ssl_cert.pem, the server certificate (public key) file
  • /etc/keystone/ssl_key.pem, the private key file
  • /etc/keystone/cacert.pem, the CA root certificate file

Since the format of the certificate issued by your CA may differ, always check with your CA for the correct instructions on chaining the certificates.

Example (/etc/keystone/keystone.conf)

----------------------------------------------------------------------------------------------------
    :
    :
    :
  Trimmed
    :
    :
    :

[ssl]
enable = True
certfile = /etc/keystone/ssl_cert.pem
keyfile = /etc/keystone/ssl_key.pem
ca_certs = /etc/keystone/cacert.pem

    :
    :
    :
  Trimmed
    :
    :
    :
----------------------------------------------------------------------------------------------------

Step 3: Restart keystone service

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# service openstack-keystone restart
Stopping keystone:                                         [  OK  ]
Starting keystone:                                         [  OK  ]
[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 4: List the existing services and note the id of the swift service

The '--insecure' switch is required if the SSL certificate is not trusted by the client (for example, a self-signed certificate), because it disables certificate verification.

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|                id                |    name    |     type     |          description           |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba | cinder_v2  |   volumev2   |       Cinder Service v2        |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |    Openstack Image Service     |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |   OpenStack Identity Service   |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |   Neutron Networking Service   |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |   Openstack Compute Service    |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           |
| 8b517bd82d4345c895384f9596a29880 |   swift    | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |      s3      |      Openstack S3 Service      |
+----------------------------------+------------+--------------+--------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

The id of the swift service (type object-store) is 8b517bd82d4345c895384f9596a29880.

Step 5: List existing swift service endpoints

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+-------------------+----------------------------------+
|                id                |  region   |  ....Trimmed....  |            service_id            |
+----------------------------------+-----------+-------------------+----------------------------------+
| 00a39b6e21a24562b470b61a1b82902d | RegionOne |                   | 218b5356d65e4d8382297f72d65c8bbb |
| 047f9c3dd19743e280a553d8a34a9202 | RegionOne |                   | 10f1a022ada246138aba5834e3622a91 |
| 2b89407a81574b2c8f0fdef9eefc507a | RegionOne |                   | 5f805cc7df2a43eb90db6fe11ed682f6 |
| 47b6d5974d744c21a04b6ca2781f57a0 | RegionOne |                   | b703b91737954d01a2d180f6c3d575ba |
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne |                   | b3af7d0a95d34aa7883629df7a7f7f56 |
| 90bb1d878b7045f086e2ada7ce853308 | RegionOne |                   | 3134116675a8420a88ef01cdcb0c8728 |
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne |                   | 11882e74696547b0ba1e4d276074ae37 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne |                   | 8b517bd82d4345c895384f9596a29880 |
| a9b9c9fbef6a44669788c1946a3c8e48 | RegionOne |                   | cc787cf0258e46d6a342e1502e7bf6be |
| c370061d0cc64386a470a5a0fb01e424 | RegionOne |                   | a809ad43f380400cb55ff2520bb27ab0 |
+----------------------------------+-----------+-------------------+----------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

Look up the endpoint row whose service_id is 8b517bd82d4345c895384f9596a29880 (the swift service); its endpoint id is a1af6685d3e04e5fa7b71f6c244f1393. (The publicurl, internalurl and adminurl columns are trimmed from the listing above.)

Step 6: Delete the insecure swift service endpoint

Delete the service endpoint with the id a1af6685d3e04e5fa7b71f6c244f1393, which is found in the same row as the swift service_id.

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-delete a1af6685d3e04e5fa7b71f6c244f1393
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Endpoint has been deleted. 
[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 7: Recreate the endpoint with https:// instead

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-create --region RegionOne --service-id=8b517bd82d4345c895384f9596a29880 --publicurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://10.7.54.7:8080/v1' --internalurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s'
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------------------+
|  Property   |                   Value                      |
+-------------+----------------------------------------------+
|  adminurl   |           https://10.7.54.7:8080/v1          |
|     id      |        fb937c038fd34724bd7415fff3ee7736      |
| internalurl | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|   region    |                 RegionOne                    |
| service_id  |       8b517bd82d4345c895384f9596a29880       |
+-------------+----------------------------------------------+ 
[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 8: Setup the /etc/swift/proxy-server.conf for swift

Edit the file proxy-server.conf and add the cert_file and key_file settings under [DEFAULT] and the auth_protocol, auth_uri and insecure settings under [filter:authtoken], as shown in the example below. Setting insecure = true makes the proxy skip verification of the Keystone certificate, just as the '--insecure' switch does for the command line tools, so it is only needed while the Keystone certificate is not trusted by the proxy host.

Assume you have valid certificate files in:

  • /etc/swift/ssl_cert.pem, the server certificate (public key) file
  • /etc/swift/ssl_key.pem, the private key file

Since the format of the certificate issued by your CA may differ, always check with your CA for the correct instructions on chaining the certificates.

Example (/etc/swift/proxy-server.conf)

----------------------------------------------------------------------------------------------------
# This file is managed by puppet.  Do not edit
#
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
    :
    :
    :
  Trimmed
    :
    :
    :
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem
    :
    :
    :
  Trimmed
    :
    :
    :

[filter:authtoken]
    :
    :
    :
  Trimmed
    :
    :
    :
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true
----------------------------------------------------------------------------------------------------

Step 9: Restart the swift related services

Restart the swift related service after you have modified the config file /etc/swift/proxy-server.conf .

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# swift-init main restart
Signal proxy-server  pid: 17166  signal: 15
Signal container-server  pid: 17167  signal: 15
Signal account-server  pid: 17168  signal: 15
Signal object-server  pid: 17169  signal: 15
object-server (17169) appears to have stopped
container-server (17167) appears to have stopped
account-server (17168) appears to have stopped
proxy-server (17166) appears to have stopped
Starting proxy-server...(/etc/swift/proxy-server.conf)
Starting container-server...(/etc/swift/container-server.conf)
Starting account-server...(/etc/swift/account-server.conf)
Starting object-server...(/etc/swift/object-server.conf)
WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment.

[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 10: Test with the swift command

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# swift --insecure stat

       Account: AUTH_49f2482ecff9431bae1d32fa2a004026
    Containers: 8
       Objects: 480
         Bytes: 189030388 
Meta Quota-Bytes: 10737418240
   X-Timestamp: 1412574345.10669
  Content-Type: text/plain; charset=utf-8
 Accept-Ranges: bytes
[root@os ~]#
----------------------------------------------------------------------------------------------------

How to setup region in OpenStack object storage (Swift)?

CloudBacko backup software allows you to back up data to OpenStack cloud object storage (Swift).

This article shows you how to set up a region in OpenStack for your backup users. If you are new to OpenStack, refer to the OpenStack documentation on general setup at http://docs.openstack.org/

If you already have a running OpenStack, you can follow our steps to set up a different region for users.

Assumptions:

Here are the OpenStack versions used in the following examples:

  • OpenStack Havana Series, Release 2013.2.3
  • Swift version: 2.0.2
  • Keystone version: 0.7.1

Here are the values used in the following examples:

  • OpenStack admin user name: admin
  • OpenStack admin user password: admin
  • Tenant (project) name: mybackup
  • Keystone server IP: 10.7.54.7
  • Keystone user authentication URL: http://10.7.54.7:5000/v2.0
  • Keystone admin URL: http://10.7.54.7:35357/v2.0
  • Keystone admin token: 7b05dab9722d44e7b9a82dc0d1ff74ea
  • Keystone server IP (Region 2): 10.7.54.8

Note: The value of the Keystone admin token can be found in the variable name “admin_token” defined inside the keystone configuration file at /etc/keystone/keystone.conf .

Requirements and preparations:

Please set up the following variables in the bash profile before you set up a tenant (project), users, roles, storage quota etc.

Step 1: Add the environment variables to the .bash_profile

Example (/root/.bash_profile)

----------------------------------------------------------------------------------------------------
    :
    :
  Trimmed
    :
    :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=http://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=http://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
    :
    :
  Trimmed
    :
    :
----------------------------------------------------------------------------------------------------

Please log in again for the profile to take effect.

Note: The value of the OS_SERVICE_TOKEN can be found in the variable name “admin_token” defined inside the keystone configuration file at /etc/keystone/keystone.conf .

Step 2: Create a new region in OpenStack

If you have a second OpenStack storage that you want to make available through your current OpenStack, you can set up a second region on your current OpenStack.

Assume the IP of the second region's OpenStack is 10.7.54.8 . You need to find the swift service id and then map the second region on your current OpenStack according to the instructions below.

To list the swift service id with the keystone service-list command:

Usage: keystone service-list

Example:

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|              id                  |    name    |     type     |           description          |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba |  cinder_v2 |   volumev2   |        Cinder Service v2       |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |      Openstack Image Service   |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |    OpenStack Identity Service  |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |    Neutron Networking Service  |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |    Openstack Compute Service   |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           | 
| 8b517bd82d4345c895384f9596a29880 |    swift   | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |     s3       |       Openstack S3 Service     |
+----------------------------------+------------+--------------+--------------------------------+
[root@os ~]# 
----------------------------------------------------------------------------------------------------

To add the second region (RegionTwo) to the 'swift' keystone service:

Usage: keystone endpoint-create --region <endpoint-region> --service-id=<swift service-id> --publicurl <public-url> --adminurl <admin-url> --internalurl <internal-url>

Example:

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone endpoint-create --region RegionTwo --service-id=8b517bd82d4345c895384f9596a29880 --publicurl 'http://10.7.54.8:8080/v1/AUTH_%(tenant_id)s' --adminurl 'http://10.7.54.8:8080/v1' --internalurl 'http://10.7.54.8:8080/v1/AUTH_%(tenant_id)s'
+-------------+---------------------------------------------+
|   Property  |                    Value                    |
+-------------+---------------------------------------------+
|   adminurl  |          http://10.7.54.8:8080/v1           |
|      id     |       40c018c7ff934bc4b3d8c0ce8c78d8db      |
| internalurl | http://10.7.54.8:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | http://10.7.54.8:8080/v1/AUTH_%(tenant_id)s |
|    region   |                   RegionTwo                 |
|  service_id |       8b517bd82d4345c895384f9596a29880      |
+-------------+---------------------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------
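As an added check (example code, not CloudBacko's or OpenStack's), the script below authenticates against the Keystone v2.0 URL from these articles while verifying the Keystone certificate with the CA root file instead of using '--insecure', and then reports any swift endpoint in the service catalog, in any region, that is still served over plain http. The embedded catalog is a constructed sample containing the RegionOne endpoint from the SSL article's Step 7 and the RegionTwo endpoint created above; the token id in it is a placeholder.

```python
"""Check which swift (object-store) endpoints in a Keystone v2.0 service
catalog are not served over https.  Added example, not CloudBacko or
OpenStack code; assumed values follow the articles: Keystone at
https://10.7.54.7:5000/v2.0, CA file /etc/keystone/cacert.pem, tenant mybackup."""
import json
import ssl
import urllib.request

AUTH_URL = "https://10.7.54.7:5000/v2.0"   # Keystone user authentication URL
CA_FILE = "/etc/keystone/cacert.pem"       # CA root certificate from Step 2

# Constructed sample of a v2.0 token response: RegionOne after the https
# endpoint was recreated, RegionTwo as created in the region article (http).
# The token id is a placeholder; the tenant id is the one shown by 'swift stat'.
SAMPLE_TOKEN_RESPONSE = {"access": {
    "token": {"id": "PLACEHOLDER-TOKEN",
              "tenant": {"id": "49f2482ecff9431bae1d32fa2a004026", "name": "mybackup"}},
    "serviceCatalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"region": "RegionOne", "publicURL": "https://10.7.54.7:5000/v2.0"}]},
        {"type": "object-store", "name": "swift", "endpoints": [
            {"region": "RegionOne",
             "publicURL": "https://10.7.54.7:8080/v1/AUTH_49f2482ecff9431bae1d32fa2a004026",
             "internalURL": "https://10.7.54.7:8080/v1/AUTH_49f2482ecff9431bae1d32fa2a004026",
             "adminURL": "https://10.7.54.7:8080/v1"},
            {"region": "RegionTwo",
             "publicURL": "http://10.7.54.8:8080/v1/AUTH_49f2482ecff9431bae1d32fa2a004026",
             "internalURL": "http://10.7.54.8:8080/v1/AUTH_49f2482ecff9431bae1d32fa2a004026",
             "adminURL": "http://10.7.54.8:8080/v1"}]}]}}


def tls_context(ca_file=CA_FILE, insecure=False):
    """TLS settings for talking to Keystone.  insecure=True is the equivalent
    of the CLI '--insecure' switch: no certificate or hostname verification,
    acceptable only while an untrusted test certificate is in use."""
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Verify the Keystone certificate against the CA root from the article.
    return ssl.create_default_context(cafile=ca_file)


def get_token(username, password, tenant, auth_url=AUTH_URL, ctx=None):
    """POST v2.0 password credentials; returns the parsed JSON response,
    whose access.serviceCatalog lists every endpoint the user may use."""
    body = json.dumps({"auth": {"tenantName": tenant, "passwordCredentials": {
        "username": username, "password": password}}}).encode()
    req = urllib.request.Request(auth_url + "/tokens", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx or tls_context()) as resp:
        return json.load(resp)


def swift_endpoints(token_response):
    """Map region -> {publicURL, internalURL, adminURL} for the swift service."""
    result = {}
    for service in token_response["access"]["serviceCatalog"]:
        if service.get("type") != "object-store":
            continue
        for ep in service.get("endpoints", []):
            result[ep.get("region")] = {
                k: ep[k] for k in ("publicURL", "internalURL", "adminURL") if k in ep}
    return result


def plaintext_swift_endpoints(token_response):
    """(region, field, url) for each swift URL not served over https; an empty
    list means no plain-http swift endpoint is left in any region."""
    return [(region, field, url)
            for region, urls in swift_endpoints(token_response).items()
            for field, url in urls.items()
            if not url.lower().startswith("https://")]


if __name__ == "__main__":
    for finding in plaintext_swift_endpoints(SAMPLE_TOKEN_RESPONSE):
        print("plain http swift endpoint: region=%s %s=%s" % finding)
    # Against a live cloud (needs network access and the CA file):
    # catalog = get_token("admin", "admin", "mybackup")
```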

 

How to configure Encryption in CloudBacko backup software


When backing up data to a non-local destination, e.g. a public cloud, CloudBacko lets you encrypt your backup data before sending it to the destination, so that no attacker can learn what you have backed up, even if they break into your cloud storage and take your data.

If encryption is enabled, before files are uploaded to the backup destination, they are first compressed and encrypted with an algorithm, mode and key of your choice.

Encryption settings are defined when a backup set is created. Even if the login password is changed after the encryption is done, the encryption key remains unchanged and cannot be modified. The only alternative is to create a new backup set using the new encryption key and back up your data from scratch.

Once you have enabled the encryption recovery option in Profile > Encryption Recovery, the encryption key file will be uploaded to the Backup Server. If you forget the encryption key, you can still contact us to recover it. The recovered encryption key will be sent to you directly by email, so make sure you have filled in your contact details under the Profile > Contacts section.

Important:

For CloudBacko Pro and Lite users, it is very important to export the current configuration settings using our tool in Utilities > Export/Import Settings; the file settings.sys will be exported. Please keep settings.sys in a safe place.

If your current backup computer crashes and the settings.sys file is lost, you will not be able to restore the current settings, including the encryption key, and the data that you backed up is irretrievable.

For CloudBacko Free users, your hashed encryption key will be kept on our server. You don’t have to worry about exporting your configuration.

Key:

Field Description

Encryption Type: There are 2 encryption types, namely Default and Custom (some versions offer a third type, User password).
  • Select “Default”: CloudBacko assigns the encryption key and encryption settings as follows:
    • Encryption Key: a randomly generated key of 44 alphanumeric characters
    • Encryption Key length: 256 bits
    • Encryption Algorithm: AES
    • Encryption Method: CBC
  • Select “Custom”: you can choose the encryption key, algorithm, method and key length yourself.

Algorithm: There are 3 encryption algorithms:
  • Twofish: Twofish algorithm
  • DESede: Triple DES algorithm
  • AES: Advanced Encryption Standard algorithm

Method: There are 2 encryption methods (block cipher modes):
  • ECB: Electronic Codebook mode (each block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks)
  • CBC: Cipher Block Chaining mode (each block is chained to the previous one, so repeated plaintext is not visible in the ciphertext)

Key length: There are 2 key length options:
  • 128-bit
  • 256-bit

Encryption key: If the Custom encryption type is used, consider the following to create a strong encryption key:
  • Length: make sure the encryption key is at least eight characters long.
  • Complexity: include lowercase letters, uppercase letters and numbers.

Avoid creating an encryption key that uses:
  • Dictionary words.
  • Words spelled backwards, common misspellings and abbreviations.
  • Sequences or repeated characters.
  • Personal information, such as your name, your birthday or similar information.

Re-type encryption key: Enter the same encryption key again to ensure the encryption key was typed correctly.

To setup encryption for a backup set:

  1. Slide the switch to right hand side to turn on the encryption.
  2. Select “Default” or “Custom” from the Encryption type drop-down box.
  3. If you choose “Default”, click [Next] button to continue.
  4. If you choose “Custom”:
    • Select the algorithm of the encryption.
    • Enter the encryption key.
    • Re-enter the encryption key to confirm.
    • Select the method of the encryption.
    • Select the key length of the encryption.
  5. Click [Next] button to continue. You will then see a pop-up window where you can copy the encryption key to another location of your choice.
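An added example (not CloudBacko's code) that generates a key in the shape of the Default option (44 random alphanumeric characters) and checks a Custom key against the rules in the table above; the small word list and the personal details in it are constructed for the demonstration, and how CloudBacko itself validates keys is not documented here.

```python
"""Generate a Default-style key and check a Custom key against the strength
rules listed in the encryption table.  Added example, not CloudBacko code;
DICTIONARY and the personal details in main() are constructed stand-ins."""
import re
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits
DEFAULT_KEY_LENGTH = 44            # "44 alpha numeric characters" per the table

# Constructed stand-in for a dictionary; a real check would load a word list.
DICTIONARY = {"password", "backup", "secret", "cloud", "welcome", "admin"}


def generate_default_key(length=DEFAULT_KEY_LENGTH):
    """Random alphanumeric key of the same shape as the Default option."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def has_sequence(key, run=3):
    """True if `run` consecutive characters step by +1 or -1 (abc, 321)."""
    codes = [ord(c) for c in key.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeat(key, run=3):
    """True if the same character appears `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), key) is not None


def contains_word(key, words):
    """True if any word appears forwards or reversed, case-insensitively."""
    lowered = key.lower()
    for w in words:
        if len(w) >= 3 and (w in lowered or w[::-1] in lowered):
            return True
    return False


def check_custom_key(key, personal_info=()):
    """Return the list of violated rules (an empty list means the key passes)."""
    problems = []
    if len(key) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", key) and re.search(r"[A-Z]", key)
            and re.search(r"[0-9]", key)):
        problems.append("missing lowercase, uppercase or digit")
    if contains_word(key, DICTIONARY):
        problems.append("contains a dictionary word (forwards or backwards)")
    if has_sequence(key) or has_repeat(key):
        problems.append("contains a sequence or repeated characters")
    if contains_word(key, [p.lower() for p in personal_info]):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    print("default-style key:", generate_default_key())
    # Constructed personal details for the demonstration.
    print(check_custom_key("Backup2015", personal_info=("Alice", "19800101")))
    print(check_custom_key("Tq7vRm2pLx9cWe", personal_info=("Alice",)))
```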

How to configure Command Line Tool in CloudBacko Pro backup software


In CloudBacko Pro backup software for backing up servers, you can run commands before and/or after a backup job, e.g. a batch file that stops an application before the backup job and starts it again afterwards, or a command that shuts down the computer when a backup job is complete.

Key:

Field Description

Name: Input box to enter the name of a pre- or post-backup command.
Working Directory: The directory in which the pre- or post-backup command will run.
Command: Input box to enter the pre- or post-backup command to be run. A native command, or a command that executes a batch, command or VBScript file, can be configured, for example:

  •   shutdown -s -t 60
  •   batch.bat
  •   command.cmd
  •   script.vbs


To define a pre-backup command line tool:

  1. Click on the [+] to add a new pre-backup command line tool.
  2. Enter a meaningful name for the pre-command.
  3. Click on [Browse] to select the working directory.
  4. Enter the command.
  5. Click [OK] to save the setting.

To define a post-backup command line tool:

  1. Click on the [+] to add a new post-backup command line tool.
  2. Enter a meaningful name for the post-command.
  3. Click on [Browse] to select the working directory.
  4. Enter the command.
  5. Click [OK] to save the setting.

How to configure bandwidth control in CloudBacko backup software

You can use the bandwidth control to limit the amount of bandwidth used by backup traffic between specified times.

Note

  • The actual transfer rate will be within about +/- 5% of the limit when the bandwidth control is set below 32Mb/s. When it is set above 64Mb/s, the gap between the actual rate and the limit may exceed 5%.
  • Network stability may affect bandwidth control effectiveness.

There are a few configurable parameters available and they are described in the following table. Bandwidth control is an optional setting.

Key:

Field Description

Mode: There are 2 modes, “Independent” and “Share”.
  • In independent mode, each backup and restore job has its own assigned bandwidth.
  • In share mode, all backup and restore jobs share the same assigned bandwidth.

Note: Share mode does not support running a backup job to multiple destinations concurrently.

Name: Name of the bandwidth control set.
Type: There are 2 types of bandwidth control, ‘Always’ and ‘Only within this period’.
From: Start time of the enforced bandwidth control period.
To: End time of the enforced bandwidth control period.
Maximum transfer rate: Maximum bandwidth used between the [From] and [To] times.

To set up the bandwidth control:

  1. Slide the switch to right hand side to turn on the bandwidth control.
  2. Select the mode of bandwidth control, ‘Independent’ or ‘Share’.
  3. Click on the [Add] button to add a bandwidth control or click on the bandwidth control set to modify the setting.
  4. Provide a meaningful name for this bandwidth control if necessary.
  5. Select the type of bandwidth control, ‘Always’ or ‘Only within this period’.
  6. If ‘Only within this period’ is selected, select the ‘From’ and ‘To’ period of time.
  7. Select the ‘Maximum transfer rate’ from the drop down box.
  8. Click [Save] to save the setting.


To remove a bandwidth control:

  1. Select the bandwidth control set.
  2. On the bottom left, click the “Delete this bandwidth control”.
