
Overview

Xloud platform services communicate over encrypted channels by default. TLS protects API endpoints, inter-service traffic, database connections, and message queue channels. This page covers certificate provisioning, TLS configuration at both the internal and external layers, HAProxy termination, and endpoint hardening for production deployments.
Prerequisites
  • XDeploy access with administrator privileges
  • SSL/TLS certificates (CA-signed, self-signed, or Let’s Encrypt)
  • Access to the XDeploy configuration interface or /etc/xavs/globals.d/ on the bootstrap node

TLS Architecture

Xloud separates TLS configuration into three independent scopes:
| Scope | Description | Applies To |
|---|---|---|
| External TLS | Traffic between clients and the platform API / Dashboard | Public-facing endpoints, HAProxy VIP |
| Internal TLS | Service-to-service traffic within the cluster | API ↔ database, API ↔ message queue, service ↔ service |
| Backend TLS | HAProxy to upstream service connections | HAProxy → Keystone, Nova API, Neutron, etc. |
Enabling TLS requires all services to be restarted. Plan a maintenance window for initial TLS enablement on an existing cluster. New clusters should have TLS configured before the first deployment.

TLS Configuration

Open Global Configuration

Log in to XDeploy and navigate to Configuration → Global Settings.

Enable TLS Scopes

Locate the Security section and enable each TLS scope appropriate for your deployment:
| Setting | Recommended Value | Description |
|---|---|---|
| Enable External TLS | Yes | Encrypts client-to-HAProxy traffic |
| Enable Internal TLS | Yes | Encrypts service-to-service traffic |
| Enable Backend TLS | Yes | Encrypts HAProxy-to-service traffic |
For greenfield deployments, enable all three scopes from the start. For existing clusters, enable external TLS first, then internal TLS in a second maintenance window.

Configure Certificate Source

Select the certificate source for external TLS:
  • Self-signed: Xloud generates certificates automatically using the internal CA
  • CA-signed: Upload your organization’s certificate and private key
  • Let’s Encrypt: Provide a domain name and contact email for automatic provisioning
Upload the certificate bundle if using CA-signed certificates.

Apply Configuration

Click Save and Deploy. XDeploy runs the TLS configuration playbook across all nodes.
All services restart with TLS enabled. HAProxy health checks confirm green status.

Certificate Management

Self-Signed Certificates

Xloud uses an internal CA to generate self-signed certificates for all services. The CA certificate must be distributed to all clients that communicate with the platform.
Export internal CA certificate
cat /etc/xavs/certificates/ca/xloud-ca.crt
Import this CA certificate into your browser, operating system trust store, or client configuration to avoid certificate validation errors.

CA-Signed Certificates

Generate a CSR

Generate certificate signing request
openssl req -new -newkey rsa:4096 -nodes \
  -keyout haproxy.key \
  -out haproxy.csr \
  -subj "/CN=<your-vip-hostname>/O=Your Organization/C=IN" \
  -addext "subjectAltName=DNS:<hostname>,IP:<vip-ip>"

Submit CSR to your CA

Submit haproxy.csr to your certificate authority. The CA returns a signed certificate (haproxy.crt) and the CA chain (ca-chain.crt).

Install the signed certificate

Install certificate files
cp haproxy.crt      /etc/xavs/certificates/haproxy.crt
cp haproxy.key      /etc/xavs/certificates/haproxy.key
cp ca-chain.crt     /etc/xavs/certificates/ca/xloud-ca.crt
xavs-ansible deploy --tags haproxy

Certificate Renewal

Certificates must be renewed before expiry. Monitor certificate expiration and plan renewals at least 30 days in advance. An expired certificate causes authentication failures across all platform services.
Check certificate expiration
openssl x509 -in /etc/xavs/certificates/haproxy.crt -noout -enddate

HAProxy TLS Termination

HAProxy terminates external TLS at the VIP and forwards requests to upstream services. Three modes are supported for the upstream leg: termination (plain HTTP to the backend), re-encryption (a new TLS session to the backend), and pass-through (encrypted bytes forwarded unchanged).
| Mode | Description | Use Case |
|---|---|---|
| Termination | HAProxy decrypts; backend receives plain HTTP | Default; simplifies backend config |
| Re-encryption | HAProxy decrypts; re-encrypts to backend | Maximum security; backend TLS required |
| Pass-through | HAProxy forwards encrypted bytes unchanged | End-to-end mTLS for specific services |
The default configuration uses TLS termination for external traffic and re-encryption for backend traffic when kolla_enable_tls_backend: "yes" is set.

Service Endpoint Hardening

Restrict API endpoints to the minimum required versions. For Xloud Compute, disable legacy v2.0 and enforce v2.1:
/etc/xavs/globals.d/_60_endpoint_hardening.yml
nova_api_enabled_apis: "osapi_compute,metadata"
Enforce modern cipher suites and disable weak protocols. Add to the HAProxy global configuration:
Cipher suite hardening
kolla_tls_min_version: "TLSv1.2"
kolla_tls_ciphers: "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DSS"
This disables TLS 1.0, TLS 1.1, and all weak cipher suites including RC4, 3DES, and export ciphers.
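Before pushing a cipher string into globals.d it is worth seeing exactly which suites the local OpenSSL build expands it to, because an alias such as ECDHE+AESGCM selects different concrete suites on different builds. The script below is an added example, not part of Xloud or its playbooks: it expands the page's kolla_tls_ciphers value through Python's ssl module, drops the TLS 1.3 suites (which OpenSSL configures separately), and flags any suite that is not forward-secret or that carries a legacy algorithm marker (RC4, DES/3DES, NULL, MD5, export or anonymous suites). The marker list is an assumption chosen for this check.

```python
import ssl

# Values copied from the page's cipher suite hardening settings.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DSS"
MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Substrings that identify legacy or broken algorithms in OpenSSL cipher names
# (assumed list for this audit; extend it to match local policy).
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL library which TLS 1.2 suites a cipher string selects.

    Returns the suite names in the server's preference order. TLS 1.3 suites are
    listed by get_ciphers() too, but OpenSSL controls them through a separate
    setting, so they are excluded here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def find_weak_ciphers(cipher_names):
    """Return the subset of cipher names that carry a weak-algorithm marker."""
    return [name for name in cipher_names
            if any(marker in name for marker in WEAK_MARKERS)]


def audit(cipher_string):
    """Expand a cipher string and report weak and non-forward-secret suites."""
    enabled = expand_cipher_string(cipher_string)
    weak = find_weak_ciphers(enabled)
    # Every suite the hardened string allows should use ephemeral ECDH.
    non_forward_secret = [n for n in enabled if not n.startswith("ECDHE")]
    return {
        "enabled": enabled,
        "weak": weak,
        "non_forward_secret": non_forward_secret,
        "ok": bool(enabled) and not weak and not non_forward_secret,
    }


if __name__ == "__main__":
    report = audit(HARDENED_CIPHERS)
    print(f"minimum version: {MIN_VERSION.name}")
    for name in report["enabled"]:
        print(f"  {name}")
    print("weak suites:", report["weak"] or "none")
    print("non-forward-secret suites:", report["non_forward_secret"] or "none")
    print("policy check:", "PASS" if report["ok"] else "FAIL")
```

Run it on the bootstrap node after changing kolla_tls_ciphers; a non-empty weak or non-forward-secret list means the string needs another exclusion before deployment.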
For Dashboard (Horizon) endpoints, enable HTTP Strict Transport Security to prevent protocol downgrade attacks:
HSTS configuration
horizon_enable_hsts: "yes"
horizon_hsts_max_age: 31536000
Reduce the default token lifetime to limit the window of exposure for compromised tokens:
Token expiry configuration
keystone_token_expiration: 3600
keystone_allow_expired_window: 300
The default token lifetime is 3600 seconds (1 hour). Reduce to 1800 for sensitive environments.

Validation

Verify TLS is active across all platform endpoints:
Navigate to the XDeploy Services view. All service health indicators should show green. Click on any service to view its TLS status.
All services show a valid certificate with a matching hostname and a future expiry date.
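The XDeploy Services view reports TLS status per service, but the same three checks (certificate chains to the Xloud CA, hostname matches, expiry is comfortably in the future) are easy to script for a cron job or a post-deployment gate, which also covers the 30-day renewal warning from the Certificate Renewal section. The script below is an added example and not Xloud's own tooling: it pins the CA file path the page exports, refuses anything below TLS 1.2, and evaluates the peer certificate the way Python's ssl module returns it. The sample certificate dictionary, the hostnames and the VIP address in it are constructed for illustration.

```python
import ipaddress
import socket
import ssl
import time

# Path of the internal CA certificate exported on this page.
XLOUD_CA_FILE = "/etc/xavs/certificates/ca/xloud-ca.crt"
# The page recommends planning renewals at least 30 days ahead.
RENEWAL_WARNING_DAYS = 30

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "xloud.example.internal"),),),
    "subjectAltName": (
        ("DNS", "xloud.example.internal"),
        ("DNS", "*.xloud.example.internal"),
        ("IP Address", "10.0.0.10"),
    ),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}


def _dns_name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def hostname_matches(cert, expected):
    """Check the expected DNS name or IP against the subjectAltName entries."""
    try:
        expected_ip = ipaddress.ip_address(expected)
    except ValueError:
        expected_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and expected_ip is None and _dns_name_matches(value, expected):
            return True
        if kind == "IP Address" and expected_ip is not None:
            try:
                if ipaddress.ip_address(value) == expected_ip:
                    return True
            except ValueError:
                continue
    return False


def days_until_expiry(cert, now=None):
    """Days remaining before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def evaluate_certificate(cert, expected_host, now=None):
    """Apply the hostname and expiry checks and collect any problems found."""
    days = days_until_expiry(cert, now)
    problems = []
    if not hostname_matches(cert, expected_host):
        problems.append("hostname mismatch")
    if days <= 0:
        problems.append("expired")
    elif days < RENEWAL_WARNING_DAYS:
        problems.append(f"expires in {days:.0f} days; renew now")
    return {"days_left": days, "problems": problems, "ok": not problems}


def probe_endpoint(host, port=443, cafile=XLOUD_CA_FILE, timeout=5.0):
    """Connect to a live endpoint, verify it against the Xloud CA and evaluate its certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname verified here
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # TLS 1.0/1.1 are rejected outright
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result = evaluate_certificate(tls.getpeercert(), host)
            result["protocol"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            return result


if __name__ == "__main__":
    # Placeholder VIP hostname; replace with the deployment's HAProxy VIP.
    for endpoint in ("xloud.example.internal",):
        try:
            print(endpoint, probe_endpoint(endpoint))
        except (OSError, ssl.SSLError) as exc:
            print(endpoint, "FAILED:", exc)
```

The ssl context already rejects an untrusted chain or a mismatched name before the handshake completes, so those show up as exceptions; evaluate_certificate adds the renewal-window check that the handshake does not perform, and a non-empty problems list should fail the gate.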

Next Steps

Hardening Guide

OS-level hardening, SSH configuration, and service minimization to complement TLS

API Security

Token authentication, application credentials, and RBAC enforcement

Compliance

Audit logging, log retention, and compliance framework mapping

Network Security

Security groups, FWaaS, and network segmentation