More security updates
stuclem committed Dec 22, 2017
1 parent 3eda8fc commit c36adfb
Showing 10 changed files with 286 additions and 86 deletions.
4 changes: 2 additions & 2 deletions docs/user_doc/SUMMARY.md
Expand Up @@ -48,7 +48,7 @@
* [Security](vic_vsphere_admin/vch_security.md)
* [Auto-Generated Certificates](vic_vsphere_admin/tls_auto_certs.md)
* [Custom Certificates](vic_vsphere_admin/tls_custom_certs.md)
* [Unrestricted Access](vic_vsphere_admin/tls_unrestricted.md)
* [Disable Certificate Verification](vic_vsphere_admin/tls_unrestricted.md)
* [Registry Access](vic_vsphere_admin/vch_registry.md)
* [Operations User](vic_vsphere_admin/set_up_ops_user.md)
* [Finish VCH Deployment](vic_vsphere_admin/complete_vch_deployment_client.md)
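Review bot: the new TOC label "Disable Certificate Verification" on the `+` line does not match the title this commit gives the target page (`# Disable Certificate Authentication` in tls_unrestricted.md) or the link text "Disable Certificate Authentication" used in security_reference.md, and the same label is repeated in docs/user_doc/vic_vsphere_admin/SUMMARY.md. Pick one wording for all three, for example `* [Disable Certificate Authentication](vic_vsphere_admin/tls_unrestricted.md)`; since the page covers both `--no-tlsverify` (client certificate verification off) and `--no-tls` (TLS off entirely), "Authentication" is the broader and more accurate term.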
Expand All @@ -65,10 +65,10 @@
* [Obtain General VCH Information and Connection Details](vic_vsphere_admin/inspect_vch.md)
* [Obtain VCH Configuration Information](vic_vsphere_admin/inspect_vch_config.md)
* [Configure Running VCHs](vic_vsphere_admin/configure_vch.md)
* [Delete VCHs](vic_vsphere_admin/remove_vch.md)
* [Debug Running VCHs](vic_vsphere_admin/debug_vch.md)
* [Enable Shell Access](vic_vsphere_admin/vch_shell_access.md)
* [Authorize SSH Access](vic_vsphere_admin/vch_ssh_access.md)
* [Delete VCHs](vic_vsphere_admin/remove_vch.md)
* [VCH Admin Portal](vic_vsphere_admin/access_vicadmin.md)
* [Browser-Based Certificate Login](vic_vsphere_admin/browser_login.md)
* [Command Line Certificate Login](vic_vsphere_admin/cmdline_login.md)
4 changes: 2 additions & 2 deletions docs/user_doc/vic_vsphere_admin/SUMMARY.md
Expand Up @@ -37,7 +37,7 @@
* [Security](vch_security.md)
* [Auto-Generated Certificates](tls_auto_certs.md)
* [Custom Certificates](tls_custom_certs.md)
* [Unrestricted Access](tls_unrestricted.md)
* [Disable Certificate Verification](tls_unrestricted.md)
* [Registry Access](vch_registry.md)
* [Operations User](set_up_ops_user.md)
* [Finish VCH Deployment](complete_vch_deployment_client.md)
Expand All @@ -54,10 +54,10 @@
* [Obtain General VCH Information and Connection Details](inspect_vch.md)
* [Obtain VCH Configuration Information](inspect_vch_config.md)
* [Configure Running VCHs](configure_vch.md)
* [Delete VCHs](remove_vch.md)
* [Debug Running VCHs](debug_vch.md)
* [Enable Shell Access](vch_shell_access.md)
* [Authorize SSH Access](vch_ssh_access.md)
* [Delete VCHs](remove_vch.md)
* [VCH Admin Portal](access_vicadmin.md)
* [Browser-Based Certificate Login](browser_login.md)
* [Command Line Certificate Login](cmdline_login.md)
2 changes: 2 additions & 0 deletions docs/user_doc/vic_vsphere_admin/public_network.md
Expand Up @@ -101,6 +101,8 @@ A DNS server for the VCH endpoint VM to use on the public, client, and managemen

Enter a comma-separated list of DNS server addresses in the **DNS server** text box, for example `192.168.10.10,192.168.10.11`.

If you are using the Create Virtual Container Host wizard and you set a static IP address on the public network, you must configure a DNS server.

#### vic-machine Option

`--dns-server`, None
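Review bot: the added sentence states a requirement without its consequence or its scope. Say whether the wizard refuses to proceed when a static public IP is set and no DNS server is entered, and whether the same rule applies to `vic-machine create` when a static address is given, since the `vic-machine` option text that follows does not repeat it as far as this hunk shows. Stating the reason (a static address means no DHCP-supplied resolver, so name resolution on the endpoint VM would otherwise fail) would make the rule easier to remember.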
2 changes: 1 addition & 1 deletion docs/user_doc/vic_vsphere_admin/security_reference.md
Expand Up @@ -19,7 +19,7 @@ When deploying VCHs, you must provide the certificate thumbprint of the vCenter

### Docker Client Authentication with VCHs

VCHs authenticate Docker API clients by using client certificates. For information about VCHs and client authentication, see [Virtual Container Host Security](vch_security.md). Be aware that it is possible to use the `--no-tlsverify` and `--no-tls` options to deploy VCHs that do not authenticate client connections. For information about the `--no-tlsverify` and `--no-tls` options, see [Unrestricted Access to the Docker API](tls_unrestricted.md).
VCHs authenticate Docker API clients by using client certificates. For information about VCHs and client authentication, see [Virtual Container Host Security](vch_security.md). Be aware that it is possible to use the `--no-tlsverify` and `--no-tls` options to deploy VCHs that do not authenticate client connections. For information about the `--no-tlsverify` and `--no-tls` options, see [Disable Certificate Authentication](tls_unrestricted.md).

## Network Security <a id="network"></a>
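Review bot: the sentence on the `+` line says both `--no-tlsverify` and `--no-tls` deploy VCHs that "do not authenticate client connections", which understates `--no-tls`: per tls_unrestricted.md in this same commit it also drops the server certificate and encryption and moves clients to the plaintext port 2375. Suggest splitting the statement: `--no-tlsverify` disables client authentication but keeps TLS encryption; `--no-tls` disables TLS entirely. The new link text "Disable Certificate Authentication" also differs from the TOC label "Disable Certificate Verification" added to both SUMMARY.md files.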

196 changes: 149 additions & 47 deletions docs/user_doc/vic_vsphere_admin/tls_auto_certs.md


6 changes: 5 additions & 1 deletion docs/user_doc/vic_vsphere_admin/tls_custom_certs.md
@@ -1,4 +1,4 @@
# Restrict Access to the Docker API with Custom Certificates <a id="restrict_custom"></a>
# Use Custom Server Certificates

To exercise fine control over the certificates that VCHs use, you must obtain or generate custom certificates yourself before you deploy a VCH. You can create a VCH that uses a custom server certificate, for example a server certificate that has been signed by Verisign or another public root. For information about how to create custom certificates for use with Docker, see [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/) in the Docker documentation.
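Review bot: the new H1 drops the `<a id="restrict_custom"></a>` anchor, so any existing link to `tls_custom_certs.md#restrict_custom` will silently land at the top of the page instead of the heading; keep the anchor on the new heading (`# Use Custom Server Certificates <a id="restrict_custom"></a>`) unless all inbound links were checked. The narrower title also no longer covers the client CA material the body still discusses ("custom certificates for use with Docker", the `--tlscacert` client option), so either the title or the first paragraph should say that this page is about server certificates only.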

Expand Down Expand Up @@ -32,6 +32,8 @@ The path to a custom X.509 server certificate. This certificate identifies the V
- Use this option in combination with the `--tls-server-key` option, that provides the path to the private key file for the custom certificate.
- Include the names of the certificate and key files in the paths.

If you provide a custom server certificate by using the `--tls-server-cert` option, you can use `--tls-cname` as a sanity check to ensure that the certificate is valid for the deployment.

If you use custom certificates, container developers run Docker commands with the `--tlsverify`, `--tlscacert`, `--tlscert`, and `--tlskey` options. For more information about how to connect Docker clients to VCHs, see [Configure the Docker Client for Use with vSphere Integrated Containers](../vic_app_dev/configure_docker_client.md).

**Usage**:
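Review bot: "sanity check" on the added `+` line is vague. State what `--tls-cname` is compared against (the common name of the certificate supplied with `--tls-server-cert`, per the existing "Combine Custom Server Certificates and Auto-Generated Client Certificates" section in this file) and what happens on a mismatch, otherwise a reader cannot tell whether a mismatch is a warning or a failed deployment. Linking the option to tls_auto_certs.md#tls-cname here, as the later paragraph does, would also help.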
Expand Down Expand Up @@ -86,6 +88,8 @@ This example `vic-machine create` command deploys a VCH with the following confi
</pre>




### Combine Custom Server Certificates and Auto-Generated Client Certificates <a id="certcombo"></a>

You can create a VCH with a custom server certificate by specifying the paths to custom `server-cert.pem` and `server-key.pem` files in the `--tls-server-cert` and `--tls-server-key` options. The key should be un-encrypted. Specifying the `--tls-server-cert` and `--tls-server-key` options for the server certificate does not affect the automatic generation of client certificates. If you specify the [`--tls-cname`](tls_auto_certs.md#tls-cname) option to match the common name value of the server certificate, `vic-machine create` generates self-signed certificates for Docker client authentication and deployment of the VCH succeeds.
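Review bot: the two added lines in this hunk are blank lines only, which leaves four consecutive empty lines before the "Combine Custom Server Certificates and Auto-Generated Client Certificates" heading; collapse them to one. While here, "The key should be un-encrypted" on the context line reads as advice rather than a requirement; if a passphrase-protected key is rejected or causes deployment to fail, say so explicitly ("The private key must not be encrypted").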
67 changes: 40 additions & 27 deletions docs/user_doc/vic_vsphere_admin/tls_unrestricted.md
@@ -1,19 +1,41 @@
# Unrestricted Access to the Docker API <a id="unrestricted"></a>
# Disable Certificate Authentication

To deploy a VCH that does not restrict access to the Docker API but still encrypts communication between clients and the VCH, use the `--no-tlsverify` option. To completely disable TLS authentication and encryption, use the `--no-tls` option.
To deploy a virtual container host (VCH) that does not restrict access to the Docker API but still encrypts communication between clients and the VCH, you can disable client certificate verification. You can also completely disable TLS authentication and encryption on both the client and server sides.

- [`vic-machine` Options](#options)
- [Options](#options)
- [Disable Secure Access](#no-tls)
- [Disable Client Certificate Verification](#no-tlsverify)
- [Example `vic-machine` Commands](#examples)

## `vic-machine` Options <a id="options"></a>
## Options <a id="options"></a>

The `--no-tls` option is exposed in the `vic-machine create` help if you run `vic-machine create --extended-help`, or `vic-machine create -x`.
The sections in this topic each correspond to an entry in the Docker API Access tab in the Security page of the Create Virtual Container Host wizard, and to the corresponding `vic-machine create` options.

### `--no-tlsverify` <a id="no-tlsverify"></a>
### Disable Secure Access <a id="no-tls"></a>

**Short name**: `--kv`
You can completely disable TLS authentication of connections between Docker clients and the VCH. VCHs use neither client nor server certificates. Any Docker client can connect to the VCH if you disable TLS authentication and connections are not encrypted.

The `--no-tlsverify` option prevents the use of CAs for client authentication. You still require a server certificate if you use `--no-tlsverify`. You can supply a custom server certificate by using the [`--tls-server-cert`](tls_custom_certs.md#cert) and [`--tls-server-key`](tls_custom_certs.md#key) options. If you specify `--no-tlsverify` but do not use `--tls-server-cert` and `--tls-server-key` to supply a custom server certificate, `vic-machine create` generates a self-signed server certificate. If you specify `--no-tlsverify` there is no access control, however connections remain encrypted.
**IMPORTANT**: Disabling secure access is for testing purposes only. Do not disable secure access in production environments.

If you use the `no-tls` option, container developers connect Docker clients to the VCH via the HTTP port, 2375, instead of via the HTTPS port, 2376.

#### Create VCH Wizard

Toggle the **Enable secure access to this VCH** switch to the gray off position.

#### vic-machine Option

`--no-tls`, `-k`

Run `vic-machine create` with the `--no-tls` option. The `--no-tls` option is exposed in the `vic-machine create` help if you run `vic-machine create --extended-help`, or `vic-machine create -x`.

The `--no-tls` option takes no arguments.

<pre>--no-tls</pre>

### Disable Client Certificate Verification <a id="no-tlsverify"></a>

Disabling client certificate verification prevents the use of CAs for client authentication. You still require a server certificate if you use `--no-tlsverify`. You can supply a custom server certificate by using the [`--tls-server-cert`](tls_custom_certs.md#cert) and [`--tls-server-key`](tls_custom_certs.md#key) options. If you specify `--no-tlsverify` but do not use `--tls-server-cert` and `--tls-server-key` to supply a custom server certificate, `vic-machine create` generates a self-signed server certificate. If you specify `--no-tlsverify` there is no access control, however connections remain encrypted.

When you specify the `--no-tlsverify` option, `vic-machine create` performs the following actions during the deployment of the VCH.
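Review bot: the rewritten H1 drops `<a id="unrestricted"></a>`; security_reference.md in this commit links to the page without an anchor, so that link still works, but any other link to `tls_unrestricted.md#unrestricted` no longer resolves, so keep the anchor on the new heading. Two further points in this hunk: the "Disable Client Certificate Verification" paragraph still opens in terms of the option ("You still require a server certificate if you use `--no-tlsverify`") while the parallel "Disable Secure Access" section describes the setting first and the option second; reword it to match. And the IMPORTANT notice that disabling secure access is for testing only has no counterpart in the client-certificate section, even though the context line itself states that with `--no-tlsverify` "there is no access control"; add an equivalent notice that anyone who can reach port 2376 can then drive the Docker API.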

Expand All @@ -23,27 +45,19 @@ When you specify the `--no-tlsverify` option, `vic-machine create` performs the

If you deploy a VCH with the `--no-tlsverify` option, container developers run Docker commands with the `--tls` option, and the `DOCKER_TLS_VERIFY` environment variable must not be set. Note that setting `DOCKER_TLS_VERIFY` to 0 or `false` has no effect. For more information about how to connect Docker clients to VCHs, see [Configure the Docker Client for Use with vSphere Integrated Containers](../vic_app_dev/configure_docker_client.md).

**Usage**:

The `--no-tlsverify` option takes no arguments.

<pre>--no-tlsverify</pre>

### `--no-tls` <a id="no-tls"></a>
#### Create VCH Wizard

**Short name**: `-k`
Toggle the **Client Certificates** switch to the gray off position.

Disables TLS authentication of connections between the Docker client and the VCH. VCHs use neither client nor server certificates.
#### vic-machine Option

Set the `no-tls` option if you do not require TLS authentication between the VCH and the Docker client, for example for testing purposes. Any Docker client can connect to the VCH if you disable TLS authentication and connections are not encrypted.
`--no-tlsverify`, `--kv`

If you use the `no-tls` option, container developers connect Docker clients to the VCH via the HTTP port, 2375, instead of via the HTTPS port, 2376.
--no-tlsverify: the certificate generated with this option is a _server certificate_ and should exist on the VCH endpoint VM and should not be needed by Admiral. This certificate allows the client to confirm the servers identity (as with banking websites, etc) so long as the client can validate the certificate chain - this may require the CA be provided to the client if using self-signed certificates. The server certificate files should now be named as expected by the docker client. This does not require the client to verify it's identity for the server.

**Usage**:
Run `vic-machine create` with the `--no-tlsverify` option. The `--no-tlsverify` option takes no arguments.

The `--no-tls` option takes no arguments.

<pre>--no-tls</pre>
<pre>--no-tlsverify</pre>

## Example `vic-machine` Commands <a id="examples"></a>
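Review bot: the `+` line beginning "--no-tlsverify: the certificate generated with this option is a _server certificate_ ..." reads as a pasted engineering note rather than user documentation and should not ship as is: it names Admiral without introduction, has typos ("servers identity", "verify it's identity" for "its"), and is not formatted as a paragraph or list item. Its substance is already covered earlier in the section (a server certificate is auto-generated when none is supplied; clients must be given the CA to validate a self-signed certificate), so either drop the line or fold its one new detail, that the generated files are named as the Docker client expects, into that paragraph.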

Expand All @@ -55,7 +69,7 @@ The `--no-tls` option takes no arguments.

You use the `--no-tlsverify` option with no other TLS options to disable client authentication and auto-generate a server certificate.

This example `vic-machine create` command deploys a VCH with the following configuration:
This example deploys a VCH with the following configuration:

- Specifies the user name, password, image store, cluster, bridge network, and name for the VCH.
- Specifies `--no-tlsverify` to disable client authentication.
Expand All @@ -74,7 +88,7 @@ This example `vic-machine create` command deploys a VCH with the following confi

You use the `--tls-server-cert`, `--tls-server-key`, and `--no-tlsverify` options to use a custom X.509 server certificate and key and disable client authentication.

This example `vic-machine create` command deploys a VCH with the following configuration:
This example deploys a VCH with the following configuration:

- Specifies the user name, password, image store, cluster, bridge network, and name for the VCH.
- Provides the paths relative to the current location of the `*.pem` files for the custom server certificate and key files.
Expand All @@ -96,7 +110,7 @@ This example `vic-machine create` command deploys a VCH with the following confi

You use the `--no-tls` option with no other TLS options to disable client and server authentication.

This example `vic-machine create` command deploys a VCH with the following configuration:
This example deploys a VCH with the following configuration:

- Specifies the user name, password, image store, cluster, bridge network, and name for the VCH.
- Specifies `--no-tls` to disable client and server authentication.
Expand All @@ -110,4 +124,3 @@ This example `vic-machine create` command deploys a VCH with the following confi
--thumbprint <i>certificate_thumbprint</i>
--no-tls
</pre>

1 change: 1 addition & 0 deletions docs/user_doc/vic_vsphere_admin/vch_admin.md
Expand Up @@ -5,6 +5,7 @@ You can monitor and perform administration tasks on virtual container hosts (VCH
* [Interoperability](interop.md)
* [Virtual Container Host Administration in the vSphere Client](vch_admin_client.md)
* [Virtual Container Host Administration with `vic-machine`](vch_admin_vicmachine.md)
* [Delete Virtual Container Hosts](remove_vch.md)
* [Virtual Container Host Administration Portal](access_vicadmin.md)


2 changes: 1 addition & 1 deletion docs/user_doc/vic_vsphere_admin/vch_registry.md
@@ -1,4 +1,4 @@
# Connect Virtual Container Hosts to Registries #
# Configure Registry Access #

If you use vSphere Integrated Containers Registry, or if container developers need to access Docker images that are stored in other private registry servers, you must configure virtual container hosts (VCHs) to allow them to connect to these private registry servers when you deploy the VCHs. VCHs can connect to both secure and insecure private registry servers. You can also configure VCHs so that they can only access images from a whitelist of approved registries.
