Pierre,

In Diablo and Essex it is a common deployment pattern to serve Keystone via SSL proxy or run Keystone as a mod_wsgi application directly. Running like this provides connection security between the clients and the Keystone server.

Adam Young provided a good example of doing this via Apache httpd on a blog post of his: http://adam.younglogic.com/2012/04/keystone-httpd/

Best,
Nate

On Aug 3, 2012 5:23 AM, "Pierre Amadio" <pierre.ama...@canonical.com> wrote:
> Hi there!
>
> I have an Essex install that works, and am trying now to do the same
> thing but with SSL for Keystone communication.
>
> I am using Ubuntu 12.04.
>
> I followed http://docs.openstack.org/developer/keystone/configuration.html
>
> On a remote box that will serve as my CA, I generated an auto signed
> root certificate:
>
> cd /etc/ssl
> sudo /usr/lib/ssl/misc/CA.pl -newca
>
> This generated a /etc/ssl/demoCA/cacert.pem file which I think is to copy
> on my keystone node wherever ca_certs in the config file points to. Right?
>
> So I have stored this file in /etc/ssl/cacert.pem
>
> On my keystone box, I generate a certificate request:
>
> sudo openssl req -nodes -out keystone-req.pem -new -newkey rsa:2048 -keyout cert.key -days 1095
> sudo mv cert.key /etc/ssl/
> sudo chmod 0600 /etc/ssl/cert.key
>
> I send a copy of keystone-req.pem to my CA box and sign it:
>
> cd /etc/ssl
> sudo openssl ca -policy policy_anything -out keystone-cert.crt -infiles keystone-req.pem
>
> I copy the signed keystone-cert.crt file back to my keystone box in
> /etc/ssl/keystone-cert.crt
>
> I add the following to /etc/keystone/keystone.conf:
>
> [ssl]
> enable = True
> certfile = /etc/ssl/keystone-cert.crt
> keyfile = /etc/ssl/cert.key
> ca_certs = /etc/ssl/cacert.pem
> cert_required = True
>
> From there, I was expecting to "just" have to restart keystone and start
> using the keystone client with an https SERVICE_ENDPOINT environment
> variable so I could create services, tenants, users and so on.
>
> However, it looks to me like keystone is not even trying to negotiate an
> SSL handshake:
>
> $ export SERVICE_ENDPOINT=https://192.168.122.3:35357/v2.0/
> $ export SERVICE_TOKEN=whatever
> $ keystone user-list
>
> No handlers could be found for logger "keystoneclient.client"
> Unable to communicate with identity service: [Errno 1] _ssl.c:504:
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
> (HTTP 400)
>
> From a tcpdump:
>
> #########################################
> ...........P....e...O..........4..6w....q}...V...
> .".!.9.8.........5............... ...
> .........3.2.....E.D...../...A..................I.........
> .4.2... ...........
> ...................................#.......<head>
> <title>Error response</title>
> </head>
> <body>
> <h1>Error response</h1>
> <p>Error code 400.
> <p>Message: Bad request syntax
> ('\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0').
> <p>Error code explanation: 400 = Bad request syntax or unsupported method.
> </body>
> ##########################################
>
> I do not understand what I am doing wrong, nor am I 100% sure this is
> supposed to work yet.
>
> According to the following blueprint, I think it should be available in
> Essex:
>
> https://blueprints.launchpad.net/keystone/+spec/2-way-ssl
>
> At the bottom of the blueprint, there are 2 "addressed by" links with a
> set of patches:
>
> https://review.openstack.org/1038
> https://review.openstack.org/7706
>
> But I do not find trace of those patches in the Ubuntu package:
>
> ii keystone 2012.1+stable~20120608-aff45d6-0ubuntu1 OpenStack identity service - Daemons
> ii python-keystone 2012.1+stable~20120608-aff45d6-0ubuntu1 OpenStack identity service - Python library
> ii python-keystoneclient 2012.1-0ubuntu1 Client libary for Openstack Keystone API
>
> I also fail to find trace of those in a git checkout of the
> refs/heads/stable/essex branch of keystone's git repository.
>
> I am confused.
>
> Any help would be appreciated.
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
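Added example, not code from the thread or from the Keystone project: the bytes echoed in the "Bad request syntax" 400 body above are a TLS ClientHello record, which is what the client sends when the https endpoint is in fact still a plain-HTTP listener. This script decodes that record header from the quoted bytes and tells it apart from an HTTP request line, the check to run on a capture when an https URL answers with HTTP 400.

```python
import struct

# Leading bytes of the rejected request, copied from the 400 error body
# quoted in the thread (the server echoed what it could not parse as HTTP).
REJECTED_REQUEST = (b'\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee'
                    b'\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w'
                    b'\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0')

RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                0x16: "handshake", 0x17: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> dict:
    """Tell a plaintext HTTP request apart from a TLS record; decode a ClientHello."""
    if data.startswith(HTTP_METHODS):
        line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "request_line": line}
    # TLS record header: content_type(1) version(2) length(2); version major is 3.
    if len(data) < 5 or data[0] not in RECORD_TYPES or data[1] != 3:
        return {"kind": "unknown"}
    rtype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    info = {"kind": "tls", "record_type": RECORD_TYPES[rtype],
            "record_version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "record_length": rlen}
    # Handshake body: type(1) length(3) client_version(2) random(32)
    # session_id_len(1) session_id(...) cipher_suites_len(2) cipher_suites(...)
    if rtype == 0x16 and len(data) >= 11 and data[5] == 0x01:
        info["handshake_type"] = "client_hello"
        info["handshake_length"] = int.from_bytes(data[6:9], "big")
        info["client_version"] = VERSIONS.get((data[9], data[10]), f"{data[9]}.{data[10]}")
        pos = 11 + 32                      # skip the 32-byte random
        if len(data) > pos:
            pos += 1 + data[pos]           # skip session_id length byte and session_id
        if len(data) >= pos + 2:
            suites_len = struct.unpack("!H", data[pos:pos + 2])[0]
            info["cipher_suite_count"] = suites_len // 2
            if len(data) >= pos + 4:       # capture is truncated; first suite only
                first = struct.unpack("!H", data[pos + 2:pos + 4])[0]
                info["first_cipher_suite"] = "0x%04x" % first
    return info


if __name__ == "__main__":
    for key, value in classify_first_bytes(REJECTED_REQUEST).items():
        print(f"{key}: {value}")
```

A result of kind "tls" from a port you expected to serve https means the listener itself is not doing TLS, so the fix is on the server side (enable SSL in Keystone or front it with an SSL proxy), not in the client's certificate settings.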