In your keystone.conf, under the [signing] section, make sure your entries are
pointing to these generated files. In your config file the [signing] section
is empty.

Thanks
Haneef

From: Li, Chen [mailto:chen...@intel.com]
Sent: Wednesday, March 05, 2014 9:04 PM
To: Ali, Haneef; Adam Young; openstack@lists.openstack.org
Subject: RE: [Openstack] issue when I using PKI for token format

Still doesn't work...

keystone user-list
Authorization Failed: Unable to sign token. (HTTP 500)


Thanks.
-chen


id
uid=0(root) gid=0(root) groups=0(root)

keystone-manage pki_setup  --keystone-user 0 --keystone-group 0

2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa 
-out /etc/keystone/ssl/certs/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new 
-x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out 
/etc/keystone/ssl/certs/ca.pem -days 3650 -config 
/etc/keystone/ssl/certs/openssl.conf -subj 
/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa 
-out /etc/keystone/ssl/private/signing_key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key 
/etc/keystone/ssl/private/signing_key.pem -new -out 
/etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf 
-subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca 
-batch -out /etc/keystone/ssl/certs/signing_cert.pem -config 
/etc/keystone/ssl/certs/openssl.conf -days 3650d -cert 
/etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem 
-infiles /etc/keystone/ssl/certs/req.pem
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'Unset'
localityName          :ASN.1 12:'Unset'
organizationName      :ASN.1 12:'Unset'
commonName            :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar  3 05:01:20 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated



From: Ali, Haneef [mailto:haneef....@hp.com]
Sent: Thursday, March 06, 2014 12:53 PM
To: Li, Chen; Adam Young; openstack@lists.openstack.org
Subject: RE: [Openstack] issue when I using PKI for token format

The user/group are not the user and group created in keystone. They are a Unix 
user and a Unix group. Just run the "id" command in Unix and take the user name and 
group name.

Thanks
Haneef

From: Li, Chen [mailto:chen...@intel.com]
Sent: Wednesday, March 05, 2014 8:22 PM
To: Adam Young; openstack@lists.openstack.org
Subject: Re: [Openstack] issue when I using PKI for token format

I remember something asked me to do that at the very beginning...
But I can't reproduce that anymore.



Anyway, When I run command

        keystone-manage pki_setup

I get :

usage: keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] 
pki_setup
       [-h] --keystone-user KEYSTONE_USER --keystone-group KEYSTONE_GROUP
keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] pki_setup: 
error: argument --keystone-user is required


I changed my ENV to:

        export SERVICE_TOKEN=ADMIN
        export SERVICE_ENDPOINT=http://host-keystone:35357/v2.0


Then run

keystone user-list

+----------------------------------+---------+---------+-------+
|                id                |   name  | enabled | email |
+----------------------------------+---------+---------+-------+
| 618d4218ae584b25a5c0594a6dd1efd4 |  cinder |   True  |       |
| 851c80fe95d64569a701ca0f461e87eb |  glance |   True  |       |
| dad121e464174060a4eb46c5fed019bf |  lichen |   True  |       |
| 958cb6cb788643b79125f1af5d7846d9 | neutron |   True  |       |
| 43ecc4544517446e85ecaca34416244b |   nova  |   True  |       |
+----------------------------------+---------+---------+-------+

keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 044f5ddb818f4b78b9f4aa0e0affd05d | services |   True  |
| 1e57be810f854bcdb73901567140ac48 |   test   |   True  |
+----------------------------------+----------+---------+


Then run

        keystone-manage pki_setup --keystone-user dad121e464174060a4eb46c5fed019bf --keystone-group 1e57be810f854bcdb73901567140ac48

I get:

2014-03-06 12:20:04.841 19854 CRITICAL keystone [-] Unknown user 'dad121e464174060a4eb46c5fed019bf' in --keystone-user


Then run

        keystone-manage pki_setup --keystone-user lichen --keystone-group 1e57be810f854bcdb73901567140ac48

I get:

2014-03-06 12:20:59.792 20029 CRITICAL keystone [-] Unknown user 'lichen' in --keystone-user


Then run

        keystone-manage pki_setup --keystone-user lichen --keystone-group test

I get:

2014-03-06 12:21:24.603 20113 CRITICAL keystone [-] Unknown user 'lichen' in --keystone-user

I don't know how to run the command anymore.....

Thanks.
-chen




From: Adam Young [mailto:ayo...@redhat.com]
Sent: Thursday, March 06, 2014 11:56 AM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] issue when I using PKI for token format

On 03/05/2014 08:59 PM, Li, Chen wrote:

Hi,

I'm working under CentOS 6.4 + Havana, my keystone version is:
          openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana

When I run command "keystone user-list", I get error:
         Authorization Failed: Unable to sign token. (HTTP 500)

I can get error information in both "keystone-startup.log" and "keystone.log":
Did you run keystone-manage pki_setup? The problem is something with your 
certificates.

2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: 
Unable to load certificate - ensure you've configured PKI with 'keystone-manage 
pki_setup'
2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to 
sign token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback 
(most recent call last):
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File 
"/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in 
_get_token_id
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki 
CONF.signing.keyfile)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File 
"/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in 
cms_sign_token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = 
cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File 
"/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in 
cms_sign_text
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise 
environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki 
CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign 
token.

Anyone know why this happened?

Thanks.
-chen



My /etc/keystone/keystone.conf :

[DEFAULT]

[sql]
connection = mysql://keystone:keystone@host-db/keystone

[identity]

[credential]

[trust]

[os_inherit]

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[endpoint_filter]

[token]
driver = keystone.token.backends.memcache.Token

[cache]

[policy]

[ec2]

[assignment]

[oauth1]

[ssl]

[signing]

[ldap]

[auth]
methods = external,password,token,oauth1
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

[paste_deploy]



_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
