Re: [Openstack] keystone and ssl ?

2012-08-03 Thread Nathanael Burton
Pierre,

In Diablo and Essex it is a common deployment pattern to serve Keystone via
SSL proxy or run Keystone as a mod_wsgi application directly.  Running like
this provides connection security between the clients and the Keystone
server.

Adam Young provided a good example of doing this via Apache httpd on a blog
post of his: http://adam.younglogic.com/2012/04/keystone-httpd/

Best,

Nate
On Aug 3, 2012 5:23 AM, "Pierre Amadio"  wrote:

> Hi there !
>
> I have an essex install that works, and am trying now to do the same
> thing but with SSL for keystone communication.
>
> I am using Ubuntu 12.04
>
> I followed http://docs.openstack.org/developer/keystone/configuration.html
>
> On a remote box that will serve as my CA, I generated a self-signed
> root certificate:
>
> cd /etc/ssl
> sudo /usr/lib/ssl/misc/CA.pl -newca
>
> This generated a /etc/ssl/demoCA/cacert.pem file, which I think is to be copied
> to my keystone node wherever ca_certs in the config file points to. Right?
>
> So I have stored this file at /etc/ssl/cacert.pem
>
> On my keystone box, I generate a certificate request:
>
> sudo openssl req -nodes -out keystone-req.pem -new -newkey rsa:2048
> -keyout cert.key -days 1095
> sudo mv cert.key /etc/ssl/
> sudo chmod 0600 /etc/ssl/cert.key
>
> I send a copy of keystone-req.pem to my CA box and sign it:
>
> cd /etc/ssl
> sudo openssl ca -policy policy_anything -out keystone-cert.crt -infiles
> keystone-req.pem
>
> I copy the signed keystone-cert.crt file back to my keystone box at
> /etc/ssl/keystone-cert.crt
>
> I add the following to /etc/keystone/keystone.conf:
>
> [ssl]
> enable = True
> certfile = /etc/ssl/keystone-cert.crt
> keyfile = /etc/ssl/cert.key
> ca_certs = /etc/ssl/cacert.pem
> cert_required = True
>
> From there, I was expecting to "just" have to restart keystone and start
> using the keystone client with an https SERVICE_ENDPOINT environment
> variable so I could create services, tenants, users and so on.
>
> However, it looks to me like keystone is not even trying to negotiate an
> SSL handshake:
>
> $ export SERVICE_ENDPOINT=https://192.168.122.3:35357/v2.0/
> $ export SERVICE_TOKEN=whatever
> $ keystone user-list
>
> No handlers could be found for logger "keystoneclient.client"
> Unable to communicate with identity service: [Errno 1] _ssl.c:504:
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
> (HTTP 400)
>
> From a tcpdump:
>
> #
> Error response
> 
> 
> Error response
> Error code 400.
> Message: Bad request syntax
>
> ('\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0').
> Error code explanation: 400 = Bad request syntax or unsupported method.
> 
> ##
>
> I do not understand what I am doing wrong, nor am I 100% sure this is
> supposed to work yet.
>
> According to the following blueprint, I think it should be available in
> essex:
>
> https://blueprints.launchpad.net/keystone/+spec/2-way-ssl
>
> At the bottom of the blueprint, there are 2 "addressed by" links with a
> set of patches:
>
> https://review.openstack.org/1038
> https://review.openstack.org/7706
>
> But I do not find any trace of those patches in the Ubuntu package:
>
> ii  keystone
> 2012.1+stable~20120608-aff45d6-0ubuntu1 OpenStack identity service -
> Daemons
> ii  python-keystone
> 2012.1+stable~20120608-aff45d6-0ubuntu1 OpenStack identity service -
> Python library
> ii  python-keystoneclient   2012.1-0ubuntu1
> Client libary for Openstack Keystone API
>
> I also fail to find any trace of those in a git checkout of the
> refs/heads/stable/essex branch of keystone's git repository.
>
> I am confused.
>
> Any help would be appreciated.
>
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Re: [Openstack] keystone and ssl ?

2012-08-03 Thread Joseph Heck
The basic support for SSL has been re-added to Keystone earlier this release
cycle, although there are still a few pieces trickling through the pipeline (recent
updates to keystone client to allow for self-signed certs).

It needs testing, and I don't know that we yet have good deployment option docs
(there are several options there) on how to deploy keystone with SSL.

The option to use a signed SSL cert as an authenticated "administrative"
request itself has not been re-added; instead, there was more interest from
developers doing the code to focus on getting a base PKI implementation to
allow for generically signed tokens in this release.

- joe

On Aug 3, 2012, at 9:13 AM, Jay Pipes  wrote:
> On 08/03/2012 05:18 AM, Pierre Amadio wrote:
> 
>> https://blueprints.launchpad.net/keystone/+spec/2-way-ssl
>> 
>> At the bottom of the blueprint, there are 2 "addressed by" links with a
>> set of patches:
>> 
>> https://review.openstack.org/1038
>> https://review.openstack.org/7706
>> 
>> But i do not find trace of those patches in the ubuntu package
> 
>> 
>> I also fail to find trace of those in a git checkout of the
>> refs/heads/stable/essex branch of keystone's git repository.
>> 
>> I am confused.
> 
> The reason is because that code and a bunch of other stuff was ripped
> out of Keystone late in the Essex release series with the move to
> "Keystone Light", which was essentially a rewrite of Keystone that
> replaced the Keystone project that had the code in it that you refer to
> above.
> 
> I've cc'd Joe Heck to give you some information on when SSL support
> might be re-added to Keystone.
> 
> Best,
> -jay



Re: [Openstack] keystone and ssl ?

2012-08-03 Thread Jay Pipes
On 08/03/2012 05:18 AM, Pierre Amadio wrote:

> https://blueprints.launchpad.net/keystone/+spec/2-way-ssl
> 
> At the bottom of the blueprint, there are 2 "addressed by" links with a
> set of patches:
> 
> https://review.openstack.org/1038
> https://review.openstack.org/7706
> 
> But i do not find trace of those patches in the ubuntu package

> 
> I also fail to find trace of those in a git checkout of the
> refs/heads/stable/essex branch of keystone's git repository.
> 
> I am confused.

The reason is because that code and a bunch of other stuff was ripped
out of Keystone late in the Essex release series with the move to
"Keystone Light", which was essentially a rewrite of Keystone that
replaced the Keystone project that had the code in it that you refer to
above.

I've cc'd Joe Heck to give you some information on when SSL support
might be re-added to Keystone.

Best,
-jay



[Openstack] keystone and ssl ?

2012-08-03 Thread Pierre Amadio
Hi there !

I have an essex install that works, and am trying now to do the same
thing but with SSL for keystone communication.

I am using Ubuntu 12.04

I followed http://docs.openstack.org/developer/keystone/configuration.html

On a remote box that will serve as my CA, I generated a self-signed
root certificate:

cd /etc/ssl
sudo /usr/lib/ssl/misc/CA.pl -newca

This generated a /etc/ssl/demoCA/cacert.pem file, which I think is to be copied
to my keystone node wherever ca_certs in the config file points to. Right?

So I have stored this file at /etc/ssl/cacert.pem

On my keystone box, I generate a certificate request:

sudo openssl req -nodes -out keystone-req.pem -new -newkey rsa:2048
-keyout cert.key -days 1095
sudo mv cert.key /etc/ssl/
sudo chmod 0600 /etc/ssl/cert.key

I send a copy of keystone-req.pem to my CA box and sign it:

cd /etc/ssl
sudo openssl ca -policy policy_anything -out keystone-cert.crt -infiles
keystone-req.pem

I copy the signed keystone-cert.crt file back to my keystone box at
/etc/ssl/keystone-cert.crt

I add the following to /etc/keystone/keystone.conf:

[ssl]
enable = True
certfile = /etc/ssl/keystone-cert.crt
keyfile = /etc/ssl/cert.key
ca_certs = /etc/ssl/cacert.pem
cert_required = True

From there, I was expecting to "just" have to restart keystone and start
using the keystone client with an https SERVICE_ENDPOINT environment
variable so I could create services, tenants, users and so on.

However, it looks to me like keystone is not even trying to negotiate an
SSL handshake:

$ export SERVICE_ENDPOINT=https://192.168.122.3:35357/v2.0/
$ export SERVICE_TOKEN=whatever
$ keystone user-list

No handlers could be found for logger "keystoneclient.client"
Unable to communicate with identity service: [Errno 1] _ssl.c:504:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
(HTTP 400)

From a tcpdump:

#
Error response


Error response
Error code 400.
Message: Bad request syntax
('\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0').
Error code explanation: 400 = Bad request syntax or unsupported method.

##

I do not understand what I am doing wrong, nor am I 100% sure this is
supposed to work yet.

According to the following blueprint, I think it should be available in
essex:

https://blueprints.launchpad.net/keystone/+spec/2-way-ssl

At the bottom of the blueprint, there are 2 "addressed by" links with a
set of patches:

https://review.openstack.org/1038
https://review.openstack.org/7706

But I do not find any trace of those patches in the Ubuntu package:

ii  keystone
2012.1+stable~20120608-aff45d6-0ubuntu1 OpenStack identity service - Daemons
ii  python-keystone
2012.1+stable~20120608-aff45d6-0ubuntu1 OpenStack identity service -
Python library
ii  python-keystoneclient   2012.1-0ubuntu1
Client libary for Openstack Keystone API

I also fail to find any trace of those in a git checkout of the
refs/heads/stable/essex branch of keystone's git repository.

I am confused.

Any help would be appreciated.

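Pierre's tcpdump shows the server answering the client's TLS ClientHello with a plain HTTP 400 and echoing the handshake bytes back as the "request line": the listener on 35357 is still speaking HTTP, which is also why OpenSSL reports "unknown protocol" when it reads that HTTP text where a ServerHello should be. The Python 3 script below is an added example (not code from the thread or from Keystone; function names are my own) that decodes the echoed bytes from the thread to show they are a TLS 1.0 record carrying a TLS 1.1 ClientHello, and classifies a peer's first bytes as TLS or HTTP, which is a quick way to confirm from a capture which side of a connection is not doing TLS.

```python
import struct

# The request line Keystone's plain-HTTP listener echoed in its 400 response
# (copied from the thread above), as a Python 3 byte string.
ECHOED_REQUEST_LINE = (
    b'\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee'
    b'\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w'
    b'\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0'
)
TLS_HANDSHAKE = 0x16     # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def classify_first_bytes(data):
    """Guess which protocol a peer is speaking from the first bytes it sent."""
    if data[:1] in (b"\x15", b"\x16"):        # TLS alert or handshake record
        return "tls"
    if data[:5] == b"HTTP/" or data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"


def parse_client_hello_prefix(data):
    """Decode a possibly truncated TLS record carrying a ClientHello.

    Returns the fields that are present, or None when the bytes do not start
    a TLS handshake record at all (e.g. they are an HTTP request line).
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    major, minor, rec_len = struct.unpack("!BBH", data[1:5])
    info = {"record_version": VERSIONS.get((major, minor), "unknown"),
            "record_length": rec_len, "truncated": len(data) < 5 + rec_len}
    hs = data[5:]                             # handshake message inside the record
    if len(hs) < 6 or hs[0] != TLS_CLIENT_HELLO:
        return info
    info["handshake_length"] = int.from_bytes(hs[1:4], "big")
    info["client_version"] = VERSIONS.get((hs[4], hs[5]), "unknown")
    pos = 6 + 32                              # skip the 32-byte client random
    if len(hs) <= pos:
        return info
    info["session_id_length"] = hs[pos]
    pos += 1 + hs[pos]
    if len(hs) < pos + 2:
        return info
    info["cipher_suites_length"] = struct.unpack("!H", hs[pos:pos + 2])[0]
    suites = hs[pos + 2:]                     # only whole 2-byte ids that survived
    info["cipher_suites"] = [struct.unpack("!H", suites[i:i + 2])[0]
                             for i in range(0, len(suites) - 1, 2)]
    return info
```

On the bytes from the thread this reports a 205-byte TLS 1.0 record, a TLS 1.1 ClientHello with an 86-byte cipher-suite list, of which only the first id (0xC014) survived the server's truncation of the "request line".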