Yes, keystone can run under SSL using the eventlet server. Look for the ssl section in keystone.conf https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L296

You'll want to set enabled, certfile and keyfile; from memory, ca_certs is to do with client-side certs.

Jamie

----- Original Message -----
> From: "Mark M Miller (EB SW Cloud - R&D - Corvallis)" <mark.m.mil...@hp.com>
> To: "OpenStack Development Mailing List" <openstack-dev@lists.openstack.org>
> Sent: Saturday, 26 October, 2013 4:31:09 AM
> Subject: Re: [openstack-dev] Keystone TLS Question
>
> Hello again,
>
> It looks to me that TLS is automatically supported by Keystone Havana. I performed the following curl call and it seems to indicate that Keystone is using TLS. Can anyone validate that Keystone Havana does or does not support TLS?
>
> Thanks,
>
> Mark
>
> root@build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone# curl -v --insecure https://15.253.58.165:35357/v2.0/certificates/signing
>
> * About to connect() to 15.253.58.165 port 35357 (#0)
> *   Trying 15.253.58.165... connected
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> *   subject: C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone; emailAddress=keyst...@openstack.org; CN=Keystone
> *   start date: 2013-03-15 01:44:55 GMT
> *   expire date: 2013-03-15 01:44:55 GMT
> *   common name: Keystone (does not match '15.253.58.165')
> *   issuer: serialNumber=5; C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone; emailAddress=keyst...@openstack.org; CN=Self Signed
> *   SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> > GET /v2.0/certificates/signing HTTP/1.1
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: 15.253.58.165:35357
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Content-Type: text/html; charset=UTF-8
> < Content-Length: 973
> < Date: Fri, 25 Oct 2013 18:27:52 GMT
> <
> -----BEGIN CERTIFICATE-----
> MIICoDCCAgkCAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
> BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
> EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
> ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
> …
> 3S9E696tVhWqc+HAW91KgZcIwAgQrxWeC0x5O76Q3MGrxvWwyMHPlsxyL4H67AnI
> wq8zJxOFtzvP8rVWrQ3PnzBozXKuU3VLPqAsDI4nDxjqFpVf3LYCFDRueS2EI5xc
> 5/rt9g==
> -----END CERTIFICATE-----
> * Connection #0 to host 15.253.58.165 left intact
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> root@build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone#
>
>
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Sent: Friday, October 25, 2013 8:58 AM
> To: OpenStack Development Mailing List
> Subject: [openstack-dev] Keystone TLS Question
>
> Hello,
>
> Is there any direct TLS support by Keystone other than using the Apache2 front end?
>
> Mark
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
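The curl run quoted above passed --insecure, so it only proves that a TLS handshake happened; the certificate it printed would have failed a real client on three counts (the name does not cover the IP, start and expire dates are identical, and the chain has no trusted issuer). Below is an added example, not code from this thread or from Keystone, of a small Python checker that verifies the chain and reports those conditions explicitly instead of silently "continuing anyway". The sample certificate dict is constructed from the values in the transcript; the host, port and cafile arguments and the function names are assumptions for this example.

```python
"""Verify a Keystone TLS endpoint instead of skipping verification.

Added example (not from the thread or Keystone). Works on the dict shape that
ssl.SSLSocket.getpeercert() returns: 'subject'/'issuer' as tuples of RDNs,
'notBefore'/'notAfter' as OpenSSL time strings, optional 'subjectAltName'.
"""
import ipaddress
import socket
import ssl
from datetime import datetime, timezone


def _name_values(rdn_sequence, key):
    """All values for `key` (e.g. 'commonName') in a subject/issuer RDN tuple."""
    return [v for rdn in rdn_sequence for (k, v) in rdn if k == key]


def _dns_pattern_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or one leftmost '*' label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.example.test" -> ".example.test"
    head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return head != "" and "." not in head     # exactly one label replaces '*'


def hostname_matches(cert, expected_host):
    """True if the cert covers `expected_host`. subjectAltName wins; the subject
    CN is consulted only when no SAN exists (legacy behaviour). An IP literal
    must appear as an 'IP Address' SAN, or equal the CN string exactly."""
    try:
        ip = ipaddress.ip_address(expected_host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "IP Address" and ip is not None and value == str(ip):
                return True
            if kind == "DNS" and ip is None and _dns_pattern_matches(value, expected_host):
                return True
        return False
    cns = _name_values(cert.get("subject", ()), "commonName")
    return any(cn == expected_host if ip else _dns_pattern_matches(cn, expected_host)
               for cn in cns)


def _cert_datetime(cert_time):
    """'Mar 15 01:44:55 2013 GMT' -> aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def cert_findings(cert, expected_host, now=None):
    """Human-readable problems with a peer certificate; [] means clean."""
    now = now or datetime.now(timezone.utc)
    findings = []
    cns = _name_values(cert.get("subject", ()), "commonName")
    if not hostname_matches(cert, expected_host):
        findings.append(f"name mismatch: CN={','.join(cns) or '?'} does not cover '{expected_host}'")
    not_before = _cert_datetime(cert["notBefore"])
    not_after = _cert_datetime(cert["notAfter"])
    if not_after <= not_before:
        findings.append("empty validity window: notBefore is not earlier than notAfter")
    if now < not_before:
        findings.append(f"not yet valid until {not_before:%Y-%m-%d %H:%M:%S} GMT")
    if now > not_after:
        findings.append(f"expired on {not_after:%Y-%m-%d %H:%M:%S} GMT")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed: issuer equals subject")
    return findings


def check_endpoint(host, port=35357, cafile=None, timeout=5.0):
    """Connect with chain verification ON (against `cafile`, or the system store
    when None) and return cert_findings() for the presented certificate. Name
    checking is left to cert_findings so a mismatch is reported, not raised.
    Assumption: Keystone is listening on `port` with TLS enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return cert_findings(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain verification failed: {exc.verify_message}"]


# Constructed sample in getpeercert() shape, using the subject, issuer and dates
# shown in the thread's curl output (no SAN, as that certificate had none).
KEYSTONE_SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "CA"),),
                (("localityName", "Sunnyvale"),), (("organizationName", "OpenStack"),),
                (("organizationalUnitName", "Keystone"),), (("commonName", "Keystone"),)),
    "issuer": ((("serialNumber", "5"),), (("countryName", "US"),),
               (("organizationalUnitName", "Keystone"),), (("commonName", "Self Signed"),)),
    "notBefore": "Mar 15 01:44:55 2013 GMT",
    "notAfter": "Mar 15 01:44:55 2013 GMT",
}
CURL_RUN_TIME = datetime(2013, 10, 25, 18, 27, 52, tzinfo=timezone.utc)  # Date header

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "15.253.58.165"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for line in check_endpoint(target, cafile=ca) or ["no findings"]:
        print(line)
```

Run it as `python check_keystone_tls.py <host> <cafile>` once the [ssl] settings Jamie points at are in place; pass the CA that signed the Keystone certificate (or, for a self-signed cert, the cert itself) as `cafile`, and treat an empty findings list as the target state. Against the certificate in the transcript, offline, it reports the name mismatch, the empty validity window and the expiry, which is exactly what `--insecure` hid.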