Pierre,
In Diablo and Essex it is a common deployment pattern to serve Keystone via
SSL proxy or run Keystone as a mod_wsgi application directly. Running like
this provides connection security between the clients and the Keystone
server.
Adam Young provided a good example of doing this via Apache httpd on a blog
post of his: http://adam.younglogic.com/2012/04/keystone-httpd/
Best,
Nate
On Aug 3, 2012 5:23 AM, Pierre Amadio pierre.ama...@canonical.com wrote:
Hi there!
I have an essex install that works, and am trying now to do the same
thing but with SSL for keystone communication.
I am using Ubuntu 12.04
I followed http://docs.openstack.org/developer/keystone/configuration.html
On a remote box that will serve as my CA, I generated a self-signed
root certificate:
cd /etc/ssl
sudo /usr/lib/ssl/misc/CA.pl -newca
This generated a /etc/ssl/demoCA/cacert.pem file, which I think is to be copied
to my keystone node, wherever ca_certs in the config file points to. Right?
So I have stored this file at /etc/ssl/cacert.pem
On my keystone box, I generate a certificate request:
sudo openssl req -nodes -out keystone-req.pem -new -newkey rsa:2048 -keyout cert.key -days 1095
sudo mv cert.key /etc/ssl/
sudo chmod 0600 /etc/ssl/cert.key
I send a copy of keystone-req.pem to my CA box and sign it:
cd /etc/ssl
sudo openssl ca -policy policy_anything -out keystone-cert.crt -infiles keystone-req.pem
I copy the signed keystone-cert.crt file back to my keystone box at
/etc/ssl/keystone-cert.crt
I add the following to /etc/keystone/keystone.conf:
[ssl]
enable = True
certfile = /etc/ssl/keystone-cert.crt
keyfile = /etc/ssl/cert.key
ca_certs = /etc/ssl/cacert.pem
cert_required = True
From there, I was expecting to just have to restart keystone and start
using the keystone client with an https SERVICE_ENDPOINT environment
variable so I could create services, tenants, users and so on.
However, it looks to me like keystone is not even trying to negotiate an
SSL handshake:
$ export SERVICE_ENDPOINT=https://192.168.122.3:35357/v2.0/
$ export SERVICE_TOKEN=whatever
$ keystone user-list
No handlers could be found for logger keystoneclient.client
Unable to communicate with identity service: [Errno 1] _ssl.c:504:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
(HTTP 400)
From a tcpdump:
#
...Pe...O..4..6wq}...V...
..!.9.8.5... ...
.3.2.E.D./...A..I.
.4.2... ...
...#...<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 400.
<p>Message: Bad request syntax
('\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6\xc3q}\x03\x00\x00V\xc0\x14\xc0').
<p>Error code explanation: 400 = Bad request syntax or unsupported method.
</body>
##
I do not understand what I am doing wrong, nor am I 100% sure this is
supposed to work yet.
According to the following blueprint, I think it should be available in
Essex:
https://blueprints.launchpad.net/keystone/+spec/2-way-ssl
At the bottom of the blueprint, there are 2 "addressed by" links with a
set of patches:
https://review.openstack.org/1038
https://review.openstack.org/7706
But I do not find any trace of those patches in the Ubuntu packages:
ii  keystone              2012.1+stable~20120608-aff45d6-0ubuntu1  OpenStack identity service - Daemons
ii  python-keystone       2012.1+stable~20120608-aff45d6-0ubuntu1  OpenStack identity service - Python library
ii  python-keystoneclient 2012.1-0ubuntu1                          Client libary for Openstack Keystone API
I also fail to find any trace of those in a git checkout of the
refs/heads/stable/essex branch of keystone's git repository.
I am confused.
Any help would be appreciated.
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
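The bytes Keystone echoes in its "Bad request syntax" error are a TLS ClientHello arriving at a listener that only speaks plain HTTP, which is why the client reports "unknown protocol" while the server answers 400. The Python script below, added here and not part of the thread or of Keystone, decodes that quoted ClientHello prefix (record and handshake headers, client version, start of the cipher-suite list) and classifies first bytes as TLS or plaintext HTTP; the HTTP sample lines used to exercise it are constructed.

```python
import struct

# Bytes quoted verbatim from the "Bad request syntax" error in the post above:
# the first thing the client sent, as Keystone's plain-HTTP listener saw it.
# Python's repr() truncated the line, so only the start of the message survives.
CLIENT_HELLO_PREFIX = (
    b"\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x1b\x86\x7f\xaee\x03\xb9"
    b"\x88O\x9b\xf9\xa6\xff\x85\xea\xe8\xf7\x9e\xe64\x8f\xc86w\xa1\xd7\xb6"
    b"\xc3q}\x03\x00\x00V\xc0\x14\xc0"
)

TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2"}


def classify_first_bytes(data):
    """Tell a TLS handshake record apart from a plaintext HTTP request/response."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data.startswith(b"HTTP/") or data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http-plaintext"
    return "unknown"


def parse_client_hello_prefix(data):
    """Decode the record header, handshake header and the fixed-size start of a
    ClientHello body. Returns None if the bytes are not a ClientHello at all."""
    if classify_first_bytes(data) != "tls-handshake" or len(data) < 44 or data[5] != 0x01:
        return None
    rec_major, rec_minor, rec_len = struct.unpack("!BBH", data[1:5])  # record header
    hs_len = int.from_bytes(data[6:9], "big")                       # handshake length
    cli_major, cli_minor = data[9], data[10]                        # client_version
    gmt_unix_time = struct.unpack("!I", data[11:15])[0]             # random[0:4]
    sid_len = data[43]                                              # session_id length
    info = {
        "record_version": TLS_VERSIONS.get((rec_major, rec_minor), "unknown"),
        "record_length": rec_len,
        "handshake_length": hs_len,
        "client_version": TLS_VERSIONS.get((cli_major, cli_minor), "unknown"),
        "gmt_unix_time": gmt_unix_time,
        "session_id_length": sid_len,
    }
    pos = 44 + sid_len
    # Cipher suite vector: 2-byte length, then 2-byte suite ids; may be cut off here.
    if len(data) >= pos + 4:
        suites_len, first_suite = struct.unpack("!HH", data[pos:pos + 4])
        info["cipher_suite_count"] = suites_len // 2
        info["first_cipher_suite"] = first_suite
    return info


if __name__ == "__main__":
    for key, value in parse_client_hello_prefix(CLIENT_HELLO_PREFIX).items():
        print(f"{key}: {value}")
```

Seen from the server side, a request starting with 0x16 0x03 instead of an HTTP verb is the signature of a client expecting TLS on a plaintext port, the situation Nate's SSL-proxy or mod_wsgi deployment avoids.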