How to strictly enable SSL for all the API access URLs for OpenStack?

asked 2019-02-03 11:11:50 -0500

suhesh

I have installed "OpenStack 14 (Rocky)". The dashboard is already secured with SSL. I noticed all the API access URLs are http://. I need to convert all links to encrypted (SSL) ones.

Is there any issue in setting all API URLs to https?

I followed the following link for the installation of OpenStack: https://keithtenzer.com/2018/10/16/openstack-14-rocky-lab-installation-and-configuration-guide-for-hetzner-root-servers/


1 answer


answered 2019-02-04 23:37:44 -0500

updated 2019-02-04 23:38:55 -0500

Configuring Self-Signed Certificate for Keystone API Service endpoints

In /etc/apache2/sites-available/, keystone.conf will be available; this file is used to configure the Self-Signed Certificate for this endpoint. Add the client.pem and client-key.pem in <VirtualHost *:5000> and <VirtualHost *:35357>.

Now the Self-Signed Certificate configuration for the keystone service API endpoints is done. After this, change the keystone endpoint URL from http to https in the admin-openrc and demo-openrc files, and change the endpoint URLs from http to https in the database or recreate the endpoints with https URLs. Populate the keystone database by using this command:

    su -s /bin/sh -c "keystone-manage db_sync" keystone

and restart the apache2 service. Check this service by issuing this command:

    openstack token issue --insecure

Note: --insecure should be added to the commands to skip verification of the Self-Signed Certificate.

Configuring Self-Signed Certificate for Glance API Service endpoints

Update /etc/glance/glance-api.conf

[DEFAULT]
cert_file = /etc/ssl/client.pem
key_file = /etc/ssl/client-key.pem

[keystone_authtoken]
auth_uri = https://controller:5000
auth_url = https://controller:35357
certfile = /etc/ssl/client.pem
keyfile = /etc/ssl/client-key.pem
insecure = true

Update /etc/glance/glance-registry.conf

[DEFAULT]
cert_file = /etc/ssl/client.pem
key_file = /etc/ssl/client-key.pem

[keystone_authtoken]
auth_uri = https://controller:5000
auth_url = https://controller:35357
certfile = /etc/ssl/client.pem
keyfile = /etc/ssl/client-key.pem
insecure = true

After this, change the endpoint URLs from http to https in the database or recreate the endpoints with https URLs or recreate endpoints. Then, populate the keystone database by using this command:

    su -s /bin/sh -c "keystone-manage db_sync" keystone

and restart the glance-api and glance-registry services. Check this configuration by issuing this command:

    openstack image list --insecure

After issuing this command, the glance images will be listed.

I have written a blog post on securing service API endpoints; view the blog at eranachandran.com
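The answer above says to change the endpoint URLs from http to https or recreate the endpoints. As an added example (not part of the original answer), this script audits the Keystone catalog for endpoints still registered as http:// and prints the `openstack endpoint set` command that would rewrite each one. The endpoint IDs and sample URLs are constructed, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: audit endpoint URLs and plan the http -> https rewrite.
# Input: one "ID URL" pair per line, as produced by
#   openstack endpoint list -f value -c ID -c URL

# Constructed sample catalog (IDs are placeholders, not real endpoint IDs).
SAMPLE_ENDPOINTS='11111111 http://controller:5000/v3
22222222 https://controller:9292
33333333 http://controller:8776/v3/%(project_id)s'

# Print one "openstack endpoint set" command per plain-http endpoint.
# Subshell body keeps the loop variables local to the function.
plan_https_endpoints() (
    while read -r id url; do
        [ -n "$id" ] || continue        # skip blank lines
        case "$url" in
            http://*)
                # Change only the scheme; keep host, port and path.
                # The URL is single-quoted in the output because catalog
                # templates such as %(project_id)s contain parentheses.
                printf "openstack endpoint set --url '%s' %s\n" \
                    "https://${url#http://}" "$id"
                ;;
            https://*) ;;               # already TLS, nothing to do
            *) printf '# unrecognised URL for %s: %s\n' "$id" "$url" >&2 ;;
        esac
    done
)

# Count endpoints still on plain http; 0 means the catalog is all https.
count_plain_http() {
    awk '$2 ~ /^http:\/\// { n++ } END { print n + 0 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_ENDPOINTS" | plan_https_endpoints
printf 'plain-http endpoints: %s\n' \
    "$(printf '%s\n' "$SAMPLE_ENDPOINTS" | count_plain_http)"
```

Review the printed commands before running them, and re-run the count afterwards to confirm it reports 0; a service must already be listening with TLS on its port before its catalog entry is switched.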

