Configuring Self-Signed Certificate for Keystone API Service endpoints
The keystone.conf file in /etc/apache2/sites-available/ is used to configure the self-signed certificate for this endpoint.
Add client.pem and client-key.pem to both <VirtualHost *:5000> and <VirtualHost *:35357>.
The self-signed certificate configuration for the Keystone service API endpoints is now done.
After this, change the Keystone endpoint URL from http to https in the admin-openrc and demo-openrc files, and change the endpoint URLs from http to https in the database or recreate the endpoints with https URLs. Then populate the Keystone database with the command su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the apache2 service.
Check the service by issuing the command openstack token issue --insecure
Note: --insecure must be added to the commands to skip verification of the self-signed certificate.
Configuring Self-Signed Certificate for Glance API Service endpoints
Update /etc/glance/glance-api.conf
[DEFAULT]
cert_file = /etc/ssl/client.pem
key_file = /etc/ssl/client-key.pem
[keystone_authtoken]
auth_uri = https://controller:5000
auth_url = https://controller:35357
certfile = /etc/ssl/client.pem
keyfile = /etc/ssl/client-key.pem
insecure = true
Update /etc/glance/glance-registry.conf
[DEFAULT]
cert_file = /etc/ssl/client.pem
key_file = /etc/ssl/client-key.pem
[keystone_authtoken]
auth_uri = https://controller:5000
auth_url = https://controller:35357
certfile = /etc/ssl/client.pem
keyfile = /etc/ssl/client-key.pem
insecure = true
After this, change the endpoint URLs from http to https in the database or recreate the endpoints with https URLs. Then populate the Keystone database with the command su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the glance-api and glance-registry services.
Check this configuration by issuing the command openstack image list --insecure. After issuing this command, the Glance images will be listed.
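The insecure = true setting above, like --insecure on the command line, turns off server certificate verification. The following added example (not part of the original post) audits a config of this shape for that setting and compares it with a variant that trusts the self-signed certificate through the keystone_authtoken cafile option; the sample text, the cafile path and the audit_tls helper are assumptions made for illustration.

```python
import configparser

# Constructed sample: the glance-api.conf settings shown on this page.
PAGE_CONF = """\
[DEFAULT]
cert_file = /etc/ssl/client.pem
key_file = /etc/ssl/client-key.pem
[keystone_authtoken]
auth_uri = https://controller:5000
auth_url = https://controller:35357
certfile = /etc/ssl/client.pem
keyfile = /etc/ssl/client-key.pem
insecure = true
"""
# Constructed variant (assumption): the self-signed certificate is the trust anchor.
PINNED_CONF = PAGE_CONF.replace("insecure = true", "cafile = /etc/ssl/client.pem")

URL_OPTS = ("auth_uri", "auth_url")
TRUE_VALUES = {"1", "true", "yes", "on"}


def audit_tls(conf_text):
    """Return sorted (section, issue) pairs for client-side TLS settings."""
    # A renamed default_section keeps [DEFAULT] from leaking into other sections.
    cp = configparser.ConfigParser(default_section="__none__",
                                   interpolation=None, strict=False)
    cp.read_string(conf_text)
    issues = []
    for name in cp.sections():
        sec = cp[name]
        urls = [sec[o] for o in URL_OPTS if o in sec]
        if not urls:
            continue  # section makes no outbound Keystone connection
        if sec.get("insecure", "false").strip().lower() in TRUE_VALUES:
            issues.append((name, "insecure=true disables certificate verification"))
        elif any(u.startswith("https://") for u in urls) and "cafile" not in sec:
            issues.append((name, "no cafile: certificate must chain to system CAs"))
        for u in urls:
            if u.startswith("http://"):
                issues.append((name, "plain HTTP endpoint " + u))
    return sorted(issues)


if __name__ == "__main__":
    for label, text in (("page", PAGE_CONF), ("pinned", PINNED_CONF)):
        print(label, audit_tls(text) or "ok")
```

On the command line, the corresponding alternative to --insecure is the openstack client's --os-cacert option (or the OS_CACERT environment variable) pointing at the same certificate file.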
I have written a blog post on securing service API endpoints; view the blog at eranachandran.com