
How to setup SSL on Openstack API endpoints

asked 2012-06-26 13:37:14 -0600

george-john

Hi, I have OpenStack Essex 2012.1 set up on Ubuntu 12.04. I could not find any instructions on how to set up SSL on the OpenStack API endpoints (HTTPS). I saw a blueprint regarding this: https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl Reading the blueprint and related bug, I get a feeling that SSL on OpenStack API endpoints has not been implemented yet (in Essex). Is my understanding correct?

But while reading the OpenStack documentation for Keystone, I see a section on "SSL": http://docs.openstack.org/developer/keystone/configuration.html?highlight=ssl#ssl I followed the instructions of updating the keystone.conf with the entries specified and I restarted the keystone service, but I don't see SSL enabled. I verified this by running the command "keystone --debug tenant-list". From the output of the command, I still see HTTP being used. Could you please tell me if there are other steps to be followed to set up SSL on keystone? Could you point me to the complete instructions to set up SSL on keystone? Just updating the keystone.conf did not seem to work.

Thank you.


4 answers

0

answered 2012-07-02 18:36:08 -0600

heckj

The SSL components have not been installed directly in the Python code as of Essex, but are in the Folsom-2 milestone. For wrapping keystone in SSL with the Essex release, it's expected that you'll arrange the SSL termination external to keystone itself - using Apache or Nginx as a reverse proxy, an F5 load balancer, or something similar.

The instructions should work correctly for the Folsom-2 milestone (or current master).

0

answered 2012-07-02 19:11:19 -0600

george-john

Joseph, thank you for your response. Our aim is to set up SSL on both Nova and Keystone API endpoints. As per your suggestion, in the Essex release, the way to do this is to set up a reverse proxy on these API endpoints. I am just trying to understand... By setting up the proxy, the communication from outside to these API endpoints will be secure but the internal communication between Nova and Keystone will still be over HTTP (and not HTTPS). Am I correct?

Thank you.

0

answered 2012-07-09 16:18:51 -0600

heckj

George - typically the traffic encryption when using a reverse proxy setup is terminated at the reverse proxy device - whether that's an F5, or nginx+ssl, and the traffic between that device (or software component) and keystone (or nova) is unencrypted. The general pattern in many deployments is that the unencrypted traffic is getting run over a private network where snooping isn't a concern.

0

answered 2012-07-09 20:14:12 -0600

george-john

Thank you Joseph for your response. I was able to get an Apache reverse proxy setup working.
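
The Apache reverse-proxy arrangement discussed in this thread, sketched as an added example that is not part of any poster's reply and not the configuration the asker used. It assumes Keystone is bound to 127.0.0.1 on its default ports (5000 public, 35357 admin); the external address 203.0.113.10, the hostname and the certificate paths are placeholders.

```apache
# Added example. Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
# Assumption: keystone.conf sets bind_host = 127.0.0.1, so Keystone itself is
# only reachable through this proxy. 203.0.113.10 is a placeholder address.
Listen 203.0.113.10:5000
Listen 203.0.113.10:35357

# Public (service) API: TLS terminates here, plain HTTP to Keystone on loopback.
<VirtualHost 203.0.113.10:5000>
    ServerName keystone.example.com

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/ssl/certs/keystone.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/keystone.example.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>

# Admin API: same termination pattern on the admin port.
<VirtualHost 203.0.113.10:35357>
    ServerName keystone.example.com

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/ssl/certs/keystone.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/keystone.example.com.key

    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:35357/
    ProxyPassReverse / http://127.0.0.1:35357/
</VirtualHost>
```

Clients only use HTTPS if the auth URL they are given and the endpoint URLs registered in the Keystone catalog start with https://. The hop from Apache to Keystone remains plain HTTP, as noted in the thread, which is why the backend is kept on loopback here.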


Stats

Asked: 2012-06-26 13:37:14 -0600

Seen: 436 times

Last updated: Jul 09 '12