
Can I authenticate using X.509 client certificates?

asked 2012-05-31 12:44:08 -0500

Hi there,

we have a use case where users have X.509 client certificates. The current draft of the Identity API v3 [1] states "The 'just a token' has been the starting requirement, and with PKI coming online, it provides a resource path for the tokens independent of linkages to anything else."

How would I set this up and can it be done with any version of Keystone that is available today? I am currently running stable/essex from a devstack installation. I do know how to set up WSGI services in an Apache2 [2], such that the real "authentication" (the user proving that he has the private data belonging to the certificate) leads to an X.509 DN which should be mapped to a Keystone user. Can this DN be considered the "token"? I guess for a direct mapping the tenant for one user would have to be fixed, but this seems to be a limitation of other already documented credential mechanisms as well. I think one could even add a header to the HTTP(S) request to pass in the tenant in addition to the user credential.

Best regards, Björn

[1] https://docs.google.com/document/d/1s9C4EMxIZ55kZr62CKEC9ip7He_Q4_g1KRfSk9hY-Sg/edit#heading=h.exf8l44oq5hr
[2] http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/
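As an added illustration of the setup sketched in the question (example code, not from Keystone or from the poster): Apache/mod_ssl verifies the client certificate and, with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`, exports `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN` into the WSGI environ; a small WSGI layer maps that DN to a user and honours a tenant header only when the mapped user is allowed into that tenant. The DN-to-user table, the `X-Tenant-Name` header and the DN string format (Apache 2.2 slash form assumed) are assumptions for this example.

```python
# Constructed mapping: certificate subject DN -> (user, allowed tenants).
# In a real deployment this would live in Keystone's identity backend.
# DN format is whatever Apache emits; the Apache 2.2 slash form is assumed.
DN_TO_USER = {
    "/C=DE/O=Example/OU=Users/CN=bjoern": ("bjoern", ["demo", "admin"]),
    "/C=DE/O=Example/OU=Services/CN=svc-nova": ("nova", ["service"]),
}

# Hypothetical request header (X-Tenant-Name) used to select a tenant
# in addition to the certificate-derived user.
TENANT_HEADER = "HTTP_X_TENANT_NAME"


def authenticate(environ):
    """Return {'user': ..., 'tenant': ...} or None.

    Only the mod_ssl variables are trusted: Apache sets them after the TLS
    handshake and a client cannot inject them.  The tenant header IS
    client-supplied, so it is honoured only if the mapped user may use it.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None  # no cert, expired, or not chained to a trusted CA
    entry = DN_TO_USER.get(environ.get("SSL_CLIENT_S_DN", ""))
    if entry is None:
        return None  # valid cert, but no Keystone user is mapped to it
    user, tenants = entry
    tenant = environ.get(TENANT_HEADER, tenants[0])  # default: first tenant
    if tenant not in tenants:
        return None  # header asked for a tenant this user may not enter
    return {"user": user, "tenant": tenant}


def app(environ, start_response):
    """Minimal WSGI app: 401 unless the client certificate maps to a user."""
    identity = authenticate(environ)
    if identity is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "user=%s tenant=%s\n" % (identity["user"], identity["tenant"])
    return [body.encode("utf-8")]
```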


3 answers


answered 2012-06-05 06:59:33 -0500

Thanks a lot for the answer. I do have another one regarding XACML, but that will be another post.

Björn


answered 2012-05-31 12:58:24 -0500

I just now saw the pki blueprint at https://blueprints.launchpad.net/keystone/+spec/pki

so it looks as though something is in the queue.


answered 2012-06-04 16:06:54 -0500


It is something in the queue - and isn't implemented today. The V3 API draft was published all of a week ago, and the PKI functionality in rough implementation is in process now (per the blueprint you cited).

-joe
