Ask Your Question
0

keystone, cert_required and nova

asked 2014-05-08 09:41:20 -0600

dulek gravatar image

I'm trying to configure Keystone in my OpenStack setup to use SSL. I'm currently playing with cert_required flag in keystone.conf:

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True

Unfortunately if it's set to True I'm unable to connect to nova using it's CLI client:

SSLError: [Errno 1] _ssl.c:504: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

In keystone CLI client I can specify --os-key and --os-cert options to do a proper SSL handshake and then it works. These options are missing in nova CLI client. How can I use cert_required option with nova? Maybe the option is prepared to be used in other scenarios?

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
2

answered 2014-05-08 12:26:01 -0600

Haneef Ali gravatar image

updated 2014-05-27 10:38:14 -0600

cert_required is for 2 way ssl. Do you really want to use 2 way ssl? Also you using signing certs for ssl setup?. They are meant for PKI tokens. If you use keystone-manage to generate self signed certs for ssl, it will generate differnt cert for ssl.

To answer your question, don't use cert_required as it is for 2 way ssl and I don't think any openstack service client supports it. I also don't think keystone implements 2 way ssl feature correctly.

This is how normally client certs will be implemented. Don't expect any of these feature in OS services 

Normally  the parameter will have 3 options . 
cert_required = no           // Server doesn't expect client cert
cert_required = optional   // If the client sends cert, then the server will use it
cert_required = yes   //  Cert is mandatory and the client has to send it

How  can you use client cert  in OS services?
   Now all openstack services such as nova/swfit use service account to validate the token. Instead of service account, each service can be given a client cert and they can use client cert to validate the token.
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2014-05-08 09:41:20 -0600

Seen: 636 times

Last updated: May 27 '14

Related questions

How to create an instance for a tenant via admin?

Prevent other users to delete my VMs

keystone auth failure (is what it seems)

assign static IP address to VM

How to use multiple ldap url in keystone.conf for HA

keystone via httpd and remote_user

how keystone using gunicorn

could not telnet to keystone port from another machine

nova list Status ERROR [closed]

Keystone connection establishment error