Ask Your Question
0

keystone, cert_required and nova

asked 2014-05-08 09:41:20 -0500

dulek gravatar image

I'm trying to configure Keystone in my OpenStack setup to use SSL. I'm currently playing with cert_required flag in keystone.conf:

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True

Unfortunately if it's set to True I'm unable to connect to nova using it's CLI client:

SSLError: [Errno 1] _ssl.c:504: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

In keystone CLI client I can specify --os-key and --os-cert options to do a proper SSL handshake and then it works. These options are missing in nova CLI client. How can I use cert_required option with nova? Maybe the option is prepared to be used in other scenarios?

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
2

answered 2014-05-08 12:26:01 -0500

Haneef Ali gravatar image

updated 2014-05-27 10:38:14 -0500

cert_required is for 2 way ssl. Do you really want to use 2 way ssl? Also you using signing certs for ssl setup?. They are meant for PKI tokens. If you use keystone-manage to generate self signed certs for ssl, it will generate differnt cert for ssl.

To answer your question, don't use cert_required as it is for 2 way ssl and I don't think any openstack service client supports it. I also don't think keystone implements 2 way ssl feature correctly.

This is how normally client certs will be implemented. Don't expect any of these feature in OS services 

Normally  the parameter will have 3 options . 
cert_required = no           // Server doesn't expect client cert
cert_required = optional   // If the client sends cert, then the server will use it
cert_required = yes   //  Cert is mandatory and the client has to send it

How  can you use client cert  in OS services?
   Now all openstack services such as nova/swfit use service account to validate the token. Instead of service account, each service can be given a client cert and they can use client cert to validate the token.
edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2014-05-08 09:41:20 -0500

Seen: 679 times

Last updated: May 27 '14

Related questions

Compute(nova) endpoint not listening

cinder list error

Not getting Keystone token via http but am getting it thru keystone client

keystone Failed to start the admin server

Nova compute.instance.create Notification

ip: SIOCGIFFLAGS: No such device

Changing a volume bus type

Openstack + Opendaylight + Mininet

unable to establish connection to http://controller:35357/v2.0

use of [oauth1] section in keystone.conf ?