How to setup Keystone with Https

asked 2014-07-21 05:51:27 -0500 by Beny

updated 2014-07-30 14:18:06 -0500 by smaffulli

Please let me know if anyone has a document to enable HTTPS for Keystone and the other services that need to communicate with the Keystone service.

I have already used the document below, but I am having issues with metadata: https://github.com/kjtanaka/deploy_ha...

I had issues with the launched instances being unable to connect to the metadata agent, i.e. http://169.254.169.254/latest/instanc... is not accessible. Also the keypairs are not getting invoked inside the new instance.

This is the error that I'm getting in the log:

 2014-07-28 07:10:12,335 - util.py[WARNING]: 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [4/120s]: http error [500]

3 answers

2

answered 2014-07-21 07:00:55 -0500

updated 2014-07-29 10:18:59 -0500

That document should work. Can you please explain what you mean by having issues with metadata? The steps involved are:

    1) Configure cert location
    2) Change identity endpoints to https from http
    3) Configure other services to use https endpoints.

Which step do you have a problem with? If you are planning to start Keystone under Apache (which is recommended) then step 1) is a bit different.
In the case of Apache, you don't need to configure the SSL section of keystone.conf. Instead it should be added to the WSGI config.
You need to add the following; this is from the wsgi conf used by devstack.

    SSLEngine on
    # SSLVerifyDepth 1 is good for a self-signed cert. For a proper cert, this will be more than 1 depending on intermediate CAs
    SSLVerifyDepth 1
    SSLCertificateFile <path to cert file>
    SSLCertificateKeyFile <path to key file>
    SSLCACertificateFile <path to CA file>

Given below is the file used by devstack with the appropriate SSL settings:

    Listen %PUBLICPORT%
    Listen %ADMINPORT%

    <VirtualHost *:%PUBLICPORT%>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=%USER%
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / %PUBLICWSGI%
        WSGIApplicationGroup %{GLOBAL}

        SSLEngine on
        SSLVerifyDepth 1
        SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
        SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
        SSLCACertificateFile /etc/keystone/ssl/certs/ca.pem

        ErrorLog /var/log/%APACHE_NAME%/keystone
        LogLevel debug
        CustomLog /var/log/%APACHE_NAME%/access.log combined
    </VirtualHost>

    <VirtualHost *:%ADMINPORT%>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=%USER%
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / %ADMINWSGI%
        WSGIApplicationGroup %{GLOBAL}

        SSLEngine on
        SSLVerifyDepth 1
        SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
        SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
        SSLCACertificateFile /etc/keystone/ssl/certs/ca.pem

        ErrorLog /var/log/%APACHE_NAME%/keystone
        LogLevel debug
        CustomLog /var/log/%APACHE_NAME%/access.log combined
    </VirtualHost>

    # Workaround for missing path on RHEL6, see
    # https://bugzilla.redhat.com/show_bug.cgi?id=1121019
    WSGISocketPrefix /var/run/%APACHE_NAME%

Comments

This is the error that I'm getting in the log:

2014-07-28 07:10:12,335 - util.py[WARNING]: 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [4/120s]: http error [500]

Beny (2014-07-28 02:12:34 -0500)
0

answered 2014-07-30 00:34:20 -0500 by Beny

Hi Haneef,

I have fixed the problem temporarily. The version of Neutron didn't have syntax for insecure = True in the configuration files, and that created the metadata problem. Even though I added auth_insecure = True in the metadata_agent.ini file, it is not producing any change in the log. But it was in the document that it should work.

Finally, I added insecure = true directly in the /usr/lib/python2.7/dist-packages/neutronclient/client.py file.

And then it started working for me. I guess the problem was with my version of Havana. Hope it won't be the scenario with Icehouse. Gonna test it!!

Thanks for your help!!!

-Beny

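Steps 2 and 3 of the first answer (move the identity endpoints to https, then point the other services at them) and the insecure = True shortcut in this answer come down to the same audit: which endpoint URLs are still plain HTTP, and which client configs have switched certificate verification off instead of trusting the CA that signed keystone.pem. The script below is an added example, not code from either poster or from OpenStack. The `keystone endpoint-list` column names, the `auth_url` option and the option names in CA_KEYS are assumptions about the CLI and config formats of that release; the sample table and metadata_agent.ini are constructed.

```python
"""Audit an HTTPS migration of Keystone: list endpoints still on plain HTTP and
flag client configs that disabled certificate verification. Added example, not
code from the original posts or from OpenStack."""
import configparser
from urllib.parse import urlparse

# Constructed sample of `keystone endpoint-list` output. Column names are an
# assumption based on the Havana/Icehouse CLI table; the parser reads them
# from the header row, so a different column set still parses.
SAMPLE_ENDPOINT_LIST = """\
+-----+-----------+-------------------------------+-------------------------------+-------------------------------+------------+
| id  | region    | publicurl                     | internalurl                   | adminurl                      | service_id |
+-----+-----------+-------------------------------+-------------------------------+-------------------------------+------------+
| e01 | RegionOne | https://controller:5000/v2.0  | https://controller:5000/v2.0  | https://controller:35357/v2.0 | s01        |
| e02 | RegionOne | http://controller:9696/       | http://controller:9696/       | http://controller:9696/       | s02        |
| e03 | RegionOne | https://controller:8774/v2/%(tenant_id)s | http://10.0.0.11:8774/v2/%(tenant_id)s | https://controller:8774/v2/%(tenant_id)s | s03 |
+-----+-----------+-------------------------------+-------------------------------+-------------------------------+------------+
"""

URL_COLUMNS = ("publicurl", "internalurl", "adminurl")


def parse_endpoint_list(table_text):
    """Parse the ASCII table printed by `keystone endpoint-list` into dicts keyed by header name."""
    header, rows = None, []
    for line in table_text.splitlines():
        if not line.startswith("|"):
            continue  # '+----+' border lines and anything that is not a table row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # the first '|' row is the column header
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def find_http_endpoints(rows):
    """Return (endpoint id, column, url) for every URL that is still plain http."""
    findings = []
    for row in rows:
        for column in URL_COLUMNS:
            url = row.get(column, "")
            if urlparse(url).scheme == "http":
                findings.append((row["id"], column, url))
    return findings


def to_https(url):
    """Rewrite an http URL to https, keeping host, port and path unchanged (step 2 of the answer)."""
    parts = urlparse(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url


# Constructed metadata_agent.ini that took the shortcut the thread describes:
# verification off instead of trusting the CA that signed keystone.pem.
SAMPLE_METADATA_AGENT_INI = """\
[DEFAULT]
auth_url = https://controller:35357/v2.0
auth_region = RegionOne
auth_insecure = True
admin_tenant_name = service
admin_user = neutron
admin_password = REPLACE_ME
"""

# Keys that switch verification off; both names appear in the thread.
INSECURE_KEYS = ("insecure", "auth_insecure")
# Keys this example accepts as "a CA bundle is configured". Assumption: the
# exact name varies by service and release, so extend this tuple for yours.
CA_KEYS = ("auth_ca_cert", "ca_cert", "cafile", "ca_file")
TRUE_VALUES = ("true", "1", "yes", "on")


def audit_client_config(ini_text):
    """Return (section, finding) pairs for verification-disabled or CA-less https settings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    defaults = parser.defaults()
    findings = []
    for name in ["DEFAULT", *parser.sections()]:
        # Report values inherited from [DEFAULT] once, under DEFAULT, not under every section.
        options = dict(defaults) if name == "DEFAULT" else {
            k: v for k, v in parser.items(name) if defaults.get(k) != v}
        for key in INSECURE_KEYS:
            if options.get(key, "").strip().lower() in TRUE_VALUES:
                findings.append((name, f"{key} = {options[key]} disables certificate verification"))
        uses_https = any(v.strip().lower().startswith("https://") for v in options.values())
        if uses_https and not any(options.get(k) for k in CA_KEYS):
            findings.append((name, "https URL configured but no CA bundle option set; "
                                   "the client will fail verification or be tempted into insecure = True"))
    return findings


if __name__ == "__main__":
    for endpoint_id, column, url in find_http_endpoints(parse_endpoint_list(SAMPLE_ENDPOINT_LIST)):
        print(f"{endpoint_id} {column}: {url} -> {to_https(url)}")
    for section, finding in audit_client_config(SAMPLE_METADATA_AGENT_INI):
        print(f"[{section}] {finding}")
```

Replace the two sample strings with the real `keystone endpoint-list` output and the agent's config file. The point of the CA check is that once a service trusts /etc/keystone/ssl/certs/ca.pem it no longer needs insecure = True, and leaving that flag on makes the agent accept whatever certificate it is shown, which undoes the reason for moving Keystone to HTTPS in the first place.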
0

answered 2014-07-31 02:05:17 -0500 by Jakub

I think that the best solution is to leave it as HTTP and put NGINX between the API and the users. We spent some time securing the API and this seems to be the best solution, but you need to translate the output of keystone endpoint-list.


Stats

Asked: 2014-07-21 05:51:27 -0500

Seen: 2,504 times

Last updated: Jul 31 '14