Is it possible to add SSL to the keystone API?
Hi, is it possible to add SSL to the keystone API, so that I can access keystone using the REST API over https and all other services over http?
It seems there is no code corresponding to the insecure parameter in havana. So we added a few lines in /usr/lib/python2.7/dist-packages/neutronclient/client.py to enable insecure = true by default. Now everything is working fine.
Yes. If you do a simple Google search or search in this forum, you can find a lot more answers.
http://docs.openstack.org/havana/conf...
Update 1: What is not working: the command line commands, or the service operation?
You need to add OS_CACERT or insecure to make it work. First try insecure; if that works, then you can use a proper CACERT. Invoke all command line clients with the --insecure option.
Also, in all the services' conf files, under the keystone_authtoken section, make sure that if you specify cafile, it points to the proper location.
Thanks for your response, I followed this link. I added those configurations in the keystone.conf file, changed the keystone endpoint to https, and also updated auth_url to https in all service configuration files. Now glance image-list & nova image-list are working fine, but nova list & neutron commands are not working. Are there any other files to be changed?
Thanks for your update, I added CA_FILE in all configuration files. My controller & neutron node are the same machine and the compute node is on a separate host. So whenever I use commands that communicate with neutron, like neutron net-list & nova list, they fail and show Unauthorized: Unknown auth strategy
Can you copy and paste the keystone_authtoken section of nova.conf or neutron.conf?
[keystone_authtoken]
auth_host = openstack.cloud.com
auth_port = 35357
auth_protocol = https
admin_tenant_name = service
admin_user = neutron
admin_password = neutron
insecure = True
auth_uri = https://openstack.cloud.com:35357
Just check whether there is an auth_strategy option in your config file. Most of the services use auth_strategy=keystone
Yes, it is very well possible. You need to do the following configuration to make it happen:
1. Enable ssl for keystone. Get the required ssl certificates. Update the [ssl] or [eventlet_server_ssl] section, based on your keystone version.
2. Create the keystone endpoint with https.
3. Create the endpoints of the other services as usual (http).
4. Update the auth section of each service with the keystone details. Make sure auth_uri is https.
The following worked for me when I was configuring swift with keystone (ssl):
[filter:authtoken]
admin_tenant_name = service
admin_user = swift
admin_password = Passw0rd
auth_host = keystonehost
auth_port = 35357
auth_protocol = https
auth_uri = https://keystonehost:35357/v3
cafile = /etc/keystone/ssl/certs/ssl_cacert.pem
Asked: 2014-07-24 06:05:59 -0500
Seen: 1,332 times
Last updated: May 19 '15
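A way to check the TLS-related options discussed in this thread (auth_protocol, auth_uri, insecure, cafile) across service configuration files, as an added example that is not part of the original posts or of OpenStack itself. The function name, finding texts and sample strings are assumptions made for illustration; the samples are constructed from the two sections quoted above with credentials omitted.

```python
import configparser
import os

# Section names this page uses for the auth_token middleware settings.
AUTH_SECTIONS = ("keystone_authtoken", "filter:authtoken")

def audit_authtoken(conf_text, check_files=False):
    """Return (section, finding) pairs for the TLS-related auth_token options."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for name in AUTH_SECTIONS:
        if not cp.has_section(name):
            continue
        sec = cp[name]
        proto = sec.get("auth_protocol", "").strip().lower()
        uri = sec.get("auth_uri", "").strip().lower()
        insecure = sec.get("insecure", "false").strip().lower() in ("true", "1", "yes", "on")
        cafile = sec.get("cafile", "").strip()
        if proto != "https":
            findings.append((name, "auth_protocol is not https"))
        if uri and not uri.startswith("https://"):
            findings.append((name, "auth_uri is not an https URL"))
        if insecure:
            findings.append((name, "insecure is set: certificate is not verified"))
        elif proto == "https" and not cafile:
            findings.append((name, "no cafile: required for a private CA"))
        if cafile and check_files and not os.path.isfile(cafile):
            findings.append((name, "cafile does not exist: " + cafile))
    return findings

# Constructed samples modelled on the two sections quoted on this page.
NEUTRON_SAMPLE = """
[keystone_authtoken]
auth_protocol = https
insecure = True
auth_uri = https://openstack.cloud.com:35357
"""
SWIFT_SAMPLE = """
[filter:authtoken]
auth_protocol = https
auth_uri = https://keystonehost:35357/v3
cafile = /etc/keystone/ssl/certs/ssl_cacert.pem
"""

if __name__ == "__main__":
    for text in (NEUTRON_SAMPLE, SWIFT_SAMPLE):
        print(audit_authtoken(text))
```

Pass `check_files=True` when running on the service host itself so that a cafile path pointing at a missing file is reported.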