Is it possible to add SSL to keystone API ?

asked 2014-07-24 06:05:59 -0500

1272 ●55 ●73 ●88 https://www.hellovinot...

Hi, Is it possible to add SSL to keystone API, So that I can access keystone using RESTapi in https and all other service in http?

edit retag flag offensive close merge delete

3 answers

Sort by » oldest newest most voted

0

answered 2014-07-29 23:53:34 -0500

1272 ●55 ●73 ●88 https://www.hellovinot...

It seems there is no code respective to insecure parameter in havana. So we added few lines in /usr/lib/python2.7/dist-packages/neutronclient/client.py for enabling insecure = true by default. Now evrything is working fine.

edit flag offensive delete link

1

answered 2014-07-24 06:39:09 -0500

flag of United States of America

2476 ●10 ●32 http://www.hp.com/

updated 2014-07-24 11:05:04 -0500

Yes, If you do a simple google search or search in this forum you can find lot more answers.

http://docs.openstack.org/havana/conf...

Update 1: What is not working command line commands, or the service operation?

You need to add OS_CACERT or insecure to make it work. First try insecure, if that work then you can use proper CACERT. Invoke all command like clients with --insecure option

Also in all the services conf file under keystone_authtoken section you need to make sure if you specify cafile, it should point to proper location

edit flag offensive delete link

Comments

Thanks for your responce, I followed this link. I added those configrations in keystone.conf file & changed the keystone endpoint to https and also updated auth_url to https in all service configuration files. Now glance image-list & nova image-list working fine but nova list & neutron comands are not working. is anyother files to be change ?

Vinoth ( 2014-07-24 08:20:01 -0500 )edit

Thanks for your update, I added CA_FILE in all configuration files. I have controller & neutron node is same machine and compute node in seprate host. So whenever I used commands to comunicate with neutron like neutron net-list & nova list, it fails and shows Unauthorized: Unknown auth strategy

Vinoth ( 2014-07-25 01:51:10 -0500 )edit

Can you copy paste kesytone_authtoken section of nova.conf or neutron.conf?

Haneef Ali ( 2014-07-27 19:21:10 -0500 )edit

[keystone_authtoken] auth_host = openstack.cloud.com auth_port = 35357 auth_protocol = https admin_tenant_name = service admin_user = neutron admin_password = neutron insecure = True auth_uri = https://openstack.cloud.com:35357

Vinoth ( 2014-07-29 02:44:28 -0500 )edit

Just check is there any auth_strategy option in your config file. Most of the services use auth_strategry=keystone

Haneef Ali ( 2014-07-29 10:53:22 -0500 )edit

see more comments

0

answered 2015-05-19 08:37:06 -0500

deeghuge
158 ●20 ●24 ●36

Yes, It is very well possible. You need to do following configuration to make it happen

1. Enable ssl for keystone. Get the required ssl certificates. Update the [ssl] or [eventlet_server_ssl] based on your keystone version.
2. Create the keystone endpoint with https
3. Create the endpoint of other services as usual(http)
4. Update the auth section of service with keystone details. Make sure to auth_uri is https.

Following worked for me when I was configuring swift with keystone(ssl)

 [filter:authtoken]
        admin_tenant_name = service
        admin_user = swift
        admin_password = Passw0rd
        auth_host = keystonehost
        auth_port = 35357
        auth_protocol = https
        auth_uri = https://keystonehost:35357/v3
        cafile = /etc/keystone/ssl/certs/ssl_cacert.pem

edit flag offensive delete link

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-07-24 06:05:59 -0500

Seen: 1,277 times

Last updated: May 19 '15

Related questions