
Is it possible to add SSL to keystone API?

asked 2014-07-24 06:05:59 -0500

Vinoth

Hi, is it possible to add SSL to the keystone API, so that I can access keystone using the REST API over https and all other services over http?


3 answers


answered 2014-07-29 23:53:34 -0500

Vinoth

It seems there is no code for the insecure parameter in Havana, so we added a few lines in /usr/lib/python2.7/dist-packages/neutronclient/ to enable insecure = true by default. Now everything is working fine.


answered 2014-07-24 06:39:09 -0500

updated 2014-07-24 11:05:04 -0500

Yes, if you do a simple Google search or search in this forum you can find a lot more answers.

Update 1: What is not working: the command-line commands, or the service operation?

You need to add OS_CACERT or insecure to make it work. First try insecure; if that works, then you can use a proper CACERT. Invoke all command-line clients with the --insecure option.

Also, in all the services' conf files, under the keystone_authtoken section, you need to make sure that if you specify cafile, it points to the proper location.



Thanks for your response, I followed this link. I added those configurations in the keystone.conf file, changed the keystone endpoint to https, and also updated auth_url to https in all service configuration files. Now glance image-list & nova image-list are working fine, but nova list & neutron commands are not working. Are there any other files to be changed?

Vinoth (2014-07-24 08:20:01 -0500)

Thanks for your update, I added CA_FILE in all configuration files. My controller & neutron node are the same machine and the compute node is on a separate host. So whenever I use commands that communicate with neutron, like neutron net-list & nova list, it fails and shows Unauthorized: Unknown auth strategy

Vinoth (2014-07-25 01:51:10 -0500)

Can you copy and paste the keystone_authtoken section of nova.conf or neutron.conf?

Haneef Ali (2014-07-27 19:21:10 -0500)

        [keystone_authtoken]
        auth_host =
        auth_port = 35357
        auth_protocol = https
        admin_tenant_name = service
        admin_user = neutron
        admin_password = neutron
        insecure = True
        auth_uri =

Vinoth (2014-07-29 02:44:28 -0500)

Just check whether there is any auth_strategy option in your config file. Most of the services use auth_strategy=keystone

Haneef Ali (2014-07-29 10:53:22 -0500)

answered 2015-05-19 08:37:06 -0500

deeghuge

Yes, it is very well possible. You need to do the following configuration to make it happen:

1. Enable SSL for keystone. Get the required SSL certificates. Update the [ssl] or [eventlet_server_ssl] section, based on your keystone version.
2. Create the keystone endpoint with https.
3. Create the endpoints of other services as usual (http).
4. Update the auth section of each service with the keystone details. Make sure auth_uri is https.

The following worked for me when I was configuring swift with keystone (ssl):

        admin_tenant_name = service
        admin_user = swift
        admin_password = Passw0rd
        auth_host = keystonehost
        auth_port = 35357
        auth_protocol = https
        auth_uri = https://keystonehost:35357/v3
        cafile = /etc/keystone/ssl/certs/ssl_cacert.pem
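An added example, not from any answer in this thread or from the OpenStack code base: a small Python check that reads a service configuration and reports [keystone_authtoken] settings that weaken or break TLS to keystone, such as insecure = True left in place after testing. The function name and both sample sections are constructed for illustration; the option names are the ones posted above.

```python
import configparser

# Constructed samples modelled on the sections posted in this thread.
SAMPLE_INSECURE = """
[keystone_authtoken]
auth_host = keystonehost
auth_port = 35357
auth_protocol = https
admin_tenant_name = service
admin_user = neutron
insecure = True
auth_uri =
"""

SAMPLE_VERIFIED = """
[keystone_authtoken]
auth_host = keystonehost
auth_port = 35357
auth_protocol = https
auth_uri = https://keystonehost:35357/v3
cafile = /etc/keystone/ssl/certs/ssl_cacert.pem
"""

def audit_authtoken(conf_text):
    """Return a list of findings for the [keystone_authtoken] section."""
    # interpolation=None so '%' in passwords is not treated as a template.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("keystone_authtoken"):
        return ["no [keystone_authtoken] section"]
    sec = cp["keystone_authtoken"]
    findings = []
    # Only judge auth_protocol when it is set explicitly.
    proto = sec.get("auth_protocol")
    if proto is not None and proto.strip().lower() != "https":
        findings.append("auth_protocol is not https")
    uri = sec.get("auth_uri", "").strip()
    if not uri:
        findings.append("auth_uri is empty")
    elif not uri.lower().startswith("https://"):
        findings.append("auth_uri is not https")
    truthy = ("true", "1", "yes", "on")
    if sec.get("insecure", "false").strip().lower() in truthy:
        findings.append("insecure = True: certificate verification is disabled")
    elif not sec.get("cafile", "").strip():
        findings.append("no cafile: the default trust store must contain the keystone CA")
    return findings
```

Run it against each service's conf file after the switch to https; an empty list means the section points at keystone over https with verification left on.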
