Ask Your Question
2

How to add more Keystone instances and deal with PKI infrastructure?

asked 2013-10-22 02:30:49 -0500

Bart van den Heuvel gravatar image

updated 2013-10-25 16:50:13 -0500

smaffulli gravatar image

How do people go about installing additional keystone nodes when it comes to the PKI infrastructure. Do you run keystone-manage pki_setup on each node (also the additional nodes). Or is there some of the SSL infrastructure to re-use?

Running 'keystone-manage pki_setup' on each node seems to work. Is there a better way to do it? Is there any documentation?

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-04-06 08:11:14 -0500

eternaltyro gravatar image

updated 2015-04-06 08:35:19 -0500

You'll need to copy over the certificates and manually install them in the right location. Then edit the keystone.conf file in the additional nodes to point it to the right cert and key. 

# Path of the certfile for token signing. (string value)
certfile=/etc/keystone/ssl/certs/signing_cert.pem

# Path of the keyfile for token signing. (string value)
keyfile=/etc/keystone/ssl/private/signing_key.pem

# Path of the CA for token signing. (string value)
ca_certs=/etc/keystone/ssl/certs/ca.pem

# Path of the CA Key for token signing. (string value)
ca_key=/etc/keystone/ssl/private/cakey.pem

# Key Size (in bits) for token signing cert (auto generated
# certificate). (integer value)
key_size=2048

Btw, pki_setup is just for evaluational purposes. In the real world, you'll use a proper TLS cert from a CA or after September 2015, https://letsencrypt.org

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2013-10-22 02:30:49 -0500

Seen: 342 times

Last updated: Apr 06 '15

Related questions

keystone, cert_required and nova

keystone ssl error

keystone-admin-vip/1: SSL handshake failure

keystone and saml, shibboleth

after installing docker, NetworkError: Unable to communicate with keystone

DomainNotFound: Could not find domain: default

Import Error : No module named mysql

Failed to discover available identity versions when contacting http://127.0.0.1:35357/v3. Attempting to parse version from URL. Unable to establish connection to http://127.0.0.1:35357/v3/auth/tokens:

Unable to login into Horizon via Dashboard

How to enable glance cache manage middleware in Grizzly?