9.1. Enabling SSL protocol for Keystone - pon-prisma/OpenStack-Installation-Guide GitHub Wiki
Assumptions:

- Keystone is installed on the controller node. Therefore, unless specified otherwise, package configurations, installation steps etc. refer to the controller node. The Keystone service will be configured to run as a WSGI application inside Apache, served over HTTPS.
- In the present guide, the required certificate is located on the controller at `/etc/ssl/certs/hostcert.pem`, the key at `/etc/ssl/private/hostkey.pem`, and the CA certificates are stored under `/etc/grid-security/certificates`. In the following instructions, replace these filenames and paths with the ones corresponding to your setup.

In the following, replace `$CONTROLLER_DNS_NAME` with the DNS name associated with the public IP of the controller node, and `$CA_cert_path` with the complete filename of the CA certificate.
Apache configuration
- Enable SSL:

  ```
  $ sudo a2enmod ssl
  ```

- Create the configuration file `/etc/apache2/sites-enabled/keystone` with the following content, replacing `${APACHE_LOG_DIR}` with the desired log directory, and adjusting the certificate paths in `SSLCertificateFile`, `SSLCertificateKeyFile`, `SSLCACertificatePath` and `SSLCARevocationPath` so that they match the certificate installation:

  ```
  Listen 5000
  <VirtualHost _default_:5000>
      LogLevel warn
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

      SSLEngine on
      SSLCertificateFile    /etc/ssl/certs/hostcert.pem
      SSLCertificateKeyFile /etc/ssl/private/hostkey.pem
      SSLCACertificatePath  /etc/grid-security/certificates
      SSLCARevocationPath   /etc/grid-security/certificates
      # Client certificates are accepted but not required; +ExportCertData
      # below makes them available to the WSGI application.
      SSLVerifyClient optional
      SSLVerifyDepth 10
      # Note: "all -SSLv2" still permits SSLv3, and this cipher string still
      # enables the RC4, MEDIUM and LOW groups.
      SSLProtocol all -SSLv2
      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
      SSLOptions +StdEnvVars +ExportCertData

      # mod_wsgi requires a unique daemon process group name per definition,
      # and WSGIProcessGroup must reference that same name.
      WSGIDaemonProcess keystone-public user=keystone group=nogroup processes=8 threads=1
      WSGIScriptAlias / /usr/lib/cgi-bin/keystone/main
      WSGIProcessGroup keystone-public
  </VirtualHost>

  Listen 35357
  <VirtualHost _default_:35357>
      LogLevel warn
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

      SSLEngine on
      SSLCertificateFile    /etc/ssl/certs/hostcert.pem
      SSLCertificateKeyFile /etc/ssl/private/hostkey.pem
      SSLCACertificatePath  /etc/grid-security/certificates
      SSLCARevocationPath   /etc/grid-security/certificates
      SSLVerifyClient optional
      SSLVerifyDepth 10
      SSLProtocol all -SSLv2
      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
      SSLOptions +StdEnvVars +ExportCertData

      WSGIDaemonProcess keystone-admin user=keystone group=nogroup processes=8 threads=1
      WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
      WSGIProcessGroup keystone-admin
  </VirtualHost>
  ```

  `hostcert.pem` and `hostkey.pem` are the certificate and private key used for server authentication.
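As a check on the virtual hosts above (an added example, not part of the original guide or of Keystone), the following Python script parses Apache `<VirtualHost>` blocks and reports SSL settings that still admit SSLv3 or the RC4, MEDIUM and LOW cipher groups; `SAMPLE_VHOST` is a constructed excerpt of the port 5000 configuration.

```python
"""Audit the SSL settings of Apache virtual hosts such as the Keystone ones above."""
import re

# Constructed excerpt mirroring the directives of the Keystone vhost on port 5000.
SAMPLE_VHOST = """
Listen 5000
<VirtualHost _default_:5000>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/hostcert.pem
    SSLCertificateKeyFile /etc/ssl/private/hostkey.pem
    SSLVerifyClient optional
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
"""

def parse_vhosts(text):
    """Return {port: {directive: value}} for every <VirtualHost> block."""
    vhosts = {}
    for m in re.finditer(r"<VirtualHost\s+\S+?:(\d+)>(.*?)</VirtualHost>", text, re.S):
        directives = {}
        for line in m.group(2).splitlines():
            parts = line.strip().split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        vhosts[int(m.group(1))] = directives
    return vhosts

def protocol_allows_sslv3(value):
    """'all' enables SSLv3 unless it is explicitly removed with -SSLv3."""
    tokens = value.split()
    return ("all" in tokens or "SSLv3" in tokens) and "-SSLv3" not in tokens

def audit_vhost(directives):
    """Return the findings for one virtual host; an empty list means clean."""
    findings = []
    if directives.get("SSLEngine", "off").lower() != "on":
        findings.append("SSLEngine is not on")
    if protocol_allows_sslv3(directives.get("SSLProtocol", "all")):
        findings.append("SSLProtocol permits SSLv3")
    suite = directives.get("SSLCipherSuite", "")
    for group in ("RC4", "MEDIUM", "LOW"):
        # A group counts as enabled if it appears as a positive term and is not excluded with "!".
        if re.search(r"(^|[:+])%s\b" % group, suite) and "!" + group not in suite:
            findings.append("SSLCipherSuite enables %s ciphers" % group)
    return findings

def audit(text):
    """Audit every virtual host found in an Apache configuration string."""
    return {port: audit_vhost(d) for port, d in parse_vhosts(text).items()}
```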
- Create the directory `/usr/lib/cgi-bin/keystone/` and either write a script `/usr/lib/cgi-bin/keystone/keystone.py` with the following content, or download the corresponding file from GitHub (for Icehouse, the file is at https://github.com/openstack/keystone/blob/stable/icehouse/httpd/keystone.py ):

  ```python
  # Copyright 2013 OpenStack Foundation
  #
  # Licensed under the Apache License, Version 2.0 (the "License"); you may
  # not use this file except in compliance with the License. You may obtain
  # a copy of the License at
  #
  #      http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  # License for the specific language governing permissions and limitations
  # under the License.

  import logging
  import os

  from paste import deploy

  from keystone.openstack.common import gettextutils

  # NOTE(dstanek): gettextutils.enable_lazy() must be called before
  # gettextutils._() is called to ensure it has the desired lazy lookup
  # behavior. This includes cases, like keystone.exceptions, where
  # gettextutils._() is called at import time.
  gettextutils.enable_lazy()

  from keystone.common import dependency
  from keystone.common import environment
  from keystone.common import sql
  from keystone import config
  from keystone.openstack.common import log
  from keystone import service


  CONF = config.CONF

  config.configure()
  sql.initialize()
  config.set_default_for_default_log_levels()

  CONF(project='keystone')
  config.setup_logging()

  environment.use_stdlib()
  # The script is hard-linked as "main" and "admin"; the basename selects the
  # matching pipeline from keystone-paste.ini.
  name = os.path.basename(__file__)

  if CONF.debug:
      CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)


  drivers = service.load_backends()

  # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
  # The following is a reference to Python Paste Deploy documentation
  # http://pythonpaste.org/deploy/
  application = deploy.loadapp('config:%s' % config.find_paste_config(),
                               name=name)

  dependency.resolve_future_dependencies()
  ```
- Create the following links:

  ```
  $ sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/main
  $ sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/admin
  ```

- Modify the file `/etc/apache2/envvars`, adding:

  ```
  export OPENSSL_ALLOW_PROXY_CERTS=1
  ```
HTTPS configuration for Keystone

- Modify the Keystone endpoint (specify the https protocol, and use the hostname `$CONTROLLER_DNS_NAME` rather than the IP, since the hostname is what appears in the server certificate). `$OLD_ENDPOINT_ID` is the id of the existing identity endpoint, as shown by `keystone endpoint-list`:

  ```
  # unset OS_USERNAME OS_AUTH_URL OS_TENANT_NAME OS_PASSWORD
  # export OS_SERVICE_TOKEN=$(cat /etc/keystone/keystone.conf | grep -E "^admin_token" | cut -d'=' -f2 | tr -d ' ')
  # keystone endpoint-delete $OLD_ENDPOINT_ID
  # keystone endpoint-create \
      --service-id=$(keystone service-list | awk '/ identity / {print $2}') \
      --publicurl 'https://'"$CONTROLLER_DNS_NAME"':5000/v2.0' \
      --adminurl 'https://'"$CONTROLLER_DNS_NAME"':35357/v2.0' \
      --internalurl 'https://'"$CONTROLLER_DNS_NAME"':5000/v2.0'
  ```

- Stop Keystone and restart Apache:

  ```
  # service keystone stop
  # service apache2 restart
  ```

- Disable the keystone service by creating the override file:

  ```
  # echo "manual" > /etc/init/keystone.override
  ```

- Test and verify. Set the environment variables (replace `$ADMIN_PASS` with the correct password):

  ```
  # unset OS_SERVICE_ENDPOINT
  # unset OS_SERVICE_TOKEN
  # export OS_USERNAME=admin
  # export OS_PASSWORD=$ADMIN_PASS
  # export OS_AUTH_URL=https://$CONTROLLER_DNS_NAME:5000/v2.0
  # export OS_CACERT=$CA_cert_path
  ```

  Try to run a keystone command, such as:

  ```
  # keystone service-list
  ```

  If the configuration has been modified correctly, the command will not return an error.
Modify the configuration of all active services so that they communicate with Keystone over SSL

Before starting, remember to copy the CA certificate to the compute nodes at the path `$CA_cert_path`.
Horizon

- Modify the file `/etc/openstack-dashboard/local_settings.py` with the following settings:

  ```python
  OPENSTACK_HOST = "$CONTROLLER_DNS_NAME"
  OPENSTACK_KEYSTONE_URL = "https://%s:5000/v2.0" % OPENSTACK_HOST
  # True turns off certificate verification for Horizon's own connections to
  # Keystone; pointing OPENSTACK_SSL_CACERT at the CA file keeps it enabled instead.
  OPENSTACK_SSL_NO_VERIFY = True
  ```
Nova on the controller node and on the compute nodes

- Modify the file `/etc/nova/nova.conf` as follows:

  ```
  [DEFAULT]
  ...
  neutron_ca_certificates_file = $CA_cert_path
  neutron_admin_auth_url = https://$CONTROLLER_DNS_NAME:35357/v2.0
  ...
  [keystone_authtoken]
  ...
  auth_protocol = https
  auth_uri = https://$CONTROLLER_DNS_NAME:5000/v2.0
  cafile = $CA_cert_path
  signing_dir = /var/lib/nova/keystone-signing
  ...
  ```
Glance

- Modify the files `/etc/glance/glance-api.conf` and `/etc/glance/glance-registry.conf`:

  ```
  [keystone_authtoken]
  ...
  auth_uri = https://$CONTROLLER_DNS_NAME:5000/v2.0
  auth_protocol = https
  cafile = $CA_cert_path
  signing_dir = /var/lib/glance/keystone-signing
  ...
  ```
Cinder

- Modify the file `/etc/cinder/cinder.conf`:

  ```
  [keystone_authtoken]
  ...
  service_protocol = https
  service_host = $CONTROLLER_DNS_NAME
  ...
  auth_host = $CONTROLLER_DNS_NAME
  auth_port = 35357
  auth_protocol = https
  cafile = $CA_cert_path
  signing_dir = /var/lib/cinder/keystone-signing
  ...
  ```
Swift

- On the Swift server, modify the file `proxy-server.conf`:

  ```
  [keystone_authtoken]
  ...
  auth_protocol = https
  auth_host = $CONTROLLER_DNS_NAME
  auth_port = 35357
  cafile = $CA_cert_path
  ...
  ```
Neutron

On the network node:

- Modify the file `/etc/neutron/neutron.conf`:

  ```
  [DEFAULT]
  ...
  nova_admin_auth_url = https://$CONTROLLER_DNS_NAME:35357/v2.0
  nova_ca_certificates_file = $CA_cert_path
  ...
  [keystone_authtoken]
  ...
  auth_uri = https://$CONTROLLER_DNS_NAME:5000
  auth_protocol = https
  cafile = $CA_cert_path
  signing_dir = /var/lib/neutron/keystone-signing
  ```

- Apply the patch https://git.openstack.org/cgit/openstack/neutron/commit/?id=b22bc5d4356d118be35d4ab9bf2294cea090c82b:

  - Modify the file `/usr/share/pyshared/neutron/common/config.py`:

    ```python
     99     cfg.StrOpt('nova_admin_auth_url',
    100                default='http://localhost:5000/v2.0',
    101                help=_('Authorization URL for connecting to nova in admin '
    102                       'context')),
    103     cfg.StrOpt('nova_ca_certificates_file',
    104                default=None,
    105                help=_('CA file for novaclient to verify server certificates')),
    ```

    where lines 103-105 have been added to the original file.

  - Modify the file `/usr/share/pyshared/neutron/notifiers/nova.py` as follows:

    ```python
    49         tenant_id=cfg.CONF.nova_admin_tenant_id,
    50         auth_url=cfg.CONF.nova_admin_auth_url,
    51         cacert=cfg.CONF.nova_ca_certificates_file,
    52         bypass_url=bypass_url,
    53         region_name=cfg.CONF.nova_region_name,
    ```

    where line 51 has been added to the original file.

- Modify the file `/etc/neutron/metadata_agent.ini`:

  ```
  [DEFAULT]
  ...
  auth_url = https://$CONTROLLER_DNS_NAME:35357/v2.0
  cafile = $CA_cert_path
  ...
  ```

On the compute nodes:

- Modify the file `/etc/neutron/neutron.conf`:

  ```
  [keystone_authtoken]
  ...
  auth_uri = https://$CONTROLLER_DNS_NAME:5000/v2.0
  auth_protocol = https
  cafile = $CA_cert_path
  signing_dir = /var/lib/neutron/keystone-signing
  ...
  ```
Heat

- Modify the file `/etc/heat/heat.conf`:

  ```
  ...
  [ec2authtoken]
  auth_uri = https://$CONTROLLER_DNS_NAME:5000/v2.0
  ...
  [keystone_authtoken]
  ...
  auth_uri = https://$CONTROLLER_DNS_NAME:5000/v2.0
  auth_protocol = https
  cafile = $CA_cert_path
  signing_dir = /var/lib/heat/keystone-signing
  ```
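To confirm that the service files edited in this section (Nova, Glance, Cinder, Swift, Neutron, Heat) have actually been switched over, the following Python script (an added check, not part of the original guide or of any OpenStack project) reads a config file in the `[keystone_authtoken]` style used above and reports anything still pointing at plain http or lacking a `cafile`; the two inline configs are constructed samples using an example.org hostname.

```python
"""Check that a service config file talks to Keystone over HTTPS with a CA file."""
import configparser
import io

# Constructed samples (example.org hostname): one following the guide, one still on http.
GOOD_NOVA_CONF = """
[DEFAULT]
neutron_ca_certificates_file = /etc/grid-security/ca.pem
neutron_admin_auth_url = https://controller.example.org:35357/v2.0
[keystone_authtoken]
auth_protocol = https
auth_uri = https://controller.example.org:5000/v2.0
cafile = /etc/grid-security/ca.pem
signing_dir = /var/lib/nova/keystone-signing
"""

BAD_CINDER_CONF = """
[keystone_authtoken]
auth_host = controller.example.org
auth_port = 35357
auth_protocol = http
signing_dir = /var/lib/cinder/keystone-signing
"""

# Options, per section, that hold a Keystone or Nova URL and must use https.
URL_OPTIONS = {
    "DEFAULT": ("neutron_admin_auth_url", "nova_admin_auth_url", "auth_url"),
    "keystone_authtoken": ("auth_uri",),
}

def check_service_config(text):
    """Return a list of findings; an empty list means the file matches the guide."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    if not cp.has_section("keystone_authtoken"):
        return ["missing [keystone_authtoken] section"]
    findings = []
    kat = cp["keystone_authtoken"]
    if kat.get("auth_protocol", "http").lower() != "https":
        findings.append("keystone_authtoken.auth_protocol is not https")
    if not kat.get("cafile"):
        findings.append("keystone_authtoken.cafile is not set, so the server certificate is not verified")
    for section, options in URL_OPTIONS.items():
        if section != "DEFAULT" and not cp.has_section(section):
            continue
        for opt in options:
            value = cp[section].get(opt)
            if value and not value.lower().startswith("https://"):
                findings.append("%s.%s does not use https: %s" % (section, opt, value))
    return findings
```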
Restart
Restart all the services whose configuration files have been modified.