Book Image

OpenStack Cloud Computing Cookbook

By : Egle Sigler, Kevin Jackson, Cody Bunch
Book Image

OpenStack Cloud Computing Cookbook

By: Egle Sigler, Kevin Jackson, Cody Bunch

Overview of this book

Table of Contents (19 chapters)
OpenStack Cloud Computing Cookbook Third Edition
Credits
Foreword
About the Authors
About the Reviewers
www.PacktPub.com
Preface
Index

Configuring OpenStack Identity for SSL communication


One of the many updates to this book will be a more hardened all-around approach. To that end, we begin by enabling SSL communication for services with Keystone by default. It is important to note that we will be doing this via self-signed certificates to illustrate how to configure the services. It is strongly recommended that you acquire the appropriate certificates from a Certificate Authority (CA) for deployment in production.

Getting ready

Ensure that you are logged in to the controller node and that it has Internet access to allow us to install the required packages in our environment for running Keystone. If you created this node with Vagrant, you can execute the following command:

vagrant ssh controller

How to do it...

Carry out the following instructions to configure the Keystone service:

  1. Before we can configure Keystone to use SSL, we need to generate the required OpenSSL Certificates. To do so, log in to the server that is running Keystone and issue the following commands:

    sudo apt-get install python-keystoneclient
    keystone-manage ssl_setup --keystone-user keystone \--keystone-group keystone
    

    Tip

    The command keystone-manage ssl_setup is not intended for production use. This is a convenient tool for creating self-signed certificates for Keystone.

  2. Once our certificates are generated, we can use them when communicating with our Keystone service. We can refer to the generated CA file for our other services by placing this in an accessible place. To do so, issue the following commands:

    sudo cp /etc/keystone/ssl/certs/ca.pem /etc/ssl/certs/ca.pem
    sudo c_rehash /etc/ssl/certs/ca.pem
    
  3. We also take the same CA and CA Key file to use on our client, so copy these where you will be running the relevant python-*client tools. In our Vagrant environment, we can copy this to our host as follows:

    sudo cp /etc/keystone/ssl/certs/ca.pem /vagrant/ca.pem
    sudo cp /etc/keystone/ssl/certs/cakey.pem /vagrant/cakey.pem
    
  4. We then need to edit the Keystone configuration file /etc/keystone/keystone.conf to include the following section:

    [ssl]
    enable = True
    certfile = /etc/keystone/ssl/certs/keystone.pem
    keyfile = /etc/keystone/ssl/private/keystonekey.pem
    ca_certs = /etc/keystone/ssl/certs/ca.pem
    cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.100.200
    ca_key = /etc/keystone/ssl/certs/cakey.pem
  5. Finally, restart the Keystone service:

    sudo stop keystone
    sudo start keystone
    

How it works...

The OpenStack services normally intercommunicate via standard HTTP requests. This provides a large degree of flexibility, but it comes at the cost of all communication happening in plain text. By adding SSL certificates and changing Keystone's configuration, all communication with Keystone will now be encrypted via HTTPS.