- OpenStack Cloud Computing Cookbook(Third Edition)
- Kevin Jackson Cody Bunch Egle Sigler
- 393字
- 2021-07-16 20:39:12
Configuring OpenStack Identity for SSL communication
One of the many updates to this book will be a more hardened all-around approach. To that end, we begin by enabling SSL communication for services with Keystone by default. It is important to note that we will be doing this via self-signed certificates to illustrate how to configure the services. It is strongly recommended that you acquire the appropriate certificates from a Certificate Authority (CA) for deployment in production.
Getting ready
Ensure that you are logged in to the controller node and that it has Internet access to allow us to install the required packages in our environment for running Keystone. If you created this node with Vagrant, you can execute the following command:
vagrant ssh controller
How to do it...
Carry out the following instructions to configure the Keystone service:
- Before we can configure Keystone to use SSL, we need to generate the required OpenSSL Certificates. To do so, log in to the server that is running Keystone and issue the following commands:
sudo apt-get install python-keystoneclient keystone-manage ssl_setup --keystone-user keystone \--keystone-group keystone
- Once our certificates are generated, we can use them when communicating with our Keystone service. We can refer to the generated CA file for our other services by placing this in an accessible place. To do so, issue the following commands:
sudo cp /etc/keystone/ssl/certs/ca.pem /etc/ssl/certs/ca.pem sudo c_rehash /etc/ssl/certs/ca.pem
- We also take the same CA and CA Key file to use on our client, so copy these where you will be running the relevant
python-*clienttools. In our Vagrant environment, we can copy this to our host as follows:sudo cp /etc/keystone/ssl/certs/ca.pem /vagrant/ca.pem sudo cp /etc/keystone/ssl/certs/cakey.pem /vagrant/cakey.pem
- We then need to edit the Keystone configuration file
/etc/keystone/keystone.confto include the following section:[ssl] enable = True certfile = /etc/keystone/ssl/certs/keystone.pem keyfile = /etc/keystone/ssl/private/keystonekey.pem ca_certs = /etc/keystone/ssl/certs/ca.pem cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.100.200 ca_key = /etc/keystone/ssl/certs/cakey.pem
- Finally, restart the Keystone service:
sudo stop keystone sudo start keystone
How it works...
The OpenStack services normally intercommunicate via standard HTTP requests. This provides a large degree of flexibility, but it comes at the cost of all communication happening in plain text. By adding SSL certificates and changing Keystone's configuration, all communication with Keystone will now be encrypted via HTTPS.
- DBA攻堅(jiān)指南:左手Oracle,右手MySQL
- Flutter開(kāi)發(fā)實(shí)戰(zhàn)詳解
- Practical UX Design
- Blockly創(chuàng)意趣味編程
- Learning Data Mining with R
- H5頁(yè)面設(shè)計(jì):Mugeda版(微課版)
- 高級(jí)語(yǔ)言程序設(shè)計(jì)(C語(yǔ)言版):基于計(jì)算思維能力培養(yǎng)
- D3.js 4.x Data Visualization(Third Edition)
- WordPress 4.0 Site Blueprints(Second Edition)
- C# Multithreaded and Parallel Programming
- C指針原理揭秘:基于底層實(shí)現(xiàn)機(jī)制
- SwiftUI極簡(jiǎn)開(kāi)發(fā)
- Android應(yīng)用開(kāi)發(fā)實(shí)戰(zhàn)(第2版)
- C++程序設(shè)計(jì)
- 數(shù)據(jù)科學(xué)中的實(shí)用統(tǒng)計(jì)學(xué)(第2版)