- OpenStack Cloud Computing Cookbook (Third Edition)
- Kevin Jackson, Cody Bunch, Egle Sigler
- 2021-07-16 20:39:12
Configuring OpenStack Identity for SSL communication
One of the many updates to this book will be a more hardened all-around approach. To that end, we begin by enabling SSL communication for services with Keystone by default. It is important to note that we will be doing this via self-signed certificates to illustrate how to configure the services. It is strongly recommended that you acquire the appropriate certificates from a Certificate Authority (CA) for deployment in production.
Getting ready
Ensure that you are logged in to the controller node and that it has Internet access to allow us to install the required packages in our environment for running Keystone. If you created this node with Vagrant, you can execute the following command:
vagrant ssh controller
How to do it...
Carry out the following instructions to configure the Keystone service:
- Before we can configure Keystone to use SSL, we need to generate the required OpenSSL Certificates. To do so, log in to the server that is running Keystone and issue the following commands:
sudo apt-get install python-keystoneclient
keystone-manage ssl_setup --keystone-user keystone \
    --keystone-group keystone
- Once our certificates are generated, we can use them when communicating with our Keystone service. We can refer to the generated CA file for our other services by placing this in an accessible place. To do so, issue the following commands:
sudo cp /etc/keystone/ssl/certs/ca.pem /etc/ssl/certs/ca.pem
# c_rehash works on a directory of certificates, not on a single file
sudo c_rehash /etc/ssl/certs
- We also take the same CA and CA Key file to use on our client, so copy these where you will be running the relevant python-*client tools. In our Vagrant environment, we can copy this to our host as follows:
sudo cp /etc/keystone/ssl/certs/ca.pem /vagrant/ca.pem
sudo cp /etc/keystone/ssl/certs/cakey.pem /vagrant/cakey.pem
- We then need to edit the Keystone configuration file /etc/keystone/keystone.conf to include the following section:
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.100.200
ca_key = /etc/keystone/ssl/certs/cakey.pem
- Finally, restart the Keystone service:
sudo stop keystone
sudo start keystone
How it works...
The OpenStack services normally intercommunicate via standard HTTP requests. This provides a large degree of flexibility, but it comes at the cost of all communication happening in plain text. By adding SSL certificates and changing Keystone's configuration, all communication with Keystone will now be encrypted via HTTPS.
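To check the [ssl] section from the steps above before relying on it, the following added example (not code from the book or from Keystone) audits a keystone.conf for the settings this recipe depends on: SSL enabled, the referenced files present, private key files closed to group and other, and a cert_subject CN that names the address clients use. The function names, the endpoint_host parameter and the placeholder files written by build_sample are assumptions made for the example.

```python
import configparser
import stat
import tempfile
from pathlib import Path

REQUIRED = ("certfile", "keyfile", "ca_certs")  # files the recipe's [ssl] section names
PRIVATE = ("keyfile", "ca_key")                 # options that point at private keys

def audit_keystone_ssl(conf_path, endpoint_host):
    """Return a list of findings for the [ssl] section of a keystone.conf."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(conf_path)
    if not cfg.has_section("ssl"):
        return ["no [ssl] section"]
    ssl_cfg, findings = cfg["ssl"], []
    if not ssl_cfg.getboolean("enable", fallback=False):
        findings.append("enable is not True")
    for opt in REQUIRED:
        if not Path(ssl_cfg.get(opt, "")).is_file():
            findings.append(f"{opt}: file not found")
    for opt in PRIVATE:
        key = Path(ssl_cfg.get(opt, ""))
        # Private keys should be accessible to the owning service account only.
        if key.is_file() and stat.S_IMODE(key.stat().st_mode) & 0o077:
            findings.append(f"{opt}: accessible by group/other")
    # Assumption: clients reach Keystone at endpoint_host, so cert_subject should name it.
    fields = dict(f.split("=", 1) for f in ssl_cfg.get("cert_subject", "").split("/") if "=" in f)
    if fields.get("CN") != endpoint_host:
        findings.append(f"cert_subject CN {fields.get('CN')!r} != {endpoint_host!r}")
    return findings

def build_sample(root, key_mode=0o600, enable="True"):
    """Write a constructed keystone.conf plus placeholder key/cert files under root."""
    names = {"certfile": "keystone.pem", "keyfile": "keystonekey.pem",
             "ca_certs": "ca.pem", "ca_key": "cakey.pem"}
    lines = ["[ssl]", f"enable = {enable}",
             "cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.100.200"]
    for opt, name in names.items():
        path = Path(root, name)
        path.write_text("placeholder, not a real PEM\n")
        path.chmod(key_mode if opt in PRIVATE else 0o644)
        lines.append(f"{opt} = {path}")
    conf = Path(root, "keystone.conf")
    conf.write_text("\n".join(lines) + "\n")
    return conf

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_keystone_ssl(build_sample(tmp, key_mode=0o644), "192.168.100.200"))
```

On the controller, point audit_keystone_ssl at /etc/keystone/keystone.conf and run it as a user that can stat the key files; an empty list means none of the four checks fired.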