- OpenStack Cloud Computing Cookbook(Third Edition)
- Kevin Jackson Cody Bunch Egle Sigler
- 393字
- 2021-07-16 20:39:12
Configuring OpenStack Identity for SSL communication
One of the many updates to this book will be a more hardened all-around approach. To that end, we begin by enabling SSL communication for services with Keystone by default. It is important to note that we will be doing this via self-signed certificates to illustrate how to configure the services. It is strongly recommended that you acquire the appropriate certificates from a Certificate Authority (CA) for deployment in production.
Getting ready
Ensure that you are logged in to the controller node and that it has Internet access to allow us to install the required packages in our environment for running Keystone. If you created this node with Vagrant, you can execute the following command:
vagrant ssh controller
How to do it...
Carry out the following instructions to configure the Keystone service:
- Before we can configure Keystone to use SSL, we need to generate the required OpenSSL Certificates. To do so, log in to the server that is running Keystone and issue the following commands:
sudo apt-get install python-keystoneclient keystone-manage ssl_setup --keystone-user keystone \--keystone-group keystone
- Once our certificates are generated, we can use them when communicating with our Keystone service. We can refer to the generated CA file for our other services by placing this in an accessible place. To do so, issue the following commands:
sudo cp /etc/keystone/ssl/certs/ca.pem /etc/ssl/certs/ca.pem sudo c_rehash /etc/ssl/certs/ca.pem
- We also take the same CA and CA Key file to use on our client, so copy these where you will be running the relevant
python-*clienttools. In our Vagrant environment, we can copy this to our host as follows:sudo cp /etc/keystone/ssl/certs/ca.pem /vagrant/ca.pem sudo cp /etc/keystone/ssl/certs/cakey.pem /vagrant/cakey.pem
- We then need to edit the Keystone configuration file
/etc/keystone/keystone.confto include the following section:[ssl] enable = True certfile = /etc/keystone/ssl/certs/keystone.pem keyfile = /etc/keystone/ssl/private/keystonekey.pem ca_certs = /etc/keystone/ssl/certs/ca.pem cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.100.200 ca_key = /etc/keystone/ssl/certs/cakey.pem
- Finally, restart the Keystone service:
sudo stop keystone sudo start keystone
How it works...
The OpenStack services normally intercommunicate via standard HTTP requests. This provides a large degree of flexibility, but it comes at the cost of all communication happening in plain text. By adding SSL certificates and changing Keystone's configuration, all communication with Keystone will now be encrypted via HTTPS.
- LabVIEW 2018 虛擬儀器程序設計
- DevOps for Networking
- Apache Spark 2 for Beginners
- 薛定宇教授大講堂(卷Ⅳ):MATLAB最優化計算
- Kinect for Windows SDK Programming Guide
- Instant RubyMotion App Development
- Corona SDK Mobile Game Development:Beginner's Guide(Second Edition)
- 精通Python自動化編程
- 區塊鏈項目開發指南
- Oracle數據庫編程經典300例
- Laravel Application Development Blueprints
- PHP與MySQL權威指南
- JQuery風暴:完美用戶體驗
- 軟件工程與UML案例解析(第三版)
- C語言程序設計教程