- OpenStack Cloud Computing Cookbook(Third Edition)
- Kevin Jackson Cody Bunch Egle Sigler
- 393字
- 2021-07-16 20:39:12
Configuring OpenStack Identity for SSL communication
One of the many updates to this book will be a more hardened all-around approach. To that end, we begin by enabling SSL communication for services with Keystone by default. It is important to note that we will be doing this via self-signed certificates to illustrate how to configure the services. It is strongly recommended that you acquire the appropriate certificates from a Certificate Authority (CA) for deployment in production.
Getting ready
Ensure that you are logged in to the controller node and that it has Internet access to allow us to install the required packages in our environment for running Keystone. If you created this node with Vagrant, you can execute the following command:
vagrant ssh controller
How to do it...
Carry out the following instructions to configure the Keystone service:
- Before we can configure Keystone to use SSL, we need to generate the required OpenSSL Certificates. To do so, log in to the server that is running Keystone and issue the following commands:
sudo apt-get install python-keystoneclient keystone-manage ssl_setup --keystone-user keystone \--keystone-group keystone
- Once our certificates are generated, we can use them when communicating with our Keystone service. We can refer to the generated CA file for our other services by placing this in an accessible place. To do so, issue the following commands:
sudo cp /etc/keystone/ssl/certs/ca.pem /etc/ssl/certs/ca.pem sudo c_rehash /etc/ssl/certs/ca.pem
- We also take the same CA and CA Key file to use on our client, so copy these where you will be running the relevant
python-*clienttools. In our Vagrant environment, we can copy this to our host as follows:sudo cp /etc/keystone/ssl/certs/ca.pem /vagrant/ca.pem sudo cp /etc/keystone/ssl/certs/cakey.pem /vagrant/cakey.pem
- We then need to edit the Keystone configuration file
/etc/keystone/keystone.confto include the following section:[ssl] enable = True certfile = /etc/keystone/ssl/certs/keystone.pem keyfile = /etc/keystone/ssl/private/keystonekey.pem ca_certs = /etc/keystone/ssl/certs/ca.pem cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.100.200 ca_key = /etc/keystone/ssl/certs/cakey.pem
- Finally, restart the Keystone service:
sudo stop keystone sudo start keystone
How it works...
The OpenStack services normally intercommunicate via standard HTTP requests. This provides a large degree of flexibility, but it comes at the cost of all communication happening in plain text. By adding SSL certificates and changing Keystone's configuration, all communication with Keystone will now be encrypted via HTTPS.
- 微服務設計(第2版)
- HornetQ Messaging Developer’s Guide
- Android Wearable Programming
- Raspberry Pi for Python Programmers Cookbook(Second Edition)
- .NET之美:.NET關鍵技術深入解析
- 零基礎學MQL:基于EA的自動化交易編程
- 老“碼”識途
- Mastering Ext JS
- Python開發基礎
- 玩轉.NET Micro Framework移植:基于STM32F10x處理器
- 從零開始學UI:概念解析、實戰提高、突破規則
- Mastering Leap Motion
- Clojure Web Development Essentials
- 軟件測試(慕課版)
- HTML并不簡單:Web前端開發精進秘籍