Red Hat Bugzilla – Bug 817846
Add in SSL Support
Last modified: 2013-03-01 17:00:58 EST
Description of problem:
Keystone is the authentication server, but currently all traffic goes in the clear.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install and run according to the Getting Started guide
Traffic goes in clear
Traffic should go via SSL
To get good SSL support will require running in HTTPD.
It will also require notes on getting the other components to talk to Keystone via port 443
Created attachment 581403 [details]
WSGI connector file, to be linked in /var/www/cgi-bin or comparable directory
This will put the admin server under /keystone/admin and the main Keystone server under /keystone/main. I did this by hardlinking the keystone.py wsgi file into /var/www/cgi-bin, but it probably should be under /usr/share from an RPM, and then either linked or copied into place.
[ayoung@ayoung apache-websocket]$ cat /etc/httpd/conf.d/keystone.conf
WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
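To show what the HTTPD front end looks like once SSL termination is added, here is an httpd virtual host that serves the same two WSGI aliases as the attached keystone.conf only over TLS. This is an added example, not the attachment from this bug; the hostname, certificate paths and the keystone user/group are assumptions, and it uses httpd 2.2 access-control syntax (the 2.4 equivalent is noted in a comment).

```apache
# Added example, not the attached keystone.conf. Hostname, certificate
# paths and the keystone user/group are placeholders.
# "Listen 443" is normally supplied by mod_ssl's ssl.conf on Fedora/EPEL,
# so it is not repeated here.

<VirtualHost *:443>
    ServerName keystone.example.com

    # Terminate SSL here; Keystone itself keeps speaking plain WSGI to httpd.
    SSLEngine on
    # Placeholder paths: server certificate, private key and issuing chain.
    SSLCertificateFile      /etc/pki/tls/certs/keystone.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/keystone.key
    SSLCertificateChainFile /etc/pki/tls/certs/keystone-chain.crt
    # Disable the legacy protocol versions.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on

    # Run Keystone in dedicated daemon processes as an unprivileged user
    # instead of inside the httpd worker processes.
    WSGIDaemonProcess keystone user=keystone group=keystone processes=2 threads=4
    WSGIProcessGroup  keystone

    # Same two aliases as the attachment: main (public) and admin API.
    WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
    WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin

    <Directory /var/www/cgi-bin/keystone>
        # httpd 2.2 syntax; on httpd 2.4 use "Require all granted" instead.
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Do not serve the API in the clear on port 80: send clients to HTTPS.
<VirtualHost *:80>
    ServerName keystone.example.com
    Redirect permanent /keystone https://keystone.example.com/keystone
</VirtualHost>
```

With this in place the other components are pointed at https://keystone.example.com/keystone/main and https://keystone.example.com/keystone/admin (port 443) rather than the 5000/35357 ports, and they must trust the CA that issued the server certificate.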
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Fixed upstream with https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902
Additional work by Derrek Higgens has shown how we can front with HTTPD for SSL termination.
In case the CA certificate does not come with the distribution, python-keystoneclient fails due to validation of the CA.
Jose, I think that is the correct behavior. CA and Certificate management are always part of dealing with SSL.
The CA should not come from the distribution; it is up to the system administrator to distribute the CA.
python-keystoneclient uses the python-httplib package. This package gets the CA certificates from /etc/pki/tls/certs/ca-bundle.crt, as it is patched in the RPM from EPEL.
In our case, the CA is not in the bundle and keystoneclient is taking the default one, so I saw several possibilities:
- specify as an extra parameter to keystoneclient
- append our CA chain in ca-bundle.crt
- modify httplib to point to our bundle
The latter two possibilities are not friendly to maintain, which is why I was asking upstream to have an extra parameter for when the CA is not in the bundle.
SSL support is in upstream, Fedora, and EPEL