[openstack-dev] SSL and devstack
Gabriel Hurley
Gabriel.Hurley at nebula.com
Sat Oct 27 20:28:32 UTC 2012
Are you advocating enabling SSL just for Keystone? Or for all services? I don't think you are (and hope you're not) advocating enabling it by default for Horizon since browsers will throw up the red "untrusted certificate" page and I don't want to train people to click through that.
Moreover, though most of the clients support certificate checking, only some of the clients (keystoneclient included) support checking against a user-specified certificate. I'm in favor of the work being done to bring all the clients into line there; I'm just putting it forward that right now it's not all there to the best of my knowledge.
- Gabriel
> -----Original Message-----
> From: Adam Young [mailto:ayoung at redhat.com]
> Sent: Friday, October 26, 2012 6:17 PM
> To: OpenStack Development Mailing List
> Subject: [openstack-dev] SSL and devstack
>
> Although SSL in Python is slow, we really should enable it in devstack from
> here on out. My understanding is that people with live deployments front
> Keystone with some other SSL terminator. We should thus plan on running
> the python-keystoneclient code through SSL by default to make sure all SSL
> issues are shaken out.
>
> If you run keystone-manage --pki_setup it generates a CA certificate for
> you. This is done by default in devstack, in order to get pki tokens to work.
> However, there are no SSL certificates provided. The config documentation
> states: "a set of sample certificates is provided in the examples/ssl directory
> with the Keystone distribution for testing." However, it uses a different CA
> than the one in the test/signing, so there is no one set of certificates we can
> provide.
>
> I think I would like to add an additional option to the keystone-manage
> CLI: --ssl_setup. What I would like to do is gather what the requirements for
> this should be. To start:
>
> 1. If no CA is in the path indicated by the config file, generate a self signed
> one. The assumption is that this code will be common between pki and ssl
> setup.
> 2. Use the CA from the above path to sign the ssl certificate.
>
> I am assuming that most organizations large enough to have OpenStack have
> their own Public Key Infrastructure. Thus, the self signed CA and SSL cert
> should not be the norm. What I am wondering is if there is anything we
> should be doing for those cases. There is no standard for remotely
> submitting a Certificate Signing Request (CSR) and getting back a signed
> certificate. We can generate a csr based on the hostname of the machine,
> and that way we know that the certificate is formatted for SSL, but is it really
> better to write a tool to do this (it is going to be done once every year or thereabouts)
> about) or just point the users at decent documentation about how to do it
> themselves?
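The two steps Adam sketches for a --ssl_setup option (reuse the CA at the configured path or create a self-signed one, then sign a host certificate with it), together with the client-side check Gabriel raises (verifying against a user-specified CA rather than the system trust store), as an added example in shell using the openssl CLI. This is not Keystone's code and not what keystone-manage does; the directory layout, file names, CA name, certificate lifetime and hostname are assumptions.

```shell
#!/bin/sh
# Added example, not keystone-manage: sketch of the proposed --ssl_setup flow.
#   1. if no CA exists in DIR, generate a self-signed one (the part that would
#      be shared with pki_setup)
#   2. build a CSR named after the host and sign it with that CA
# Then check the result the way a client trusting a user-specified CA would.
set -eu

# ssl_setup DIR HOSTNAME: idempotent; an existing DIR/ca.crt + ca.key is reused.
ssl_setup() {
    dir=$1; host=$2
    mkdir -p "$dir"
    if [ ! -f "$dir/ca.crt" ] || [ ! -f "$dir/ca.key" ]; then
        # Step 1: self-signed CA. Config is written inline so the result does
        # not depend on whatever openssl.cnf the system ships. (Assumed CA name.)
        cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = devstack-test-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    fi
    # Step 2: key + CSR for the host, then sign it with the CA from step 1.
    cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/server.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Leaf extensions: not a CA, server auth only, and a SAN for the host,
    # which is what client hostname checking actually looks at.
    cat > "$dir/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_with_ca DIR HOSTNAME: succeeds only if server.crt chains to DIR/ca.crt
# and its SAN matches HOSTNAME, i.e. the check a client pointed at this CA makes.
verify_with_ca() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# verify_system_trust DIR: the same certificate against the default trust store
# only. Expected to fail: nothing there vouches for a throwaway CA, which is why
# a client has to be told which CA to trust.
verify_system_trust() {
    openssl verify "$1/server.crt" >/dev/null 2>&1
}

# ca_fingerprint DIR: prints the CA fingerprint; lets a caller confirm that a
# second run reused the CA rather than silently replacing it.
ca_fingerprint() {
    openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256
}

# Usage: sh ssl_setup.sh /etc/keystone/ssl [hostname]
if [ -n "${1:-}" ]; then
    ssl_setup "$1" "${2:-$(hostname)}"
    verify_with_ca "$1" "${2:-$(hostname)}" && echo "chain OK against $1/ca.crt"
fi
```

Running it twice against the same directory leaves ca.crt untouched and reissues only the server certificate, which is the behaviour step 1 in the proposal implies; verify_system_trust failing while verify_with_ca succeeds is the situation Gabriel describes, where a client only passes if it can be given the CA to check against.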