[Openstack-security] Enabling SSL/HTTPS for REST API

Hassan Shaik hshaik at gmail.com
Fri Nov 15 01:15:25 UTC 2013


Also, can the SSL proxy terminator (based on Apache httpd) reside on the
same controller box? I think httpd won't be able to listen on the same virtual
host ports. In that case, it should be on a different server. If someone has
tried this in their setups, please share the details on how you set this up.

Appreciate your help.

Regards,
Hassan


On Thu, Nov 14, 2013 at 12:35 AM, Hassan Shaik <hshaik at gmail.com> wrote:

> Thanks Bryan & Nathan for your replies.
>
> Bryan,
> 1. Does this mean SSL support is not present for nova/glance API directly?
> 2. Also, do we need to make use of an SSL proxy terminator along with
> enabling SSL in the keystone service (which seems to have SSL functionality
> implemented for this service)?
> 3. From the given link, I see the virtual host entries for the 80 (Dashboard)
> and 8447 (nova compute) ports. Do we need to add entries for the other endpoint
> URLs (excluding the keystone service) as well?
>
>
>
> Regards,
> Hassan
>
>
> On Wed, Nov 13, 2013 at 10:00 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>
>> Hassan,
>>
>> In a production setting, the preferred way to do this is with an SSL
>> terminator.  There are some details in the OpenStack Security Guide:
>>
>> http://docs.openstack.org/security-guide/content/ch020_ssl-everywhere.html
>>
>> Cheers,
>> -bryan
>>
>>
>>
>>
>> On Wed, Nov 13, 2013 at 5:59 PM, Hassan Shaik <hshaik at gmail.com> wrote:
>>
>>> Hello Openstack security experts,
>>>
>>> I am trying to enable SSL/HTTPS in openstack REST API for all services
>>> (nova/glance endpoint URL). However, I see the documentation to enable SSL
>>> on keystone service alone.
>>>
>>>
>>> http://docs.openstack.org/grizzly/openstack-compute/admin/content//keystone-ssl.html
>>> http://docs.openstack.org/developer/keystone/configuration.html
>>>
>>> 1. Am I missing something? Is SSL/HTTPS supported for nova/glance API
>>> too?
>>> 2. Also, when I try to enable SSL in keystone service, all nova/glance
>>> CLI fail to work after the change. And, the debug shows it is trying to
>>> make use of http even after enabling SSL.
>>>
>>> # nova --debug list
>>>
>>> REQ: curl -i *http*://openstack-ip:5000/v2.0/tokens -X POST -H
>>> "Content-Type: application/json" -H "Accept: application/json" -H
>>> "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin",
>>> "passwordCredentials": {"username": "admin", "password": "admin_pass"}}}'
>>>
>>> Appreciate your help.
>>>
>>> Thanks,
>>> Hassan