<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:"Courier New \;color\:\#333333";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
h1
        {mso-style-priority:9;
        mso-style-link:"Heading 1 Char";
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:24.0pt;
        font-family:"Times New Roman","serif";
        color:black;
        font-weight:bold;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";
        color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
span.Heading1Char
        {mso-style-name:"Heading 1 Char";
        mso-style-priority:9;
        mso-style-link:"Heading 1";
        font-family:"Times New Roman","serif";
        font-weight:bold;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";
        color:black;}
span.EmailStyle24
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.yui3-editabletext-text
        {mso-style-name:yui3-editable_text-text;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle27
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle28
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle29
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:793063061;
        mso-list-type:hybrid;
        mso-list-template-ids:-1240071718 392625790 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-start-at:0;
        mso-level-number-format:bullet;
        mso-level-text:\F0F0;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;
        mso-fareast-font-family:SimSun;
        mso-bidi-font-family:"Times New Roman";}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">It still does not work…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">keystone user-list<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">Authorization Failed: Unable to sign token. (HTTP 500)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-chen<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">id<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">uid=0(root) gid=0(root) groups=0(root)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">keystone-manage pki_setup  --keystone-user 0 --keystone-group 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Generating RSA private key, 2048 bit long modulus<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">..................................................................................................................................................+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">.......................................+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">e is 65537 (0x10001)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days
 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Generating RSA private key, 2048 bit long modulus<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">........+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">..+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">e is 65537 (0x10001)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf
 -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d
 -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Using configuration from /etc/keystone/ssl/certs/openssl.conf<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Check that the request matches the signature<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Signature ok<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">The Subject's Distinguished Name is as follows<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">countryName           :PRINTABLE:'US'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">stateOrProvinceName   :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">localityName          :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">organizationName      :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">commonName            :ASN.1 12:'www.example.com'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Certificate is to be certified until Mar  3 05:01:20 2024 GMT (3650 days)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Write out database with 1 new entries<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Data Base Updated<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Ali, Haneef [mailto:haneef.ali@hp.com]
<br>
<b>Sent:</b> Thursday, March 06, 2014 12:53 PM<br>
<b>To:</b> Li, Chen; Adam Young; openstack@lists.openstack.org<br>
<b>Subject:</b> RE: [Openstack] issue when I using PKI for token format<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
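<p class="MsoNormal"><span style="color:#1F497D">The user/group are not the user and group created in Keystone. They are the Unix user and Unix group. Just run the “id” command in Unix and take the user name and group name. pki_setup hands ownership of the generated key and certificate files to that user and group, so they need to be the account the Keystone service itself runs as; otherwise the service may be unable to read its signing key.
<o:p></o:p></span></p>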
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Haneef<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Li, Chen [<a href="mailto:chen.li@intel.com">mailto:chen.li@intel.com</a>]
<br>
<b>Sent:</b> Wednesday, March 05, 2014 8:22 PM<br>
<b>To:</b> Adam Young; <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack] issue when I using PKI for token format<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I remember that somewhere I was asked to do that at the very beginning…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">But I can’t reproduce that anymore.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Anyway, when I run the command <o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">        keystone-manage pki_setup<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I get :<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">usage: keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] pki_setup<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">       [-h] --keystone-user KEYSTONE_USER --keystone-group KEYSTONE_GROUP<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] pki_setup: error: argument --keystone-user is required<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:Wingdings;color:#1F497D"><span style="mso-list:Ignore">ð<span style="font:7.0pt "Times New Roman""> 
</span></span></span><![endif]><span style="color:#1F497D"> I change my ENV to:<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D">        export SERVICE_TOKEN=ADMIN<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D">       export SERVICE_ENDPOINT=http://host-keystone:35357/v2.0<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D">Then run <o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:.5in"><span style="color:#1F497D">keystone user-list<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">+----------------------------------+---------+---------+-------+<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">|                id                |   name  | enabled | email |<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">+----------------------------------+---------+---------+-------+<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">| 618d4218ae584b25a5c0594a6dd1efd4 |  cinder |   True  |       |<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">| 851c80fe95d64569a701ca0f461e87eb |  glance |   True  |       |<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">| dad121e464174060a4eb46c5fed019bf |  lichen |   True  |       |<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">| 958cb6cb788643b79125f1af5d7846d9 | neutron |   True  |       |<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">| 43ecc4544517446e85ecaca34416244b |   nova  |   True  |       |<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="color:#1F497D">+----------------------------------+---------+---------+-------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">keystone tenant-list<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">+----------------------------------+----------+---------+<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">|                id                |   name   | enabled |<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">+----------------------------------+----------+---------+<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">| 044f5ddb818f4b78b9f4aa0e0affd05d | services |   True  |<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">| 1e57be810f854bcdb73901567140ac48 |   test   |   True  |<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">+----------------------------------+----------+---------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D">Then run <o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">                keystone-manage pki_setup  --keystone-user dad121e464174060a4eb46c5fed019bf --keystone-group 1e57be810f854bcdb73901567140ac48<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">                I get :<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="color:#1F497D">2014-03-06 12:20:04.841 19854 CRITICAL keystone [-] Unknown user 'dad121e464174060a4eb46c5fed019bf' in --keystone-user<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D">Then run <o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:.5in"><span style="color:#1F497D">keystone-manage pki_setup  --keystone-user lichen --keystone-group 1e57be810f854bcdb73901567140ac48<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">                I get :<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:.5in"><span style="color:#1F497D">2014-03-06 12:20:59.792 20029 CRITICAL keystone [-] Unknown user 'lichen' in --keystone-user<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D">Then run <o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:.5in"><span style="color:#1F497D">keystone-manage pki_setup  --keystone-user lichen --keystone-group test<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">                I get :<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:.5in"><span style="color:#1F497D">2014-03-06 12:21:24.603 20113 CRITICAL keystone [-] Unknown user 'lichen' in --keystone-user<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I don’t know how to run the command anymore…..<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-chen<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Adam Young [<a href="mailto:ayoung@redhat.com">mailto:ayoung@redhat.com</a>]
<br>
<b>Sent:</b> Thursday, March 06, 2014 11:56 AM<br>
<b>To:</b> <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack] issue when I using PKI for token format<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 03/05/2014 08:59 PM, Li, Chen wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:.2in;margin-left:0in;line-height:13.5pt;background:white">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">Hi,</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:.2in;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px" id="yui_3_10_3_1_1394071144129_1901">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">I'm working under CentOS 6.4 + Havana, my keystone version is:<br>
          openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:.2in;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">When I run command "keystone user-list", I get error:<br>
         Authorization Failed: Unable to sign token. (HTTP 500)</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:.2in;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">I can get error information in both "keystone-startup.log" and "keystone.log":</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Did you run keystone-manage pki_setup?  The problem is something with your certificates.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:.2in;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'<br>
2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to sign token<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback (most recent call last):<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CONF.signing.keyfile)<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3<br>
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki<br>
2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign token.<br>
~</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:.2in;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">Does anyone know why this happened?</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:.2in;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">Thanks.<br>
-chen</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">My /etc/keystone/keystone.conf :</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[DEFAULT]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[sql]<br>
connection = mysql://keystone:keystone@host-db/keystone</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[identity]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[credential]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[trust]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[os_inherit]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[catalog]<br>
driver = keystone.catalog.backends.sql.Catalog</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[endpoint_filter]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">[token]<br>
driver = keystone.token.backends.memcache.Token</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[cache]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[policy]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[ec2]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[assignment]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[oauth1]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[ssl]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[signing]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[ldap]</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[auth]<br>
methods = external,password,token,oauth1<br>
password = keystone.auth.plugins.password.Password<br>
token = keystone.auth.plugins.token.Token<br>
oauth1 = keystone.auth.plugins.oauth1.OAuth</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:9.6pt;margin-left:0in;line-height:13.5pt;background:white;max-width:
          45em;orphans: auto;widows: auto;-webkit-text-stroke-width:
          0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:'Courier New',serif;color:#333333">[paste_deploy]</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
</div>
</body>
</html>