<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Courier New \;color\:\#333333";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";
        color:black;}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";
        color:black;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D">[signing]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D">#certfile = /etc/keystone/ssl/certs/signing_cert.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D">#keyfile = /etc/keystone/ssl/private/signing_key.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D">#ca_certs = /etc/keystone/ssl/certs/ca.pem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D">These are the default configuration file locations. keystone-manage pki_setup would have generated those files at that location. Check whether the files are there in that location; if not, adjust the config settings to the correct path. Also make sure those files are readable by the keystone process.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D">Haneef<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif";color:#1F497D">PS:  You can also look at your question at ask.openstack.org where I have replied<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Li, Chen [mailto:chen.li@intel.com]
<br>
<b>Sent:</b> Thursday, March 06, 2014 5:12 PM<br>
<b>To:</b> Adam Young; openstack@lists.openstack.org<br>
<b>Subject:</b> Re: [Openstack] issue when I using pki as the token provider<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">But I still get an error when I run the command:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">keystone user-list<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Authorization Failed: Unable to sign token. (HTTP 500)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Message in /var/log/keystone/keystone.log:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI
 with 'keystone-manage pki_setup'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py",
 line 39, in _get_token_id<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     CONF.signing.keyfile)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py",
 line 144, in cms_sign_token<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py",
 line 139, in cms_sign_text<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     raise environment.subprocess.CalledProcessError(retcode, "openssl")<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status
 3<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.        
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I already ran the command:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">id<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="color:#1F497D">uid=0(root) gid=0(root) groups=0(root)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">keystone-manage pki_setup  --keystone-user 0 --keystone-group 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Generating RSA private key, 2048 bit long modulus<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">..................................................................................................................................................+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">.......................................+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">e is 65537 (0x10001)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days
 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Generating RSA private key, 2048 bit long modulus<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">........+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">..+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">e is 65537 (0x10001)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf
 -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d
 -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Using configuration from /etc/keystone/ssl/certs/openssl.conf<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Check that the request matches the signature<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Signature ok<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">The Subject's Distinguished Name is as follows<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">countryName           :PRINTABLE:'US'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">stateOrProvinceName   :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">localityName          :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">organizationName      :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">commonName            :ASN.1 12:'www.example.com'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Certificate is to be certified until Mar  3 05:01:20 2024 GMT (3650 days)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Write out database with 1 new entries<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Data Base Updated<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Adam Young [<a href="mailto:ayoung@redhat.com">mailto:ayoung@redhat.com</a>]
<br>
<b>Sent:</b> Friday, March 07, 2014 3:01 AM<br>
<b>To:</b> <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack] issue when I using pki as the token provider<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 03/05/2014 08:58 PM, Li, Chen wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">provider = keystone.token.providers.pki</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal">That needs to be the full path to the class.<br>
<br>
 keystone.token.providers.pki.Provider<o:p></o:p></p>
</div>
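<p class="MsoNormal">Added example (not part of the thread and not Keystone's own code): one way to carry out the check suggested earlier in this thread, that the [signing] files exist and are readable by the keystone process, evaluated for the service account rather than for the root shell that ran pki_setup. The account name "keystone", the path /etc/keystone/keystone.conf and all function names are assumptions; only classic mode bits are considered, not ACLs or SELinux.</p>
<pre>
```python
import configparser
import os

# Defaults shown (commented out) in the [signing] section quoted in this thread.
SIGNING_DEFAULTS = {
    "certfile": "/etc/keystone/ssl/certs/signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/private/signing_key.pem",
    "ca_certs": "/etc/keystone/ssl/certs/ca.pem",
}
READ, SEARCH = 4, 1  # permission bits in the "other" position


def permits(st, uid, gids, want):
    """Apply the owner/group/other mode-bit rule for an account (ACLs, SELinux ignored)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & (want << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (want << 3))
    return bool(st.st_mode & want)


def check_path(path, uid, gids):
    """Return 'ok' or the reason the account cannot open path for reading."""
    if not os.path.isfile(path):
        return "missing"
    parent = os.path.dirname(os.path.abspath(path))
    while True:  # every directory above the file must be searchable
        if not permits(os.stat(parent), uid, gids, SEARCH):
            return "cannot traverse " + parent
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return "ok" if permits(os.stat(path), uid, gids, READ) else "not readable"


def signing_paths(conf_file):
    """Read [signing], using the default for any option that is absent or commented out."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(conf_file)
    return {k: cp.get("signing", k, fallback=d) for k, d in SIGNING_DEFAULTS.items()}


def audit(conf_file, uid, gids):
    """Map each [signing] option to (path, verdict) for the account Keystone runs as."""
    return {k: (p, check_path(p, uid, gids)) for k, p in signing_paths(conf_file).items()}


if __name__ == "__main__":
    import pwd  # the service account name "keystone" is an assumption
    acct = pwd.getpwnam("keystone")
    gids = {acct.pw_gid} | set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    for opt, (path, verdict) in audit("/etc/keystone/keystone.conf", acct.pw_uid, gids).items():
        print(opt, path, verdict)
```
</pre>
<p class="MsoNormal">Run it as root so that every path can be inspected; any verdict other than "ok" names the file or directory whose ownership or mode the service account cannot get past.</p>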
</body>
</html>