<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Courier New \;color\:\#333333";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks !<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">But, I still get error when I run command:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">keystone user-list<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Authorization Failed: Unable to sign token. (HTTP 500)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Message in /var/log/keystone/keystone.log:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI
with 'keystone-manage pki_setup'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py",
line 39, in _get_token_id<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CONF.signing.keyfile)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py",
line 144, in cms_sign_token<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py",
line 139, in cms_sign_text<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status
3<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I already run command:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">id<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="color:#1F497D">uid=0(root) gid=0(root) groups=0(root)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">keystone-manage pki_setup --keystone-user 0 --keystone-group 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Generating RSA private key, 2048 bit long modulus<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">..................................................................................................................................................+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">.......................................+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">e is 65537 (0x10001)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days
3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Generating RSA private key, 2048 bit long modulus<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">........+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">..+++<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">e is 65537 (0x10001)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf
-subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d
-cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Using configuration from /etc/keystone/ssl/certs/openssl.conf<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Check that the request matches the signature<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Signature ok<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">The Subject's Distinguished Name is as follows<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">countryName :PRINTABLE:'US'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">stateOrProvinceName :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">localityName :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">organizationName :ASN.1 12:'Unset'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">commonName :ASN.1 12:'www.example.com'<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Certificate is to be certified until Mar 3 05:01:20 2024 GMT (3650 days)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Write out database with 1 new entries<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Data Base Updated<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Adam Young [mailto:ayoung@redhat.com]
<br>
<b>Sent:</b> Friday, March 07, 2014 3:01 AM<br>
<b>To:</b> openstack@lists.openstack.org<br>
<b>Subject:</b> Re: [Openstack] issue when I using pki as the token provider<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 03/05/2014 08:58 PM, Li, Chen wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">provider = keystone.token.providers.pki</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal">That needs to be the full path to the class.<br>
<br>
keystone.token.providers.pki.Provider<o:p></o:p></p>
</div>
</body>
</html>