
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

<meta name="Generator" content="Microsoft Word 14 (filtered medium)">

<style><!--

/* Font Definitions */

@font-face

        {font-family:SimSun;

        panose-1:2 1 6 0 3 1 1 1 1 1;}

@font-face

        {font-family:SimSun;

        panose-1:2 1 6 0 3 1 1 1 1 1;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

@font-face

        {font-family:"\@SimSun";

        panose-1:2 1 6 0 3 1 1 1 1 1;}

@font-face

        {font-family:"Courier New \;color\:\#333333";

        panose-1:0 0 0 0 0 0 0 0 0 0;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman","serif";

        color:black;}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

span.EmailStyle17

        {mso-style-type:personal-reply;

        font-family:"Calibri","sans-serif";

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-size:10.0pt;}

@page WordSection1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.WordSection1

        {page:WordSection1;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

</head>

<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">

<div class="WordSection1">

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks !<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">But, I still get error when I run command:<o:p></o:p></span></p>

<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">keystone user-list<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Authorization Failed: Unable to sign token. (HTTP 500)<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Message in /var/log/keystone/keystone.log:<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.659 20794 INFO keystone.common.environment [-] Environment configured as: eventlet<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.929 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:39.930 20794 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:40.783 20817 INFO keystone.common.environment [-] Environment configured as: eventlet<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:41.053 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:35357<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:41.054 20817 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on 0.0.0.0:5000<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI

 with 'keystone-manage pki_setup'<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 ERROR keystone.token.providers.pki [-] Unable to sign token<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki Traceback (most recent call last):<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py",

 line 39, in _get_token_id<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     CONF.signing.keyfile)<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py",

 line 144, in cms_sign_token<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki   File "/usr/lib/python2.6/site-packages/keystone/common/cms.py",

 line 139, in cms_sign_text<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki     raise environment.subprocess.CalledProcessError(retcode, "openssl")<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status

 3<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.802 20817 TRACE keystone.token.providers.pki<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2014-03-07 09:09:51.832 20817 WARNING keystone.common.wsgi [-] Unable to sign token.        

<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I already run command:<o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">id<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in"><span style="color:#1F497D">uid=0(root) gid=0(root) groups=0(root)<o:p></o:p></span></p>

<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">keystone-manage pki_setup  --keystone-user 0 --keystone-group 0<o:p></o:p></span></p>

<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Generating RSA private key, 2048 bit long modulus<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">..................................................................................................................................................+++<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">.......................................+++<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">e is 65537 (0x10001)<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days

 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Generating RSA private key, 2048 bit long modulus<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">........+++<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">..+++<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">e is 65537 (0x10001)<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf

 -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d

 -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Using configuration from /etc/keystone/ssl/certs/openssl.conf<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Check that the request matches the signature<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Signature ok<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">The Subject's Distinguished Name is as follows<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">countryName           :PRINTABLE:'US'<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">stateOrProvinceName   :ASN.1 12:'Unset'<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">localityName          :ASN.1 12:'Unset'<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">organizationName      :ASN.1 12:'Unset'<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">commonName            :ASN.1 12:'www.example.com'<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Certificate is to be certified until Mar  3 05:01:20 2024 GMT (3650 days)<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Write out database with 1 new entries<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Data Base Updated<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>

<div>

<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Adam Young [mailto:ayoung@redhat.com]

<br>

<b>Sent:</b> Friday, March 07, 2014 3:01 AM<br>

<b>To:</b> openstack@lists.openstack.org<br>

<b>Subject:</b> Re: [Openstack] issue when I using pki as the token provider<o:p></o:p></span></p>

</div>

</div>

<p class="MsoNormal"><o:p> </o:p></p>

<div>

<p class="MsoNormal">On 03/05/2014 08:58 PM, Li, Chen wrote:<o:p></o:p></p>

</div>

<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">

<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New ;color:#333333","serif"">provider = keystone.token.providers.pki</span><o:p></o:p></p>

</blockquote>

<p class="MsoNormal">That needs to be the full path to the class.<br>

<br>

 keystone.token.providers.pki.Provider<o:p></o:p></p>

</div>

</body>

</html>