<div dir="ltr">Thank you so much Mark for your helpful inputs.<div><br></div><div>Regards,</div><div>Devendra<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 3:26 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <span dir="ltr"><<a href="mailto:mark.m.miller@hp.com" target="_blank">mark.m.miller@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Devendra,<br>
<br>
We are now using an SSL terminator solution instead of attempting to turn SSL on all of the OpenStack services. I have not attempted to turn SSL on Havana or Icehouse builds, but the Grizzly base was pretty flaky. Right now the TripleO work is using the "stunnel" proxy server in front of all OpenStack services to terminate SSL. You can then proxy the incoming HTTPS request onto the local 127.0.0.1/8 bus which is inaccessible from outside your server. It also isolates the SSL terminator from the OpenStack service processes.<br>
<span class="HOEnZb"><font color="#888888"><br>
Mark<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
-----Original Message-----<br>
From: Devendra Gupta [mailto:<a href="mailto:dev29aug@gmail.com">dev29aug@gmail.com</a>]<br>
Sent: Monday, April 14, 2014 2:30 PM<br>
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); <a href="mailto:ayoung@redhat.com">ayoung@redhat.com</a><br>
Cc: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi<br>
<br>
Hi,<br>
<br>
I want to enable SSL for all the OpenStack APIs and test it, but I couldn't find a detailed doc on <a href="http://docs.openstack.org" target="_blank">docs.openstack.org</a>. Does anyone have some notes on how to set this up?<br>
<br>
I did a good search around it on Google and the OpenStack/RDO mailing list. I found lots of different paths, but most of them were limited to Keystone only, using 'keystone-manage ssl_setup'. I also found the following nice blog, which has 6 posts for setting up SSL for all the components using Apache2 and mod_wsgi.<br>
<br>
<a href="http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keystone/" target="_blank">http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keystone/</a><br>
<br>
I want to go through this doc to do a complete setup, but before that I wanted to get a few inputs about my environment:<br>
<br>
1. I have OpenStack RDO Havana running on a single CentOS 6 VM. Is it fine to try the steps on an OpenStack RDO/Havana setup? Or do I need to have an OpenStack setup on Ubuntu/Grizzly?<br>
<br>
2. Since all the OpenStack components are running on the same host, I guess I need to add VHost entries for all the APIs (mentioned in all 6 docs) in the /etc/httpd/conf/http.conf. Please help me if someone has a sample VHost file with sites created for some/all components.<br>
<br>
3. Can I have a single set of self-signed certificate paths for all the Virtual Host entries, as all APIs are running on the single VM?<br>
SSLCertificateFile /location/of/server.pem<br>
SSLCertificateKeyFile /location/of/server.key<br>
<br>
Another thing: the Keystone configuration part in this blog has a reference to the GitHub page (<a href="http://goo.gl/ZIhcn2" target="_blank">http://goo.gl/ZIhcn2</a>) for configuring Keystone with SSL, but I find that doc a little difficult to understand as there are no details on configuring virtual hosts, so can I skip the GitHub doc and proceed with the same blog?<br>
<br>
Regards,<br>
Devendra Gupta<br>
</div></div></blockquote></div><br></div></div></div>
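The terminator layout described in Mark's reply (stunnel accepts HTTPS and forwards to the 127.0.0.1/8 loopback range) can be checked from the stunnel configuration itself. This is an added example, not code from the thread or from TripleO; the service names, addresses, ports and file paths in the sample are constructed assumptions.

```python
import configparser
import ipaddress

# Constructed sample stunnel.conf; names, addresses, ports and paths are assumptions.
SAMPLE_CONF = """\
[keystone]
accept = 192.0.2.10:5000
connect = 127.0.0.1:5000
cert = /etc/stunnel/server.pem

[nova-api]
accept = 192.0.2.10:8774
connect = 10.0.0.5:8774
cert = /etc/stunnel/server.pem

[glance-api]
accept = 192.0.2.10:9292
connect = 9292
"""

def host_of(value, default="localhost"):
    """stunnel addresses are [host:]port; a bare port in connect means localhost."""
    host, _, _port = value.strip().rpartition(":")
    return host or default

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # all of 127.0.0.0/8 and ::1
    except ValueError:
        return False  # other hostnames are not provably loopback

def audit(conf_text):
    """Return (service, issue) pairs for sections that break the terminator layout."""
    parser = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    parser.read_string("[__global__]\n" + conf_text)  # stunnel globals have no header
    findings = []
    for name in parser.sections():
        if name == "__global__":
            continue
        svc = parser[name]
        if "connect" in svc and not is_loopback(host_of(svc["connect"])):
            findings.append((name, "backend-not-loopback"))  # plaintext leaves the host
        if "cert" not in svc and "cert" not in parser["__global__"]:
            findings.append((name, "no-cert"))  # server mode needs a certificate
    return findings

if __name__ == "__main__":
    for service, issue in audit(SAMPLE_CONF):
        print(f"{service}: {issue}")
```

A `backend-not-loopback` finding means the decrypted request would travel over a routable interface, which defeats the isolation the loopback hop is meant to provide.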