[openstack-dev] Keystone Apache2 Installation Question

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Thu Oct 10 00:17:42 UTC 2013 

Hi Kevin,

It has been awhile, but here are some notes I took.

Regards,

Mark Miller

---------------------------------

Keystone Apache2 frontend Installation and Configuration

Instructions below are based off of documentation/examples from URL https://keystone-voms.readthedocs.org/en/latest/requirements.html
Install Apache2 WSGI with mod_ssl enabled. To do so, install the packages, and enable the relevant modules:
sudo apt-get install apache2 libapache2-mod-wsgi 
sudo a2enmod ssl
sudo ufw disable  #Note: not sure if need to  disable firewall

Then configure your Apache server to use CA certificates. If you have some installed in the default location, enable the default-ssl site (a2ensite default-ssl) and modify its configuration file (normally in /etc/apache2/sites-enabled/default-ssl). If not, create configuration file "/etc/apache2/sites-enabled/keystone" for your keystone installation. 
Note: I created file "/etc/apache2/sites-enabled/keystone" shown below. 
Example:
WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10

Listen 5000
<VirtualHost _default_:5000>
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apache.cert
    SSLCertificateKeyFile /etc/ssl/private/apache.key

    SSLCACertificatePath /etc/ssl/certs
    SSLCARevocationPath /etc/ssl/certs
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLOptions +StdEnvVars +ExportCertData

    WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/main
    WSGIProcessGroup keystone
</VirtualHost>

Listen 35357
<VirtualHost _default_:35357>
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apache.cert
    SSLCertificateKeyFile /etc/ssl/private/apache.key


    SSLCACertificatePath /etc/ssl/certs
    SSLCARevocationPath /etc/ssl/certs
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLOptions +StdEnvVars +ExportCertData

    WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
    WSGIProcessGroup keystone
</VirtualHost> 

Note1: By changing settings in this file you can turn on and off the Apache2-SSL frontend to Keystone (variable SSL_Engine).
Note2: The "[ssl]" section of file "keystone.conf" needs to match this file in that if SSL is turned on in one of them, then it needs to be turned on in the other. 
To run keystone as a WSGI app, copy file "keystone.py" to the correct location and create links to it.
sudo mkdir -p /usr/lib/cgi-bin/keystone
sudo cp /<path>/keystone-2013.2.b2/httpd/keystone.py /usr/lib/cgi-bin/keystone/keystone.py
sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/main
sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/admin

If the keystone service is running, shut it down. The Apache2 service will now start up as many instances of keystone as are specified on the first line of file "/etc/apache2/sites-enabled/keystone".
sudo service keystone stop

Adjust the "keystone.py" file to point to your keystone configuration file "if" it is not in the default location (i.e. "/etc/keystone/keystone.conf"). 
Note: I did not make any changes to file keystone.py.
Add variable OPENSSL_ALLOW_PROXY_CERTS to your Apache2 environment file "/etc/apache2/ envvars" so that X.509 proxy certificates are accepted by OpenSSL.
export OPENSSL_ALLOW_PROXY_CERTS=1

If you don't have server certificates for your Apache2 server, generate your own self-signed certificates following instructions from URL:
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04 
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.cert
When prompted, use the name of your server for the common name.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Corvallis
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hewlett-Packard
Organizational Unit Name (eg, section) []:CloudOS
Common Name (e.g. server FQDN or YOUR name) []:havanatest
Email Address []:mark.m.miller at hp.com

Add the server name to your "/etc/hosts" file. 
127.0.1.1       havanatest

Add the full IP address and server name to your REST client computer's "/etc/hosts" file. The name in the REST client URL must match the name of the server/common-name found in the certificate. 
15.253.57.66	havanatest 

I ran into a problem with the Apache2 server startup because it was not able to reliably determine my test server's fully qualified domain name. Following instructions from the following URL allowed me to bypass this issue by adding the server name to file "/etc/apache2/httpd.conf".

http://aslamnajeebdeen.com/blog/how-to-fix-apache-could-not-reliably-determine-the-servers-fully-qualified-domain-name-using-127011-for-servername-error-on-ubuntu 

Example:
servername havanatest

Finally, restart the Apache2 service and check to see that apache2 and keystone are running.

sudo service apache2 restart

ps -ef | grep apache2
root      4463     1  1 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  4464  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4468  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4469  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4470  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  4471  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  4472  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
root      4564  2483  0 10:41 pts/2    00:00:00 grep --color=auto apache2

ps -ef | grep keystone
keystone  4468  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4469  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4470  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
root      4566  2483  0 10:42 pts/2    00:00:00 grep --color=auto keystone

With the above configuration and assuming that the Keystone host is "havanatest", the Keystone endpoint URLs will be as follow:
*	https:// havanatest:5000/v3
*	https:// havanatest:35357/v3




> -----Original Message-----
> From: Fox, Kevin M [mailto:kevin.fox at pnnl.gov]
> Sent: Wednesday, October 09, 2013 4:59 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> I've just started playing around with Keystone under Apache. I have
> managed to get it embedded now and all services talking to it.
> 
> Now, I'm trying to get it to do apache authentication. The documentation
> states that it should honor REMOTE_USER if its present.
> 
> The default wsgi-keystone.conf has this in it:
> <Location "/keystone">
>  NSSRequireSSL
>  Authtype none
> </Location>
> 
> Which Locations do you put Apache auth plugins on? Putting it on all of
> /keystone seems wrong. I tried putting it only on <Location
> "/keystone/main/v2.0/tokens"> and that didn't work either...
> 
> Looking at the token api, it doesn't look like it does basic auth at all, expecting
> the username/password to be passed through a json document? So perhaps
> what I am trying to do will never work? Do I have to set some flag to get
> python-keystoneclient/Dashboard to pass the username/password as
> basicauth instead of in a json form?
> 
> Thanks,
> Kevin
> 
> 
> 
> ________________________________________
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> [mark.m.miller at hp.com]
> Sent: Monday, August 12, 2013 4:17 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> Progress: Got Keystone working under Apache2 with HTTP based on the
> following 2 URLs . HTTPS is the next.
> 
> https://keystone-voms.readthedocs.org/en/latest/requirements.html
> https://www.digitalocean.com/community/articles/how-to-create-a-ssl-
> certificate-on-apache-for-ubuntu-12-04
> 
> Mark
> 
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Sent: Monday, August 12, 2013 3:10 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> Looks like I may be ahead of the game. It doesn't look like this blueprint has
> been started yet. Am I correct?
> 
> https://blueprints.launchpad.net/devstack/+spec/devstack-setup-apache-
> keystone
> 
> A very valuable feature of Keystone is to configure it to leverage apache as
> its front end. As a means of demonstrating how this works, and to facilitate
> automated testing of this configuration in the future, support to devstack will
> be added to enable it to optionally install and configure keystone using
> apache as it front end. The design approach used will be that described in the
> keystone docs:
> https://github.com/openstack/keystone/blob/master/doc/source/apache-
> httpd.rst
> Thanks,
> 
> Mark
> 
> 
> 
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Sent: Monday, August 12, 2013 1:45 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> The commands/libraries  do not exist for Ubuntu, Keystone no longer starts
> up, directories between the sets of documents do not match, ...
> 
> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
> Sent: Monday, August 12, 2013 1:41 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> What problem(s) are you running into when following the above
> documentation / examples?
> 
> On Mon, Aug 12, 2013 at 3:32 PM, Miller, Mark M (EB SW Cloud - R&D -
> Corvallis) <mark.m.miller at hp.com<mailto:mark.m.miller at hp.com>> wrote:
> Hello,
> 
> I am looking for documentation on how to install/configure Apache2 as the
> Keystone front end for "Ubuntu 12.04". I have found various documentation
> snippets for a variety of applications and operating systems, but nothing for
> Ubuntu. Any pointers would greatly be appreciated. I have been trying to
> piece the installation/configuration from the following URLs but have yet to
> be successful.
> 
> http://docs.openstack.org/developer/keystone/apache-
> httpd.html#keystone-configuration
> https://keystone-voms.readthedocs.org/en/latest/requirements.html
> https://github.com/enovance/keystone-wsgi-
> apache/blob/master/provision.sh
> http://adam.younglogic.com/2012/04/keystone-httpd/
> 
> Regards,
> 
> Mark
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org<mailto:OpenStack-
> dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> --
> 
> -Dolph
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list