[openstack-dev] Keystone TLS Question
Jamie Lennox
jamielennox at redhat.com
Sat Oct 26 04:09:12 UTC 2013
Yes, keystone can run under SSL using the eventlet server. Look for the ssl section in keystone.conf
https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L296
You'll want to set enabled, certfile and keyfile; from memory, ca_certs is to do with client side certs.
Jamie
----- Original Message -----
> From: "Mark M Miller (EB SW Cloud - R&D - Corvallis)" <mark.m.miller at hp.com>
> To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>
> Sent: Saturday, 26 October, 2013 4:31:09 AM
> Subject: Re: [openstack-dev] Keystone TLS Question
>
> Hello again,
>
> It looks to me that TLS is automatically supported by Keystone Havana. I
> performed the following curl call and it seems to indicate that Keystone is
> using TLS. Can anyone validate that Keystone Havana does or does not support
> TLS?
>
> Thanks,
>
> Mark
>
> root at build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone# curl -v --insecure
> https://15.253.58.165:35357/v2.0/certificates/signing
>
> * About to connect() to 15.253.58.165 port 35357 (#0)
> * Trying 15.253.58.165... connected
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> * subject: C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone;
> emailAddress=keystone at openstack.org; CN=Keystone
> * start date: 2013-03-15 01:44:55 GMT
> * expire date: 2013-03-15 01:44:55 GMT
> * common name: Keystone (does not match '15.253.58.165')
> * issuer: serialNumber=5; C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone;
> emailAddress=keystone at openstack.org; CN=Self Signed
> * SSL certificate verify result: unable to get local issuer certificate (20),
> continuing anyway.
> > GET /v2.0/certificates/signing HTTP/1.1
> > User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1
> > zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: 15.253.58.165:35357
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Content-Type: text/html; charset=UTF-8
> < Content-Length: 973
> < Date: Fri, 25 Oct 2013 18:27:52 GMT
> <
> -----BEGIN CERTIFICATE-----
> MIICoDCCAgkCAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
> BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
> EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
> ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
> …
> 3S9E696tVhWqc+HAW91KgZcIwAgQrxWeC0x5O76Q3MGrxvWwyMHPlsxyL4H67AnI
> wq8zJxOFtzvP8rVWrQ3PnzBozXKuU3VLPqAsDI4nDxjqFpVf3LYCFDRueS2EI5xc
> 5/rt9g==
> -----END CERTIFICATE-----
> * Connection #0 to host 15.253.58.165 left intact
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> root at build-HP-Compaq-6005-Pro-SFF-PC:/etc/keystone#
>
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Sent: Friday, October 25, 2013 8:58 AM
> To: OpenStack Development Mailing List
> Subject: [openstack-dev] Keystone TLS Question
>
> Hello,
>
> Is there any direct TLS support by Keystone other than using the Apache2
> front end?
>
> Mark
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
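As an added example (not code from this thread, from Keystone, or from either poster), the Python script below does the two checks a practitioner would want around the exchange above: it lints the keystone.conf `[ssl]` section Jamie points at (enable, certfile and keyfile must be set and present; ca_certs only matters once client certificates are required), and it reads the certificate lines of a `curl -v` probe like Mark's and turns the hints curl prints (common name not matching the host, chain not verified under `--insecure`, expiry) into findings. Assumptions: the `[ssl]` key names `enable`, `certfile`, `keyfile`, `ca_certs` and `cert_required` are those of keystone.conf.sample, where the switch is spelled `enable`; the two config texts and the clean probe are constructed sample input; the `check_ssl_section` and `check_curl_probe` names are mine.

```python
"""Pre-flight checks for Keystone's eventlet TLS listener (added example)."""
import configparser
import os
import re
from datetime import datetime, timezone

# Constructed [ssl] sections (not from the thread). Key names follow the
# keystone.conf.sample [ssl] group, where the on/off switch is spelled "enable".
WEAK_CONF = """
[ssl]
enable = False
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
cert_required = True
"""

HARDENED_CONF = """
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
# ca_certs is only consulted once cert_required asks clients for certificates
cert_required = False
"""


def check_ssl_section(conf_text, path_exists=os.path.exists):
    """Lint the [ssl] section; an empty list means the listener can come up with TLS."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    findings = []
    if not cp.has_section("ssl"):
        return ["no [ssl] section: the eventlet listener will stay plaintext"]
    ssl = cp["ssl"]
    if not ssl.getboolean("enable", fallback=False):
        findings.append("ssl.enable is not True: the listener will stay plaintext")
    for key in ("certfile", "keyfile"):          # server identity; both are mandatory
        path = ssl.get(key)
        if not path:
            findings.append(f"ssl.{key} is unset")
        elif not path_exists(path):
            findings.append(f"ssl.{key} points at a missing file: {path}")
    if ssl.getboolean("cert_required", fallback=False):   # client certs requested
        ca = ssl.get("ca_certs")
        if not ca:
            findings.append("cert_required=True but ca_certs is unset: no CA to verify client certs")
        elif not path_exists(ca):
            findings.append(f"ssl.ca_certs points at a missing file: {ca}")
    return findings


# Certificate lines as curl printed them in the thread (blank lines and the
# HTTP exchange dropped), plus a constructed probe of a correctly set-up listener.
THREAD_PROBE = """\
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone; CN=Keystone
* start date: 2013-03-15 01:44:55 GMT
* expire date: 2013-03-15 01:44:55 GMT
* common name: Keystone (does not match '15.253.58.165')
* issuer: serialNumber=5; C=US; ST=CA; L=Sunnyvale; O=OpenStack; OU=Keystone; CN=Self Signed
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""

CLEAN_PROBE = """\
* SSL connection using AES256-SHA
* Server certificate:
* subject: CN=keystone.example.com
* start date: 2013-10-01 00:00:00 GMT
* expire date: 2014-10-01 00:00:00 GMT
* common name: keystone.example.com (matched)
* issuer: CN=Example Internal CA
* SSL certificate verify ok.
"""

DATE_FMT = "%Y-%m-%d %H:%M:%S GMT"
THREAD_DATE = datetime(2013, 10, 25, tzinfo=timezone.utc)   # when the probe was run


def check_curl_probe(log_text, now):
    """Turn the certificate lines of `curl -v` output into findings; `now` is UTC."""
    findings = []
    dates = {}
    for line in log_text.splitlines():
        body = line.lstrip("* ").strip()
        m = re.match(r"(start|expire) date: (.+)$", body)
        if m:
            dates[m.group(1)] = datetime.strptime(m.group(2), DATE_FMT).replace(tzinfo=timezone.utc)
            continue
        m = re.match(r"common name: (.+?) \(does not match '([^']+)'\)", body)
        if m:   # a client that verifies names would refuse this connection
            findings.append(f"hostname mismatch: certificate names {m.group(1)!r}, "
                            f"client connected to {m.group(2)!r}")
            continue
        m = re.match(r"SSL certificate verify result: (.+?) \((\d+)\)", body)
        if m and m.group(2) != "0":   # non-zero OpenSSL verify code: chain not trusted
            findings.append(f"chain not verified: {m.group(1)} "
                            "(curl went on only because --insecure was given)")
    if "start" in dates and "expire" in dates and dates["expire"] <= dates["start"]:
        findings.append("expire date is not after start date")
    if "expire" in dates and dates["expire"] <= now:
        findings.append(f"certificate expired at {dates['expire']:%Y-%m-%d %H:%M:%S} UTC")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_ssl_section(conf, path_exists=lambda p: True) or "ok")
    print("thread probe:", check_curl_probe(THREAD_PROBE, THREAD_DATE))
    print("clean probe:", check_curl_probe(CLEAN_PROBE, THREAD_DATE) or "ok")
```

Run against Mark's own output, the probe check reports all four things worth fixing before a real client talks to this endpoint: the certificate's common name is not the address clients use, the chain does not verify because no CA file was given, and the start and expiry dates are identical, so the certificate is already out of its validity window. The `path_exists` parameter defaults to `os.path.exists` on the host; it is injectable so the config check can be exercised without those files present.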