[Openstack-security] Enabling SSL/HTTPS for REST API

Hassan Shaik hshaik at gmail.com
Thu Nov 14 08:35:15 UTC 2013


Thanks Bryan & Nathan for your replies.

Bryan,
1. Does this mean SSL support is not present for the nova/glance API directly?
2. Also, do we need to make use of an SSL proxy terminator along with enabling
SSL in the keystone service (which seems to have SSL functionality implemented
for this service)?
3. From the given link, I see the virtual host entries for ports 80 (Dashboard)
and 8447 (nova compute). Do we need to add entries for the other endpoint
URLs (excluding the keystone service) as well?



Regards,
Hassan


On Wed, Nov 13, 2013 at 10:00 PM, Bryan D. Payne <bdpayne at acm.org> wrote:

> Hassan,
>
> In a production setting, the preferred way to do this is with an SSL
> terminator.  There are some details in the OpenStack Security Guide:
>
> http://docs.openstack.org/security-guide/content/ch020_ssl-everywhere.html
>
> Cheers,
> -bryan
>
>
>
>
> On Wed, Nov 13, 2013 at 5:59 PM, Hassan Shaik <hshaik at gmail.com> wrote:
>
>> Hello Openstack security experts,
>>
>> I am trying to enable SSL/HTTPS in the OpenStack REST API for all services
>> (nova/glance endpoint URLs). However, I see documentation for enabling SSL
>> on the keystone service alone.
>>
>>
>> http://docs.openstack.org/grizzly/openstack-compute/admin/content//keystone-ssl.html
>> http://docs.openstack.org/developer/keystone/configuration.html
>>
>> 1. Am I missing something? Is SSL/HTTPS supported for nova/glance API too?
>> 2. Also, when I try to enable SSL in the keystone service, all nova/glance
>> CLIs fail to work after the change. And the debug output shows it is trying
>> to make use of http even after enabling SSL.
>>
>> # nova --debug list
>>
>> REQ: curl -i *http*://openstack-ip:5000/v2.0/tokens -X POST -H
>> "Content-Type: application/json" -H "Accept: application/json" -H
>> "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin",
>> "passwordCredentials": {"username": "admin", "password": "admin_pass"}}}'
>>
>> Appreciate your help.
>>
>> Thanks,
>> Hassan