[Openstack] issue when I using PKI for token format

Li, Chen chen.li at intel.com
Thu Mar 6 05:03:54 UTC 2014


Still not working...

keystone user-list
Authorization Failed: Unable to sign token. (HTTP 500)


Thanks.
-chen


id
uid=0(root) gid=0(root) groups=0(root)

keystone-manage pki_setup  --keystone-user 0 --keystone-group 0

2014-03-06 13:01:19.905 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2014-03-06 13:01:20.171 23316 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.178 23316 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
2014-03-06 13:01:20.199 23316 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2014-03-06 13:01:20.205 23316 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'Unset'
localityName          :ASN.1 12:'Unset'
organizationName      :ASN.1 12:'Unset'
commonName            :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar  3 05:01:20 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated



From: Ali, Haneef [mailto:haneef.ali at hp.com]
Sent: Thursday, March 06, 2014 12:53 PM
To: Li, Chen; Adam Young; openstack at lists.openstack.org
Subject: RE: [Openstack] issue when I using PKI for token format

The user/group are not the user, group created in the keystone. They are unix user and unix group. Just run "id" command in unix and take the user name and group name

Thanks
Haneef
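The point Haneef makes above is the one that trips people up: `--keystone-user` and `--keystone-group` name the unix account that the Keystone daemon runs as, because `pki_setup` chowns the generated certificate and key to them. If the daemon runs as a different unix user it cannot read the signing key, and `openssl cms -sign` fails with exactly the "Unable to sign token" error seen in this thread. The script below is an added example written for this thread (it is not code from the thread or from the Keystone project): it reads the `[signing]` section of `keystone.conf`, falls back to the default paths that the `pki_setup` log in the thread shows, and reports whether each file exists and is readable by a given unix user. The service account name `keystone` and the `certfile`/`keyfile`/`ca_certs` option names are assumptions; `demo_report()` builds a constructed scenario in a temporary directory so the check can be exercised without a real Keystone install.

```python
"""Check that Keystone's PKI signing files are readable by the unix user
the keystone service runs as.  Added example, not from the thread or from
the Keystone project."""
import configparser
import grp
import os
import pwd
import stat
import tempfile

# Default locations, taken from the pki_setup log quoted in the thread.
DEFAULTS = {
    "certfile": "/etc/keystone/ssl/certs/signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/private/signing_key.pem",
    "ca_certs": "/etc/keystone/ssl/certs/ca.pem",
}


def signing_paths(conf_path):
    """Return {name: path} for the [signing] files, applying DEFAULTS."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(conf_path)  # a missing conf file simply yields the defaults
    paths = dict(DEFAULTS)
    if cp.has_section("signing"):
        for key in DEFAULTS:
            if cp.has_option("signing", key):
                paths[key] = cp.get("signing", key)
    return paths


def unix_identity(username):
    """Resolve a unix user name to (uid, {gids}), supplementary groups included."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def readable_by(path, uid, gids):
    """Classic unix mode-bit check: can (uid, gids) read `path`?

    uid 0 is treated as able to read any existing file.  Execute bits on
    parent directories are deliberately not checked here.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_signing_files(paths, uid, gids):
    """Return {name: (path, exists, readable)} for each signing file."""
    return {name: (path, os.path.exists(path), readable_by(path, uid, gids))
            for name, path in paths.items()}


def demo_report():
    """Constructed scenario: key owned by us with mode 0400, cert 0644,
    CA file missing.  Returns reports for our own uid and an unrelated uid."""
    d = tempfile.mkdtemp()
    key = os.path.join(d, "signing_key.pem")
    cert = os.path.join(d, "signing_cert.pem")
    for p, mode in ((key, 0o400), (cert, 0o644)):
        with open(p, "w") as f:
            f.write("constructed placeholder, not a real PEM\n")
        os.chmod(p, mode)
    conf = os.path.join(d, "keystone.conf")
    with open(conf, "w") as f:
        f.write("[signing]\ncertfile = %s\nkeyfile = %s\nca_certs = %s\n"
                % (cert, key, os.path.join(d, "ca.pem")))
    paths = signing_paths(conf)
    mine = check_signing_files(paths, os.getuid(), {os.getgid()})
    other = check_signing_files(paths, os.getuid() + 1, set())
    return mine, other


if __name__ == "__main__":
    import sys
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/keystone/keystone.conf"
    user = sys.argv[2] if len(sys.argv) > 2 else "keystone"  # assumed service account
    uid, gids = unix_identity(user)
    for name, (path, exists, ok) in check_signing_files(signing_paths(conf), uid, gids).items():
        status = "OK" if ok else ("MISSING" if not exists else "NOT READABLE by " + user)
        print("%-9s %-45s %s" % (name, path, status))
```

Run it as `python3 check_pki.py /etc/keystone/keystone.conf keystone` on the Keystone host; any line reported as MISSING or NOT READABLE is a file that `openssl cms -sign` will fail on, which is the first thing to rule out before digging further into the traceback.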

From: Li, Chen [mailto:chen.li at intel.com]
Sent: Wednesday, March 05, 2014 8:22 PM
To: Adam Young; openstack at lists.openstack.org
Subject: Re: [Openstack] issue when I using PKI for token format

I remember something asked me to do this at the very beginning...
But I can't reproduce that anymore.



Anyway, When I run command

        keystone-manage pki_setup

I get :

usage: keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] pki_setup
       [-h] --keystone-user KEYSTONE_USER --keystone-group KEYSTONE_GROUP
keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush] pki_setup: error: argument --keystone-user is required



I changed my ENV to:



        export SERVICE_TOKEN=ADMIN
        export SERVICE_ENDPOINT=http://host-keystone:35357/v2.0



Then run

keystone user-list

+----------------------------------+---------+---------+-------+
|                id                |   name  | enabled | email |
+----------------------------------+---------+---------+-------+
| 618d4218ae584b25a5c0594a6dd1efd4 |  cinder |   True  |       |
| 851c80fe95d64569a701ca0f461e87eb |  glance |   True  |       |
| dad121e464174060a4eb46c5fed019bf |  lichen |   True  |       |
| 958cb6cb788643b79125f1af5d7846d9 | neutron |   True  |       |
| 43ecc4544517446e85ecaca34416244b |   nova  |   True  |       |
+----------------------------------+---------+---------+-------+

keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 044f5ddb818f4b78b9f4aa0e0affd05d | services |   True  |
| 1e57be810f854bcdb73901567140ac48 |   test   |   True  |
+----------------------------------+----------+---------+


Then run

keystone-manage pki_setup  --keystone-user dad121e464174060a4eb46c5fed019bf --keystone-group 1e57be810f854bcdb73901567140ac48

I get :

2014-03-06 12:20:04.841 19854 CRITICAL keystone [-] Unknown user 'dad121e464174060a4eb46c5fed019bf' in --keystone-user


Then run

keystone-manage pki_setup  --keystone-user lichen --keystone-group 1e57be810f854bcdb73901567140ac48

I get :

2014-03-06 12:20:59.792 20029 CRITICAL keystone [-] Unknown user 'lichen' in --keystone-user


Then run

keystone-manage pki_setup  --keystone-user lichen --keystone-group test

I get :

2014-03-06 12:21:24.603 20113 CRITICAL keystone [-] Unknown user 'lichen' in --keystone-user

I don't know how to run the command anymore.....

Thanks.
-chen




From: Adam Young [mailto:ayoung at redhat.com]
Sent: Thursday, March 06, 2014 11:56 AM
To: openstack at lists.openstack.org
Subject: Re: [Openstack] issue when I using PKI for token format

On 03/05/2014 08:59 PM, Li, Chen wrote:

Hi,

I'm working under CentOS 6.4 + Havana, my keystone version is:
          openstack-keystone.noarch 2013.2.2-1.el6 @openstack-havana

When I run command "keystone user-list", I get error:
         Authorization Failed: Unable to sign token. (HTTP 500)

I can get error information in both "keystone-startup.log" and "keystone.log":
Did you run keystone-manage pki_setup?  Problem is something with your certificates.

2014-03-06 09:31:29.999 18693 ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
2014-03-06 09:31:29.999 18693 ERROR keystone.token.providers.pki [-] Unable to sign token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki Traceback (most recent call last):
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/token/providers/pki.py", line 39, in _get_token_id
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CONF.signing.keyfile)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 144, in cms_sign_token
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki output = cms_sign_text(text, signing_cert_file_name, signing_key_file_name)
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki File "/usr/lib/python2.6/site-packages/keystone/common/cms.py", line 139, in cms_sign_text
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki raise environment.subprocess.CalledProcessError(retcode, "openssl")
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki CalledProcessError: Command 'openssl' returned non-zero exit status 3
2014-03-06 09:31:29.999 18693 TRACE keystone.token.providers.pki
2014-03-06 09:31:30.000 18693 WARNING keystone.common.wsgi [-] Unable to sign token.

Anyone know why this happened ???

Thanks.
-chen



My /etc/keystone/keystone.conf :

[DEFAULT]

[sql]
connection = mysql://keystone:keystone@host-db/keystone

[identity]

[credential]

[trust]

[os_inherit]

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[endpoint_filter]

[token]
driver = keystone.token.backends.memcache.Token

[cache]

[policy]

[ec2]

[assignment]

[oauth1]

[ssl]

[signing]

[ldap]

[auth]
methods = external,password,token,oauth1
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

[paste_deploy]


