[Openstack] securing connection nova to keystone https

gustavo panizzo <gfa> gfa at zumbi.com.ar
Wed May 7 20:46:01 UTC 2014


On 05/07/2014 04:25 PM, Remo Mattei wrote:
> Hello guys, 
> I wonder if anyone has any suggestions on changing from http to https interprocess communication like nova to keystone etc., not for the DASHBOARD.

create a CA for the certs, import the public key of the CA on all the
boxes. it will save you headaches. don't use self-signed certs

i've used EasyRSA to create the CA and its certificates

recreate the endpoints using ssl, some downtime will be needed during
reconfiguration

the CN on the cert must match the hostname in the endpoints

python ssl performance is not great, if you have high traffic you will
need something external (apache, bigip, nginx?) to terminate ssl traffic

> 
> so all the api calls will go over https. 
> 
> Any other suggestions will be welcomed. 
> 
> Thanks


-- 
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
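
Added example, not part of the original post: the checks the reply describes (a private CA trusted by every box, and a certificate name that matches the endpoint hostname), done with plain openssl rather than EasyRSA. The hostnames, file names and function names are constructed for illustration, and a subjectAltName is added alongside the CN because current TLS clients match on it.

```bash
# Added example: private CA plus endpoint/certificate name check with openssl.
# All names and paths here are constructed placeholders, not from the post.

# Build a throwaway CA and a server certificate issued for one hostname.
# $1 = working directory, $2 = hostname used in the endpoint URL
make_ca_and_cert() {
    local dir="$1" host="$2"
    mkdir -p "$dir" || return 1
    # CA certificate: the one file that gets imported on all the boxes.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Private key and signing request for the API host.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Sign with the CA; the SAN carries the same name as the CN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Print the host part of an endpoint URL such as https://host:5000/v2.0
endpoint_host() {
    local url="${1#*://}"        # drop the scheme
    url="${url%%/*}"             # drop the path
    printf '%s\n' "${url%%:*}"   # drop the port
}

# Succeed only if the certificate chains to the CA and is valid for the
# hostname in the endpoint URL. $1 = CA cert, $2 = server cert, $3 = URL
check_endpoint_cert() {
    local host
    host=$(endpoint_host "$3")
    openssl verify -CAfile "$1" -verify_hostname "$host" "$2" >/dev/null 2>&1
}
```

Running `check_endpoint_cert` against each endpoint URL before switching the catalog to https catches a name mismatch while the old endpoints are still in place.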