[Openstack] securing connection nova to keystone https

Rob Crittenden rcritten at redhat.com
Wed May 7 21:22:57 UTC 2014


gustavo panizzo <gfa> wrote:
> On 05/07/2014 04:25 PM, Remo Mattei wrote:
>> Hello guys,
>> I wonder if anyone has any suggestions on changing from http to https for interprocess communication like nova to keystone etc., not for the DASHBOARD.
> Create a CA for the certs, import the public key of the CA on all the
> boxes. It will save you headaches. Don't use self-signed certs.
>
> I've used EasyRSA to create the CA and its certificates.
>
> Re-create the endpoints using SSL; some downtime will be needed during
> reconfiguration.
>
> The CN on the cert must match the hostname in the endpoints.
>
> Python SSL performance is not great; if you have high traffic you will
> need something external (Apache, BIG-IP, nginx?) to terminate SSL traffic.

stud seems to be widely used as well.

You'll need to change a slew of configuration files as well to point to 
the new endpoint.

In the conf file for most services you'll need something like:

[keystone_authtoken]
...
cafile = /path/to/cacert.pem
auth_protocol = https
auth_port = 35357
auth_host = fqdn.example.com

Some also have an auth_uri.

auth_uri = https://fqdn.example.com:5000/v2.0

rob
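Two things in this thread are easy to get wrong silently: the [keystone_authtoken] values end up inconsistent (https in one option, http in another, cafile left empty), and the certificate presented by the keystone endpoint does not match the hostname the services were pointed at. The script below is an added example, not code from this thread or from OpenStack; it lints a nova.conf-style [keystone_authtoken] section and checks a certificate's names against the endpoint hostname. The hostname, paths and certificate contents are constructed placeholders (fqdn.example.com, /etc/pki/CA/cacert.pem), and the certificate dicts are built in the shape `ssl.getpeercert()` returns so the same function can be pointed at a live endpoint.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of the section Rob describes, as it would appear in
# nova.conf. Hostname and cafile path are placeholders, not a real deployment.
SAMPLE_CONF = """\
[keystone_authtoken]
cafile = /etc/pki/CA/cacert.pem
auth_protocol = https
auth_port = 35357
auth_host = fqdn.example.com
auth_uri = https://fqdn.example.com:5000/v2.0
"""


def lint_authtoken(conf_text):
    """Return a list of problems found in [keystone_authtoken]; [] means consistent."""
    # interpolation=None: OpenStack config values may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("keystone_authtoken"):
        return ["missing [keystone_authtoken] section"]
    sec = cp["keystone_authtoken"]
    problems = []

    proto = sec.get("auth_protocol", "http").lower()
    if proto != "https":
        problems.append("auth_protocol is %r; token validation will be cleartext" % proto)
    if not sec.get("cafile"):
        problems.append("cafile is unset; the service cannot verify keystone's certificate")

    host = sec.get("auth_host", "")
    uri = sec.get("auth_uri")
    if uri:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append("auth_uri scheme is %r, expected https" % parts.scheme)
        if host and parts.hostname != host:
            problems.append("auth_uri host %r does not match auth_host %r" % (parts.hostname, host))
    return problems


def _name_matches(pattern, host):
    """RFC 6125-style match of one dNSName against a hostname.
    A single leading '*' may stand in for exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split(".")[1:], host.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def cert_matches_host(cert, host):
    """cert is the dict ssl.getpeercert() returns for a verified connection.
    SAN dNSName entries are authoritative; the subject CN is consulted only
    when the certificate carries no dNSName SAN at all."""
    san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        return any(_name_matches(n, host) for n in san_names)
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName" and _name_matches(v, host):
                return True
    return False


# Constructed certificate dicts in ssl.getpeercert() layout.
GOOD_CERT = {
    "subject": ((("commonName", "fqdn.example.com"),),),
    "subjectAltName": (("DNS", "fqdn.example.com"),),
}
# Issued for the short hostname while the endpoints use the FQDN: the
# mismatch gustavo warns about.
MISMATCHED_CERT = {
    "subject": ((("commonName", "keystone"),),),
}

if __name__ == "__main__":
    for p in lint_authtoken(SAMPLE_CONF) or ["[keystone_authtoken] looks consistent"]:
        print(p)
    print("cert matches endpoint:", cert_matches_host(GOOD_CERT, "fqdn.example.com"))
```

Against a running keystone, the same check is `cert_matches_host(sock.getpeercert(), host)` on a socket wrapped with `ssl.create_default_context(cafile=...)`, which also exercises the cafile the services will be handed. Note that auth_host/auth_port point at the admin endpoint (35357) while auth_uri is the public one (5000); both certificates have to carry the name the clients connect to.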




