On 07/04/2016 11:14 AM, schmitt wrote:
> Hi,
> I am learning to configure keystone for tokenless ssl x509
> authorization, according to the document:
> http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html.
>
> when making self-signed certificate with command openssl,
> I don't know how to define issuer DN and subject DN for ssl x509.
> Is it right as the following?
> For example,
> If using tokenless authorization between nova service and keystone,
> i define issuer DN like the following:

It is just a mapping: whatever you chose for the DN needs to be mappable to the username in Keystone.

The example has

    "type": "SSL_CLIENT_S_DN_CN"

So if the SSL_CLIENT_S_DN_CN is schmitt at openstack.com then the username needs to be schmitt at openstack.com.

There are many attributes you can use for mapping. Here is a decent summary:

http://www.freeipa.org/page/Environment_Variables

> E=schmitt at openstack.com
> CN=schmitt
> OU=keystone
> O=openstack
> L=Sunnyvale
> S=California
> C=US
>
> and define subject DN like the following:
>
> E=nova at openstack.com
> CN=nova    # nova user defined in the configuration item
>            # [keystone_authtoken] in file "/etc/nova/nova.conf"
> OU=default
> O=defalult
> L=Sunnyvale
> S=California
> C=US
>
> Also, is there something special between subject DN and openstack service?
>
> Thanks & Regards,
>
> schmitt
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
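The reply's point, that the DN is "just a mapping", is easiest to see by following the two DNs through the check keystone performs. The issuer DN of the client certificate (what the TLS terminator exports as SSL_CLIENT_I_DN) has to match an entry configured under [tokenless_auth] trusted_issuer in keystone.conf; the subject DN's CN (SSL_CLIENT_S_DN_CN) is fed through a federation mapping rule and the result must be the name of an existing Keystone user. The following Python is an added, simplified model written for this thread, not keystone's own code: the mapping rule follows keystone's federation mapping JSON format, but the trusted issuer string, the "Default" domain, the user list and the SSL_CLIENT_* values are constructed for the example (real keystone also hashes trusted issuer DNs before comparing them).

```python
import json

# Mapping rule in keystone's federation mapping format (constructed example):
# the CN of the client certificate subject ({0} = first remote attribute)
# becomes the Keystone user name. The domain name "Default" is an assumption.
MAPPING_RULES = json.loads("""
[
  {
    "local": [
      {"user": {"name": "{0}", "domain": {"name": "Default"}}}
    ],
    "remote": [
      {"type": "SSL_CLIENT_S_DN_CN"}
    ]
  }
]
""")

# Issuer DN the deployment trusts, as it would be listed under
# [tokenless_auth] trusted_issuer in keystone.conf. Constructed value that
# mirrors the issuer DN layout proposed in the thread.
TRUSTED_ISSUERS = {
    "emailAddress=schmitt@openstack.com,CN=schmitt,OU=keystone,"
    "O=openstack,L=Sunnyvale,ST=California,C=US"
}

# Users that exist in Keystone (constructed); the mapped name must be one.
KNOWN_USERS = {"nova", "neutron"}


def normalize_dn(dn):
    """Order-preserving normalization: strip whitespace around each RDN so
    'CN=a, O=b' and 'CN=a,O=b' compare equal."""
    return ",".join(part.strip() for part in dn.split(","))


def apply_mapping(env, rules):
    """Return the user name produced by the first matching rule, or None.

    env holds the SSL_CLIENT_* variables the TLS terminator exports. Each
    remote entry's value is collected in order and substituted positionally
    into the local user name ({0}, {1}, ...)."""
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = env.get(remote["type"])
            if not value:
                break  # required attribute missing: this rule does not match
            values.append(value)
        else:
            for local in rule["local"]:
                if "user" in local:
                    return local["user"]["name"].format(*values)
    return None


def authenticate(env, rules=MAPPING_RULES, trusted=TRUSTED_ISSUERS,
                 users=KNOWN_USERS):
    """Model of the tokenless check: reject certificates from an issuer that
    is not trusted, map the subject to a user name, and require that the
    user actually exists. Returns the user name or None."""
    issuer = env.get("SSL_CLIENT_I_DN", "")
    if normalize_dn(issuer) not in {normalize_dn(t) for t in trusted}:
        return None
    name = apply_mapping(env, rules)
    if name not in users:
        return None
    return name


if __name__ == "__main__":
    # Constructed environment as mod_ssl would export it for a nova client
    # certificate signed by the trusted issuer above.
    sample_env = {
        "SSL_CLIENT_I_DN": "emailAddress=schmitt@openstack.com, CN=schmitt, "
                           "OU=keystone, O=openstack, L=Sunnyvale, "
                           "ST=California, C=US",
        "SSL_CLIENT_S_DN_CN": "nova",
    }
    print(authenticate(sample_env))
```

The subject DN's other fields (OU, O, L and so on) play no part in the decision unless a rule references them, which is why the reply says the only requirement is that whatever you put in the DN can be mapped to the user name.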