How to set up SSL on Openstack API endpoints

Asked by George John

Hi,
I have Openstack Essex 2012.1 set up on Ubuntu 12.04. I could not find any instructions on how to set up SSL on the openstack API endpoints (HTTPS). I saw a blueprint regarding this: https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl
Reading the blueprint and related bug, I get the feeling that SSL on Openstack API endpoints has not been implemented yet (in Essex). Is my understanding correct?

But while reading the openstack documentation for Keystone, I see a section on "SSL" http://docs.openstack.org/developer/keystone/configuration.html?highlight=ssl#ssl
I followed the instructions of updating the keystone.conf with the entries specified and I restarted the keystone service but I don't see SSL enabled. I verified this by running the command "keystone --debug tenant-list". From the output of the command, I still see HTTP being used.
Could you please tell me if there are other steps to be followed to set up SSL on keystone? Could you point me to the complete instructions to set up SSL on keystone? Just updating the keystone.conf did not seem to work.

Thank you.

Question information

Language: English
Status: Solved
For: OpenStack Identity (keystone)
Assignee: No assignee
Solved by: Joseph Heck
Joseph Heck (heckj) said:
#1

The SSL components have *not* been installed directly in the python code as of Essex, but are in the Folsom-2 milestone. For wrapping keystone in SSL with the essex release, it's expected that you'll arrange the SSL termination external to keystone itself - using Apache or Nginx as a reverse proxy, an F5 load balancer, or something similar.

The instructions should work correctly for the folsom-2 milestone (or current master).

George John (george-john) said:
#2

Joseph, thank you for your response. Our aim is to set up SSL on both Nova and Keystone API endpoints. As per your suggestion, in the Essex release, the way to do this is to set up a reverse proxy on these API endpoints. I am just trying to understand... By setting up the proxy, the communication from outside to these API endpoints will be secure, but the internal communication between Nova and Keystone will still be over HTTP (and not HTTPS). Am I correct?

Thank you.

Joseph Heck (heckj) said (best answer):
#3

George - typically the traffic encryption when using a reverse proxy setup is terminated at the reverse proxy device - whether that's an F5, or nginx+ssl, and the traffic between that device (or software component) and keystone (or nova) is unencrypted. The general pattern in many deployments is that the unencrypted traffic is getting run over a private network where snooping isn't a concern.

George John (george-john) said:
#4

Thank you Joseph for your response. I was able to get an Apache reverse proxy setup working.
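The reverse-proxy arrangement described in #1 and #3, written out as an added example (not the poster's actual configuration): an Apache 2.2 virtual host that terminates SSL on the Keystone public port and forwards cleartext to keystone on the loopback interface. It assumes mod_ssl and mod_proxy_http are enabled, that keystone.conf has been changed to `bind_host = 127.0.0.1` and `public_port = 5001` so Apache can own port 5000, and that the certificate paths and hostname are placeholders.

```apache
# Added example, not from the thread. Apache terminates SSL on 5000 and
# proxies to keystone, which is assumed to listen in cleartext on
# 127.0.0.1:5001 (bind_host = 127.0.0.1, public_port = 5001 in keystone.conf).
# Binding keystone to loopback keeps the unencrypted hop off the network
# entirely, which is stricter than the "private network" pattern in #3.
Listen 5000
<VirtualHost *:5000>
    # Placeholder hostname; must match the certificate's subject.
    ServerName keystone.example.com

    SSLEngine on
    # Refuse SSLv2; Apache 2.2 syntax.
    SSLProtocol all -SSLv2
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/keystone.pem
    SSLCertificateKeyFile /etc/ssl/private/keystone.key

    # Reverse proxy only: never let this vhost act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass        / http://127.0.0.1:5001/
    ProxyPassReverse / http://127.0.0.1:5001/

    LogLevel warn
    ErrorLog  /var/log/apache2/keystone-ssl-error.log
    CustomLog /var/log/apache2/keystone-ssl-access.log combined
</VirtualHost>
```

The admin port (35357) gets a second vhost of the same shape, and the URLs keystone publishes in its service catalog must be changed to https so that clients such as `keystone --debug tenant-list` are sent to the proxied port rather than back to cleartext.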