This chapter shows how to enable SSL in OpenStack for your backup users.
If you are new to OpenStack, consult the OpenStack documentation for the general setup at http://docs.openstack.org/
If you already have a running OpenStack, you can follow the steps below to enable SSL.
Here is the OpenStack version used in the following examples:
Here are the values used in the following examples:
Note: The value of the Keystone admin token is the value of the "admin_token" setting in the Keystone configuration file /etc/keystone/keystone.conf .
Please set up the following variables in the bash profile, and the filters in proxy-server.conf, before you set up a tenant (project), users, roles, storage quota, etc.
Step 1: Add the environment variables to .bash_profile
Example (/root/.bash_profile)
----------------------------------------------------------------------------------------------------
: : Trimmed : :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=https://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=https://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
: : Trimmed : :
----------------------------------------------------------------------------------------------------
Please log in again for the profile to take effect.
Note: The value of OS_SERVICE_TOKEN is the value of the "admin_token" setting in the Keystone configuration file /etc/keystone/keystone.conf .
To set up the SSL certificates, edit the file /etc/keystone/keystone.conf
Assume you have valid certificate files at
/etc/keystone/ssl_cert.pem
/etc/keystone/ssl_key.pem
/etc/keystone/cacert.pem
where
ssl_cert.pem is the server certificate (public key) file,
ssl_key.pem is the private key file, and
cacert.pem is the CA root certificate file.
Since the format of the certificate issued by a CA may differ, always check with your CA for the correct instructions on chaining the certificates.
Example (/etc/keystone/keystone.conf)
----------------------------------------------------------------------------------------------------
: : : Trimmed : : :
[ssl]
enable = True
certfile = /etc/keystone/ssl_cert.pem
keyfile = /etc/keystone/ssl_key.pem
ca_certs = /etc/keystone/cacert.pem
: : : Trimmed : : :
----------------------------------------------------------------------------------------------------
Restart Keystone for the change to take effect.
----------------------------------------------------------------------------------------------------
[root@os ~]# service openstack-keystone restart
Stopping keystone:                                         [  OK  ]
Starting keystone:                                         [  OK  ]
[root@os ~]#
----------------------------------------------------------------------------------------------------
The '--insecure' switch is required if an untrusted SSL certificate (one not signed by a CA the client trusts) is used.
Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|                id                |    name    |     type     |          description           |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba | cinder_v2  |   volumev2   |       Cinder Service v2        |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |    Openstack Image Service     |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |   OpenStack Identity Service   |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |   Neutron Networking Service   |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |   Openstack Compute Service    |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           |
| 8b517bd82d4345c895384f9596a29880 |   swift    | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |      s3      |      Openstack S3 Service      |
+----------------------------------+----------- -+--------------+--------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------
The swift service id is 8b517bd82d4345c895384f9596a29880, in the row with name "swift" and type "object-store" (not the "swift_s3" row).
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+---------------------+----------------------------------+
|                id                |   region  | ......Trimmed...... |            service_id            |
+----------------------------------+-----------+---------------------+----------------------------------+
| 00a39b6e21a24562b470b61a1b82902d | RegionOne | ......Trimmed...... | 218b5356d65e4d8382297f72d65c8bbb |
| 047f9c3dd19743e280a553d8a34a9202 | RegionOne | ......Trimmed...... | 10f1a022ada246138aba5834e3622a91 |
| 2b89407a81574b2c8f0fdef9eefc507a | RegionOne | ......Trimmed...... | 5f805cc7df2a43eb90db6fe11ed682f6 |
| 47b6d5974d744c21a04b6ca2781f57a0 | RegionOne | ......Trimmed...... | b703b91737954d01a2d180f6c3d575ba |
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne | ......Trimmed...... | b3af7d0a95d34aa7883629df7a7f7f56 |
| 90bb1d878b7045f086e2ada7ce853308 | RegionOne | ......Trimmed...... | 3134116675a8420a88ef01cdcb0c8728 |
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne | ......Trimmed...... | 11882e74696547b0ba1e4d276074ae37 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | ......Trimmed...... | 8b517bd82d4345c895384f9596a29880 |
| a9b9c9fbef6a44669788c1946a3c8e48 | RegionOne | ......Trimmed...... | cc787cf0258e46d6a342e1502e7bf6be |
| c370061d0cc64386a470a5a0fb01e424 | RegionOne | ......Trimmed...... | a809ad43f380400cb55ff2520bb27ab0 |
+----------------------------------+-----------+---------------------+----------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------
Look up the endpoint for the swift service, i.e. the row with service_id=8b517bd82d4345c895384f9596a29880.
Delete that endpoint: its id, a1af6685d3e04e5fa7b71f6c244f1393, is in the same row as the swift service_id.
Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-delete a1af6685d3e04e5fa7b71f6c244f1393
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Endpoint has been deleted.
[root@os ~]#
----------------------------------------------------------------------------------------------------
Re-create the swift endpoint with https URLs.
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-create --region RegionOne --service-id=8b517bd82d4345c895384f9596a29880 --publicurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://10.7.54.7:8080/v1' --internalurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s'
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------------------+
|   Property  |                    Value                     |
+-------------+----------------------------------------------+
|   adminurl  |          https://10.7.54.7:8080/v1           |
|      id     |       fb937c038fd34724bd7415fff3ee7736       |
| internalurl | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|    region   |                  RegionOne                   |
|  service_id |       8b517bd82d4345c895384f9596a29880       |
+-------------+----------------------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------
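The three steps above (find the swift service id, find the endpoint bound to it, re-create it with https URLs) are easy to get wrong by reading ids off the screen, for example by taking the "swift_s3" row instead of "swift". The script below is an added example, not part of the original guide or of the keystone client: it parses service-list and endpoint-list tables with awk, matching name and type exactly, and checks that every URL intended for the new endpoint starts with https:// before the endpoint-create command is issued. The two tables are constructed sample output using the ids from this guide; on a live system pipe the real command output into the functions instead. The commands are only printed, so the script is a dry run.

```shell
#!/bin/sh
# Added example (not from the original guide): pick the Swift service id out of
# `keystone service-list` output and the endpoint id(s) bound to it out of
# `keystone endpoint-list` output, then confirm the replacement URLs use https.
# SERVICE_LIST and ENDPOINT_LIST are constructed sample tables, not real output.

SERVICE_LIST='+----------------------------------+------------+--------------+--------------------------------+
| id                               | name       | type         | description                    |
+----------------------------------+------------+--------------+--------------------------------+
| 8b517bd82d4345c895384f9596a29880 | swift      | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 | swift_s3   | s3           | Openstack S3 Service           |
+----------------------------------+------------+--------------+--------------------------------+'

ENDPOINT_LIST='+----------------------------------+-----------+---------------------------------------------+----------------------------------+
| id                               | region    | publicurl                                   | service_id                       |
+----------------------------------+-----------+---------------------------------------------+----------------------------------+
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne | http://10.7.54.7:8080                       | 11882e74696547b0ba1e4d276074ae37 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | http://10.7.54.7:8080/v1/AUTH_%(tenant_id)s | 8b517bd82d4345c895384f9596a29880 |
+----------------------------------+-----------+---------------------------------------------+----------------------------------+'

# service_id_for NAME TYPE   (table on stdin)
# Prints the id of the service whose name AND type match exactly, so that
# "swift" is never confused with "swift_s3".
service_id_for() {
    awk -F'|' -v want_name="$1" -v want_type="$2" '
        NF >= 5 {
            id = $2; name = $3; svc_type = $4
            gsub(/^ +| +$/, "", id); gsub(/^ +| +$/, "", name); gsub(/^ +| +$/, "", svc_type)
            if (name == want_name && svc_type == want_type) print id
        }'
}

# endpoint_ids_for SERVICE_ID   (table on stdin)
# Prints every endpoint id whose service_id column (the last one) matches.
endpoint_ids_for() {
    awk -F'|' -v want="$1" '
        NF >= 5 {
            id = $2; sid = $(NF-1)
            gsub(/^ +| +$/, "", id); gsub(/^ +| +$/, "", sid)
            if (sid == want) print id
        }'
}

# all_https URL...
# Returns 0 only when every argument starts with "https://". A stray leading
# space inside a quoted argument also fails, which is what you want: Keystone
# would otherwise store the URL with the space in it.
all_https() {
    for u in "$@"; do
        case $u in
            https://*) ;;
            *) echo "not an https URL: '$u'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Demonstration with the constructed tables above (dry run: commands are printed).
swift_sid=$(printf '%s\n' "$SERVICE_LIST" | service_id_for swift object-store)
old_eid=$(printf '%s\n' "$ENDPOINT_LIST" | endpoint_ids_for "$swift_sid")
echo "swift service_id: $swift_sid"
echo "endpoint to delete: $old_eid"
PUBLIC='https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s'
ADMIN='https://10.7.54.7:8080/v1'
if all_https "$PUBLIC" "$ADMIN" "$PUBLIC"; then
    echo "keystone --insecure endpoint-delete $old_eid"
    echo "keystone --insecure endpoint-create --region RegionOne --service-id=$swift_sid" \
         "--publicurl '$PUBLIC' --adminurl '$ADMIN' --internalurl '$PUBLIC'"
fi
```

To use it against a live system, replace the two constructed tables with `keystone --insecure service-list` and `keystone --insecure endpoint-list` output (for example `keystone --insecure service-list | service_id_for swift object-store`); the parsing is the same.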
Edit the file /etc/swift/proxy-server.conf and add the cert_file and key_file settings in [DEFAULT] and the https settings in [filter:authtoken], as shown in the example below.
Assume you have valid certificate files at
/etc/swift/ssl_cert.pem
/etc/swift/ssl_key.pem
where
ssl_cert.pem is the server certificate (public key) file, and
ssl_key.pem is the private key file.
Since the format of the certificate issued by a CA may differ, always check with your CA for the correct instructions on chaining the certificates.
Example (/etc/swift/proxy-server.conf)
----------------------------------------------------------------------------------------------------
# This file is managed by puppet. Do not edit
#
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
: : : Trimmed : : :
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem
: : : Trimmed : : :
[filter:authtoken]
: : : Trimmed : : :
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true
----------------------------------------------------------------------------------------------------
Restart the Swift-related services after you have modified the config file /etc/swift/proxy-server.conf .
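Before restarting Swift it is worth checking the edited file rather than the screen: the proxy only serves TLS if cert_file and key_file are set in [DEFAULT], and it only talks to Keystone over TLS if auth_protocol and auth_uri in [filter:authtoken] say https. The "insecure = true" line is also worth flagging, because it makes the proxy accept any certificate Keystone presents; it matches the '--insecure' switch used on the command line and is only appropriate while an untrusted test certificate is in use. The script below is an added example, not part of the original guide or of Swift: a small awk-based INI reader plus a read-only audit function. The two configurations are constructed from the settings in this guide; on a live system point audit_proxy_conf at the real /etc/swift/proxy-server.conf.

```shell
#!/bin/sh
# Added example, not part of the original guide: a read-only audit of a
# proxy-server.conf that reports whether the Swift proxy serves TLS itself and
# talks to Keystone over https, and flags "insecure = true".
# CONF_TLS and CONF_PLAIN are constructed samples, not files from a real host.

# ini_get SECTION KEY   (file on stdin)
# Prints every value of KEY found inside [SECTION]; callers take the last one.
ini_get() {
    awk -F= -v sec="[$1]" -v key="$2" '
        /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]+|[ \t]+$/, "", cur); next }
        cur == sec && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); print val
        }'
}

# audit_proxy_conf FILE
# Returns 0 when both the proxy listener and the authtoken filter use TLS,
# 1 otherwise. "insecure = true" only produces a WARN line, not a failure.
audit_proxy_conf() {
    conf=$1; rc=0
    cert=$(ini_get DEFAULT cert_file < "$conf" | tail -n 1)
    key=$(ini_get DEFAULT key_file < "$conf" | tail -n 1)
    proto=$(ini_get filter:authtoken auth_protocol < "$conf" | tail -n 1)
    uri=$(ini_get filter:authtoken auth_uri < "$conf" | tail -n 1)
    insecure=$(ini_get filter:authtoken insecure < "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "FAIL: [DEFAULT] cert_file/key_file not set; the proxy listens in plain HTTP"; rc=1
    fi
    if [ "$proto" != https ]; then
        echo "FAIL: auth_protocol is '${proto:-unset}', expected https"; rc=1
    fi
    case $uri in
        https://*) ;;
        *) echo "FAIL: auth_uri is '${uri:-unset}', expected an https:// URL"; rc=1 ;;
    esac
    if [ "$insecure" = true ]; then
        echo "WARN: insecure = true disables verification of Keystone's certificate; keep it only while an untrusted test certificate is in use"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf: proxy listener and authtoken both use TLS"
    return "$rc"
}

# Constructed sample: the settings this guide adds.
CONF_TLS='# This file is managed by puppet. Do not edit
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem

[filter:authtoken]
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true'

# Constructed sample: a proxy still running without TLS.
CONF_PLAIN='[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7

[filter:authtoken]
auth_protocol = http
auth_uri = http://10.7.54.7:5000'

# write_conf TEXT : writes TEXT to a temporary file and prints its path
write_conf() { path=$(mktemp); printf '%s\n' "$1" > "$path"; echo "$path"; }

tls_file=$(write_conf "$CONF_TLS")
plain_file=$(write_conf "$CONF_PLAIN")
audit_proxy_conf "$tls_file"   || true
audit_proxy_conf "$plain_file" || true
rm -f "$tls_file" "$plain_file"
```

Run `audit_proxy_conf /etc/swift/proxy-server.conf` after editing and again after the certificate from the CA replaces the test one, at which point the WARN line should disappear along with the insecure setting.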
Example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift-init main restart
Signal proxy-server  pid: 17166  signal: 15
Signal container-server  pid: 17167  signal: 15
Signal account-server  pid: 17168  signal: 15
Signal object-server  pid: 17169  signal: 15
object-server (17169) appears to have stopped
container-server (17167) appears to have stopped
account-server (17168) appears to have stopped
proxy-server (17166) appears to have stopped
Starting proxy-server...(/etc/swift/proxy-server.conf)
Starting container-server...(/etc/swift/container-server.conf)
Starting account-server...(/etc/swift/account-server.conf)
Starting object-server...(/etc/swift/object-server.conf)
WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment.
[root@os ~]#
----------------------------------------------------------------------------------------------------
Verify that the swift client can reach the account over https.
----------------------------------------------------------------------------------------------------
[root@os ~]# swift --insecure stat
       Account: AUTH_49f2482ecff9431bae1d32fa2a004026
    Containers: 8
       Objects: 480
         Bytes: 189030388
Meta Quota-Bytes: 10737418240
   X-Timestamp: 1412574345.10669
  Content-Type: text/plain; charset=utf-8
 Accept-Ranges: bytes
[root@os ~]#
----------------------------------------------------------------------------------------------------