openstack-manuals/doc/admin-guide-cloud/source/keystone_configure_with_SSL.rst
zhu.rong 6f0750334d [admin-guide-cloud] Fix the keystone wrong config path
keystone_configure_with_SSL.rst and identity_management.rst
use /etc/keystone.conf as the config path;
the config path should be /etc/keystone/keystone.conf

Change-Id: Icdb399854437628691376f0713d81ac80942796a
Closes-bug: #1502150
2015-10-02 21:44:20 +08:00


=======================================
Configure the Identity service with SSL
=======================================

You can configure the Identity service to support two-way SSL (mutual TLS):
the server presents its own certificate to clients and, when client
authentication is enabled, it also requires each client to present a
certificate that chains to a trusted CA. You must obtain the X.509
certificates externally and configure them. The Identity service provides a
set of sample certificates in the :file:`examples/pki/certs` and
:file:`examples/pki/private` directories:

cacert.pem
    Certificate Authority chain to validate against.

ssl_cert.pem
    Public certificate for the Identity service server.

middleware.pem
    Public certificate and private key for the Identity service
    middleware/client.

cakey.pem
    Private key for the CA.

ssl_key.pem
    Private key for the Identity service server.

.. note::

   You can choose names for these certificates. You can also combine the
   public certificate and private key in the same file, if you wish. These
   certificates are provided only as an example: the sample private keys
   ship in the public source tree, so never use them in a real deployment.

Client authentication with keystone-all
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When running ``keystone-all``, the server can be configured to enable SSL
with client authentication using the following instructions. Modify the
``[eventlet_server_ssl]`` section in the :file:`/etc/keystone/keystone.conf`
file. The following example enables SSL and requires a client certificate;
replace the ``<path to ...>`` placeholders with the paths of your own
certificates (for a test deployment, the sample ``ssl_cert.pem``,
``ssl_key.pem``, and ``cacert.pem`` files described above):

.. code-block:: ini
   :linenos:

   [eventlet_server_ssl]
   enable = True
   certfile = <path to keystone.pem>
   keyfile = <path to keystonekey.pem>
   ca_certs = <path to ca.pem>
   cert_required = True

**Options**

- ``enable``
    True enables SSL. Default is False.

- ``certfile``
    Path to the Identity service public certificate file (PEM).

- ``keyfile``
    Path to the Identity service private key file (PEM).
    If you include the private key in the certfile, you can omit the
    keyfile.

- ``ca_certs``
    Path to the CA trust chain. Client certificates are verified against
    this chain when ``cert_required`` is True, so it must contain the CA
    that issued your client certificates.

- ``cert_required``
    Requires a client certificate. Default is False. When True, the server
    rejects any TLS handshake in which the client does not present a
    certificate that validates against ``ca_certs``; when False, SSL is
    one-way only and clients are not authenticated by certificate.

When running the Identity service as a WSGI service in a web server such
as Apache httpd, this configuration is done in the web server instead
(for mod_ssl, with the ``SSLCertificateFile``, ``SSLCertificateKeyFile``,
``SSLCACertificateFile``, and ``SSLVerifyClient require`` directives).
In this case the options in the ``[eventlet_server_ssl]`` section are
ignored.
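
The following script is an added example, not part of the OpenStack manuals
or the keystone code base. It reads the ``[eventlet_server_ssl]`` section of
a keystone.conf with the Python standard library and reports the mistakes a
practitioner makes most often with the settings above: SSL left disabled,
``cert_required`` left at its default of False, placeholder paths never
replaced, and a certfile/keyfile pair that the ``ssl`` module refuses to load
because the file is not PEM or the private key does not match the
certificate. The function names (``check_ssl_section``, ``demo``) and the
two configuration files it writes into a scratch directory are this
example's own; the boolean parsing mirrors oslo.config's true/yes/on/1 as an
assumption. It only applies to the ``keystone-all`` deployment, since a web
server deployment ignores this section.

```python
"""Lint the [eventlet_server_ssl] section of a keystone.conf (added example)."""
import configparser
import os
import ssl
import tempfile

SECTION = "eventlet_server_ssl"


def _truthy(value):
    """Assumed oslo.config-style booleans: 1/true/yes/on mean True."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def check_ssl_section(conf_path):
    """Return a list of findings for conf_path; an empty list means nothing found."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    with open(conf_path) as fh:
        parser.read_file(fh)
    if not parser.has_section(SECTION):
        return ["[%s] section missing: keystone-all will not use SSL" % SECTION]
    sec = parser[SECTION]

    if not _truthy(sec.get("enable", "False")):
        findings.append("enable is not True: keystone-all listens in cleartext")

    certfile = sec.get("certfile", "").strip()
    keyfile = sec.get("keyfile", "").strip()  # optional if the key is inside certfile
    ca_certs = sec.get("ca_certs", "").strip()
    cert_required = _truthy(sec.get("cert_required", "False"))

    if not certfile:
        findings.append("certfile is not set: no server certificate")
    if not cert_required:
        findings.append("cert_required is False: clients are not authenticated "
                        "(one-way SSL only)")
    elif not ca_certs:
        findings.append("cert_required is True but ca_certs is not set: no trust "
                        "anchor to verify client certificates")

    for name, path in (("certfile", certfile), ("keyfile", keyfile), ("ca_certs", ca_certs)):
        if path and not os.path.isfile(path):
            findings.append("%s points to a missing file: %s" % (name, path))

    # Cryptographic consistency, checked before restarting the service: the
    # ssl module rejects non-PEM files and a key that does not match the cert.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile and os.path.isfile(certfile) and (not keyfile or os.path.isfile(keyfile)):
        try:
            ctx.load_cert_chain(certfile, keyfile or None)
        except ssl.SSLError as exc:
            findings.append("certfile/keyfile could not be loaded (not PEM, or the "
                            "private key does not match the certificate): %s" % exc)
    if ca_certs and os.path.isfile(ca_certs):
        try:
            ctx.load_verify_locations(cafile=ca_certs)
        except ssl.SSLError as exc:
            findings.append("ca_certs could not be loaded as a PEM bundle: %s" % exc)
    return findings


def demo():
    """Run the linter over two constructed configs (not real deployments)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Scenario 1: the page's template copied verbatim, placeholders unfilled.
        conf1 = os.path.join(tmp, "placeholders.conf")
        with open(conf1, "w") as fh:
            fh.write("[eventlet_server_ssl]\nenable = True\n"
                     "certfile = <path to keystone.pem>\n"
                     "keyfile = <path to keystonekey.pem>\n"
                     "ca_certs = <path to ca.pem>\ncert_required = True\n")
        results["placeholders"] = check_ssl_section(conf1)

        # Scenario 2: the files exist but are not PEM, and client auth is off.
        bogus = os.path.join(tmp, "notpem.pem")
        with open(bogus, "w") as fh:
            fh.write("this is not a certificate\n")
        conf2 = os.path.join(tmp, "bogus.conf")
        with open(conf2, "w") as fh:
            fh.write("[eventlet_server_ssl]\nenable = True\n"
                     "certfile = %s\nkeyfile = %s\nca_certs = %s\n"
                     "cert_required = False\n" % (bogus, bogus, bogus))
        results["bogus"] = check_ssl_section(conf2)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario)
        for finding in findings:
            print("  -", finding)
```

Point ``check_ssl_section`` at :file:`/etc/keystone/keystone.conf` on a real
host; the ``load_cert_chain`` check is the same failure ``keystone-all`` would
hit at startup, so catching it here avoids a service that never comes back up
after a restart.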