openstack-manuals/doc/common/section_keystone-ssl-config.xml
Christian Berendt b2235bf3fb Unified the syntax of the XML root element (common)
Execluded all XML files in the directory doc/common/tables because
they are autogenerated.

The XML root element of Docbook XML files should match the following
format:

<ELEMENT xmlns="http://docbook.org/ns/docbook"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  version="5.0"
  xml:id="THE_XML_ID_OF_THE_ELEMENT">

Change-Id: If12091be81ec8b2e6e53bfcb4c3a883a65e24736
2014-07-09 22:23:03 +02:00

101 lines
3.8 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-ssl-config">
<?dbhtml stop-chunking?>
<title>Configure the Identity Service with SSL</title>
<para>You can configure the Identity Service to support two-way
SSL.</para>
<para>You must obtain the x509 certificates externally and
configure them.</para>
<para>The Identity Service provides a set of sample certificates
in the <filename class="directory"
>examples/pki/certs</filename> and <filename
class="directory">examples/pki/private</filename>
directories:</para>
<variablelist>
<title>Certificate types</title>
<varlistentry>
<term>cacert.pem </term>
<listitem>
<para>Certificate Authority chain to validate
against.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ssl_cert.pem </term>
<listitem>
<para>Public certificate for Identity Service
server.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>middleware.pem </term>
<listitem>
<para>Public and private certificate for Identity
Service middleware/client.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>cakey.pem </term>
<listitem>
<para>Private key for the CA.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ssl_key.pem </term>
<listitem>
<para>Private key for the Identity Service
server.</para>
</listitem>
</varlistentry>
</variablelist>
<note>
<para>You can choose names for these certificates. You can
also combine the public/private keys in the same file, if
you wish. These certificates are provided as an
example.</para>
</note>
<section xml:id="ssl-configuration">
<title>SSL configuration</title>
<para>To enable SSL with client authentication, modify the
<literal>[ssl]</literal> section in the
<filename>etc/keystone.conf</filename> file. The
following SSL configuration example uses the included
sample certificates:</para>
<programlisting language="ini">[ssl]
enable = True
certfile = &lt;path to keystone.pem&gt;
keyfile = &lt;path to keystonekey.pem&gt;
ca_certs = &lt;path to ca.pem&gt;
cert_required = True</programlisting>
<itemizedlist>
<title>Options</title>
<listitem>
<para><literal>enable</literal>. True enables SSL.
Default is False.</para>
</listitem>
<listitem>
<para><literal>certfile</literal>. Path to the
Identity Service public certificate file.</para>
</listitem>
<listitem>
<para><literal>keyfile</literal>. Path to the Identity
Service private certificate file. If you include
the private key in the certfile, you can omit the
keyfile.</para>
</listitem>
<listitem>
<para><literal>ca_certs</literal>. Path to the CA
trust chain.</para>
</listitem>
<listitem>
<para><literal>cert_required</literal>. Requires
client certificate. Default is False.</para>
</listitem>
</itemizedlist>
</section>
</section>