cd1cf9f20a
The keystone client authentication options have moved to the [eventlet_server_ssl] section because they only apply when keystone-all is used rather than the WSGI service. Using keystone-all is deprecated. Change-Id: I07f87dff504fc580e6a4aed587ebec312607f5a0
107 lines
4.2 KiB
XML
107 lines
4.2 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="keystone-ssl-config">
|
|
<?dbhtml stop-chunking?>
|
|
<title>Configure the Identity Service with SSL</title>
|
|
<para>You can configure the Identity Service to support two-way
|
|
SSL.</para>
|
|
<para>You must obtain the x509 certificates externally and
|
|
configure them.</para>
|
|
<para>The Identity Service provides a set of sample certificates
|
|
in the <filename class="directory"
|
|
>examples/pki/certs</filename> and <filename
|
|
class="directory">examples/pki/private</filename>
|
|
directories:</para>
|
|
<variablelist>
|
|
<title>Certificate types</title>
|
|
<varlistentry>
|
|
<term>cacert.pem </term>
|
|
<listitem>
|
|
<para>Certificate Authority chain to validate
|
|
against.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>ssl_cert.pem </term>
|
|
<listitem>
|
|
<para>Public certificate for Identity Service
|
|
server.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>middleware.pem </term>
|
|
<listitem>
|
|
<para>Public and private certificate for Identity
|
|
Service middleware/client.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>cakey.pem </term>
|
|
<listitem>
|
|
<para>Private key for the CA.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>ssl_key.pem </term>
|
|
<listitem>
|
|
<para>Private key for the Identity Service
|
|
server.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<note>
|
|
<para>You can choose names for these certificates. You can
|
|
also combine the public/private keys in the same file, if
|
|
you wish. These certificates are provided as an
|
|
example.</para>
|
|
</note>
|
|
<section xml:id="ssl-configuration">
|
|
<title>Client authentication with keystone-all</title>
|
|
<para>When running keystone-all, the server can be configured to
|
|
enable SSL with client authentication using the following
|
|
instructions. Modify the
|
|
<literal>[eventlet_server_ssl]</literal> section in the
|
|
<filename>etc/keystone.conf</filename> file. The
|
|
following SSL configuration example uses the included
|
|
sample certificates:</para>
|
|
<programlisting language="ini">[eventlet_server_ssl]
|
|
enable = True
|
|
certfile = <path to keystone.pem>
|
|
keyfile = <path to keystonekey.pem>
|
|
ca_certs = <path to ca.pem>
|
|
cert_required = True</programlisting>
|
|
<itemizedlist>
|
|
<title>Options</title>
|
|
<listitem>
|
|
<para><literal>enable</literal>. True enables SSL.
|
|
Default is False.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><literal>certfile</literal>. Path to the
|
|
Identity Service public certificate file.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><literal>keyfile</literal>. Path to the Identity
|
|
Service private certificate file. If you include
|
|
the private key in the certfile, you can omit the
|
|
keyfile.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><literal>ca_certs</literal>. Path to the CA
|
|
trust chain.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><literal>cert_required</literal>. Requires
|
|
client certificate. Default is False.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>When running the Identity Service as a WSGI service in a web
|
|
server such as Apache httpd, this configuration is done in the web
|
|
server instead. In this case the options in the
|
|
<literal>[eventlet_server_ssl]</literal> section are ignored.</para>
|
|
</section>
|
|
</section>
|