Category Archives: SSL

SSL CA in devstack

I’ve been trying to configure devstack to install SSL-enabled endpoints. This is generally straightforward but hampered by several bugs related to server-to-server communication (e.g. nova to glance) where there are no options to specify the location of the issuing CA.

One workaround I’m looking at, rather than passing the CA around as a path everywhere, is to add it to the system CA bundle and let the client libraries handle things. This is less than ideal but seems to work. I’m a Fedora guy so I use the new CA trust commands:

# cp /path/to/cacert.pem /etc/pki/ca-trust/source/anchors

OR

# cp /path/to/cacert.pem /usr/share/pki/ca-trust-source
# update-ca-trust extract

The difference between the two directories is the priority (low or high) that the CA trust tool gives the certificate. I’m honestly not entirely sure what that means, but the low priority version works for me.

Strangely I still need to specify the CA for some things. I haven’t figured that one out yet, but doing this I was able to get a vanilla OpenStack install via devstack with nova, keystone, glance and cinder secured with SSL.
The Fedora feature is documented at http://fedoraproject.org/wiki/Features/SharedSystemCertificates
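One thing worth checking after update-ca-trust extract is that the CA really landed in the bundle the client libraries read. This is an added example (Python, not from the post or the ca-trust tooling); the extracted bundle path is an assumption and the PEM samples are constructed, not real certificates.

```python
"""Check that a CA added via the anchors directory ended up in the extracted bundle.
Added example for this page, not code from the post or from the ca-trust tooling.
It compares PEM bodies textually, so it needs no crypto library."""
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Bundle written by update-ca-trust on Fedora (assumed path; override if yours differs).
EXTRACTED_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"


def pem_bodies(text: str) -> set:
    """Return the base64 body of every certificate in a PEM file, whitespace removed.
    The extracted bundle re-wraps lines, so comparison must ignore line breaks."""
    return {re.sub(r"\s+", "", body) for body in PEM_RE.findall(text)}


def missing_from_bundle(anchor_text: str, bundle_text: str) -> list:
    """Return the anchor certificates (whitespace-free base64) absent from the bundle."""
    wanted = pem_bodies(anchor_text)
    if not wanted:
        raise ValueError("no certificate found in anchor file")
    return sorted(wanted - pem_bodies(bundle_text))


def check_files(anchor_path: str, bundle_path: str = EXTRACTED_BUNDLE) -> bool:
    """True when every certificate in anchor_path is present in the extracted bundle."""
    with open(anchor_path) as a, open(bundle_path) as b:
        return not missing_from_bundle(a.read(), b.read())


# Constructed PEM-shaped samples (not real certificates) for a stand-alone run.
ANCHOR = "-----BEGIN CERTIFICATE-----\nQUJDREVG\nR0hJSks=\n-----END CERTIFICATE-----\n"
BUNDLE_WITH = "# Other CA\n-----BEGIN CERTIFICATE-----\nWFla\n-----END CERTIFICATE-----\n" \
    "-----BEGIN CERTIFICATE-----\nQUJDREVGR0hJSks=\n-----END CERTIFICATE-----\n"
BUNDLE_WITHOUT = "-----BEGIN CERTIFICATE-----\nWFla\n-----END CERTIFICATE-----\n"
```

On a real host, check_files("/path/to/cacert.pem") reports whether the anchor you copied is in the bundle; if it is and a client still fails, the client is not using the system store.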

Configure Keystone to use SSL in OpenStack

It is possible to convert an existing OpenStack installation to use SSL for Keystone and other services. I’ll tackle those later.

BEWARE: No Keystone == No OpenStack, so tread carefully as you can easily hose your installation.

In my case I installed OpenStack Havana using RDO on RHEL 6.5, using packstack. I suspect that the configuration is largely similar for other versions as well:

# packstack --gen-answers-file=/root/answers.txt

In my case I modified answers.txt and set CONFIG_NEUTRON_INSTALL to n. I keep things rather simple in my environment.

Next I installed OpenStack using packstack:

# packstack --answer-file=/root/answers.txt

Go grab a cup of coffee, it takes a while to download and configure all the necessary bits.

Assuming you are following along at home, at this point I’d take the time to confirm that things are indeed working by launching a nova instance.

You need to start by figuring out which interface you are going to talk over. One was picked for you by packstack, and that is probably the right one. I’m configuring a private cloud so I’m going to use the same name everywhere. If you are going to contact this over multiple interfaces you’ll need to look into getting a certificate with a Subject Alt Name, or take the lazy way out and get a wildcard cert.

In my case I’m doing a simple private cloud so I’m going to use the system FQDN, in my case set2client1.example.com. I use vftool to simplify setting up hosts for testing.

So first you need to ensure that the system hostname is the FQDN:

# hostname set2client1.example.com

Now get a certificate for this hostname from your favorite source. I enrolled the machine into my IPA infrastructure and used ipa-getcert. In my case I put the result into /etc/pki/tls/certs/keystone.crt and /etc/pki/tls/private/keystone.key respectively. Be sure to set the ownership to keystone:

# chown keystone /etc/pki/tls/certs/keystone.crt
# chown keystone /etc/pki/tls/private/keystone.key

Now we’re ready to begin securing things. This is the tricky part. We need to create a new endpoint for SSL, delete the old one, then restart and things should work (see BEWARE above).

First we find the current keystone endpoint:

# keystone endpoint-list|grep 5000

Next we create a new one, using our FQDN:

# keystone endpoint-create --publicurl https://set2client1.example.com:5000/v2.0 --internalurl https://set2client1.example.com:5000/v2.0 --adminurl https://set2client1.example.com:35357/v2.0 --service keystone

Delete the original endpoint:

# keystone endpoint-delete <endpoint-id>

Edit /etc/keystone/keystone.conf to add the SSL options. It should look like this:

[ssl]
enable = True
certfile = /etc/pki/tls/certs/keystone.crt
keyfile = /etc/pki/tls/private/keystone.key

Now restart the keystone service

# service openstack-keystone restart

Fix up the environment to match our new configuration:

# export OS_AUTH_URL=https://set2client1.example.com:35357/v2.0/
# export OS_CACERT=/path/to/ca.crt

And finally, test to be sure basic things work:

# keystone endpoint-list

Assuming that was successful we can move on to the other services. You can restart these individually afterwards but I just use openstack-service restart to restart the entire world after configuring all of the services.

Edit /etc/nova/nova.conf, it should look something like this:

[keystone_authtoken]
auth_protocol = https
auth_port = 35357
auth_host = set2client1.example.com
auth_uri = https://set2client1.example.com:5000/v2.0
cafile = /path/to/ca.crt

Edit /etc/glance/glance-api.conf to look like:

[keystone_authtoken]
auth_protocol = https
auth_port = 35357
auth_host = set2client1.example.com
auth_uri = https://set2client1.example.com:5000/v2.0
cafile = /path/to/ca.crt

Edit /etc/glance/glance-registry.conf to look like:

[keystone_authtoken]
auth_host=set2client1.example.com
auth_port=35357
auth_protocol=https
auth_uri=https://set2client1.example.com:5000/v2.0
cafile = /etc/ipa/ca.crt

Edit /etc/cinder/cinder.conf to look like:

[keystone_authtoken]
auth_host=set2client1.example.com
service_port=5000
auth_uri=https://set2client1.example.com:5000/v2.0
auth_port=35357
service_host=set2client1.example.com
service_protocol=https
auth_protocol=https
cafile=/etc/ipa/ca.crt

Edit /etc/cinder/api-paste.ini to look like:

[filter:authtoken]
auth_host=set2client1.example.com
service_port=5000
auth_uri=https://set2client1.example.com:5000/v2.0
auth_port=35357
service_host=set2client1.example.com
service_protocol=https
auth_protocol=https
cafile=/etc/ipa/ca.crt

Edit /etc/neutron/neutron.conf to look like this. Note that I installed without Neutron networking in my case, so this is quite untested, but it follows the pattern:

[keystone_authtoken]
auth_host = set2client1.example.com
auth_port = 35357
auth_protocol = https
auth_uri=https://set2client1.example.com:5000/v2.0
cafile=/etc/ipa/ca.crt

Edit /etc/neutron/api-paste.ini

[filter:authtoken]
auth_port=35357
auth_protocol=https
auth_uri=https://set2client1.example.com:5000/v2.0
auth_host=set2client1.example.com
cafile=/etc/ipa/ca.crt

Edit /etc/neutron/metadata_agent.ini

[DEFAULT]
auth_url = https://set2client1.example.com:35357/v2.0

Similarly I didn’t have anything stored in swift, but this should be correct. Edit /etc/swift/proxy-server.conf:

[filter:authtoken]
auth_host = set2client1.example.com
auth_port = 35357
auth_protocol = https
auth_uri = https://set2client1.example.com:5000/v2.0
cafile = /etc/ipa/ca.crt

And finally edit /etc/ceilometer/ceilometer.conf:

[service_credentials]
auth_host=set2client1.example.com
auth_port = 35357
auth_protocol=https
auth_uri=https://set2client1.example.com:5000/v2.0
cafile=/etc/ipa/ca.crt
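With this many files edited by hand it is easy to leave one service pointing at the old http endpoint, which only shows up after the restart. Here is an added example (Python, not code from the post or from OpenStack) that audits the authtoken sections above for an https auth_uri, https protocol keys and a cafile; the sample stanzas are constructed, the secured one mirroring the nova.conf stanza shown earlier.

```python
"""Audit the authtoken sections the post edits for consistent SSL settings.
Added example for this page, not code from the post or from OpenStack."""
import configparser
import os

# Sections the post edits to point each service at the secured Keystone.
AUTH_SECTIONS = ("keystone_authtoken", "filter:authtoken", "service_credentials")

def audit_ini_text(text: str, require_cafile_on_disk: bool = False) -> list:
    """Return findings for one config file's contents; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    sections = [s for s in cp.sections() if s in AUTH_SECTIONS]
    if not sections:
        return ["no authtoken/service_credentials section found"]
    for sec in sections:
        opts = cp[sec]
        # Every *_protocol key present must be https (cinder also carries service_protocol).
        for key in ("auth_protocol", "service_protocol"):
            if key in opts and opts[key].strip().lower() != "https":
                findings.append(f"[{sec}] {key} is {opts[key].strip()!r}, expected https")
        uri = opts.get("auth_uri", "").strip()
        if not uri.startswith("https://"):
            findings.append(f"[{sec}] auth_uri is not https: {uri!r}")
        cafile = opts.get("cafile", "").strip()
        if not cafile:
            findings.append(f"[{sec}] cafile not set; verification depends on the system bundle")
        elif require_cafile_on_disk and not os.path.isfile(cafile):
            findings.append(f"[{sec}] cafile not found on disk: {cafile}")
    return findings

def audit_files(paths) -> dict:
    """Audit real files on a host; unreadable files become a finding, not an exception."""
    results = {}
    for path in paths:
        try:
            with open(path) as fh:
                results[path] = audit_ini_text(fh.read(), require_cafile_on_disk=True)
        except OSError as exc:
            results[path] = [f"could not read: {exc}"]
    return results

# Constructed samples: a pre-conversion http stanza and the secured nova.conf stanza from the post.
INSECURE_NOVA_CONF = "[keystone_authtoken]\nauth_protocol = http\n" \
    "auth_host = set2client1.example.com\nauth_uri = http://set2client1.example.com:5000/v2.0\n"
SECURED_NOVA_CONF = "[keystone_authtoken]\nauth_protocol = https\nauth_port = 35357\n" \
    "auth_host = set2client1.example.com\nauth_uri = https://set2client1.example.com:5000/v2.0\n" \
    "cafile = /path/to/ca.crt\n"
```

Run audit_files over the paths listed above before the restart; metadata_agent.ini uses a [DEFAULT] auth_url instead and needs a separate eyeball.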

Now restart the world and test things out:

# openstack-service restart
# openstack-status

In case you are unfamiliar with it, openstack-status will show the status of the current running services and do a whole lot of connection testing for you.

That’s basically it. I fired off a new nova instance afterward to triple check, as that exercises all sorts of services.

Finally, reconfigure Horizon to use the secure Keystone endpoint

Edit /etc/openstack-dashboard/local_settings:

OPENSTACK_HOST = "set2client1.example.com"
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v2.0" % OPENSTACK_HOST

Restart Apache

# service httpd restart