openstack/openstack-manuals
Code Issues Proposed changes
2eac6c64b8
openstack-manuals/doc/common/section_keystone-ssl-config.xml
Diane Fleming 64b6c9261e Folder rename, file rename, flattening of directories 
Current folder name	New folder name	        Book title
----------------------------------------------------------
basic-install 	        DELETE
cli-guide	        DELETE
common	                common
NEW	                admin-guide-cloud	Cloud Administrators Guide
docbkx-example	        DELETE
openstack-block-storage-admin 	DELETE
openstack-compute-admin 	DELETE
openstack-config 	config-reference	OpenStack Configuration Reference
openstack-ha 	        high-availability-guide	OpenStack High Availabilty Guide
openstack-image	        image-guide	OpenStack Virtual Machine Image Guide
openstack-install 	install-guide	OpenStack Installation Guide
openstack-network-connectivity-admin 	admin-guide-network 	OpenStack Networking Administration Guide
openstack-object-storage-admin 	DELETE
openstack-security 	security-guide	OpenStack Security Guide
openstack-training 	training-guide	OpenStack Training Guide
openstack-user 	        user-guide	OpenStack End User Guide
openstack-user-admin 	user-guide-admin	OpenStack Admin User Guide
glossary	        NEW        	OpenStack Glossary

bug: #1220407

Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7
author: diane fleming
2013-09-08 15:15:50 -07:00

101 lines
4.1 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-ssl-config">
<title>Configure the Identity Service with SSL</title>
<para>You can configure the Identity Service to support 2-way
SSL.</para>
<para>You must obtain the x509 certificates externally and
configure them.</para>
<para>The Identity Service provides a set of sample certificates
in the <filename class="directory"
>examples/pki/certs</filename> and <filename
class="directory">examples/pki/private</filename>
directories:</para>
<variablelist><title>Certificate types</title>
<varlistentry>
<term>cacert.pem
</term>
<listitem>
<para>Certificate Authority chain to validate against.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ssl_cert.pem
</term>
<listitem>
<para>Public certificate for Identity Service
server.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>middleware.pem
</term>
<listitem>
<para>Public and private certificate for
Identity Service middleware/client.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>cakey.pem
</term>
<listitem>
<para>Private key for the CA.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ssl_key.pem
</term>
<listitem>
<para>Private key for the Identity Service
server.</para>
</listitem>
</varlistentry>
</variablelist>
<note><para>You can choose names for
these certificates. You can also combine the public/private keys in the
same file, if you wish. These certificates are provided as
an example.</para></note>
<section xml:id="ssl-configuration">
<title>SSL configuration</title>
<para>To enable SSL with client authentication, modify the
<literal>[ssl]</literal> section in the
<filename>etc/keystone.conf</filename> file. The
following SSL configuration example uses the included
sample certificates:</para>
<screen><computeroutput>[ssl]
enable = True
certfile = &lt;path to keystone.pem&gt;
keyfile = &lt;path to keystonekey.pem&gt;
ca_certs = &lt;path to ca.pem&gt;
cert_required = True</computeroutput></screen>
<itemizedlist><title>Options</title>
<listitem>
<para><literal>enable</literal>. True enables SSL.
Default is False.</para>
</listitem>
<listitem>
<para><literal>certfile</literal>. Path to the Identity
Service public certificate file.</para>
</listitem>
<listitem>
<para><literal>keyfile</literal>. Path to the
Identity Service private certificate file. If you
include the private key in the certfile, you can
omit the keyfile.</para>
</listitem>
<listitem>
<para><literal>ca_certs</literal>. Path to the CA trust chain.
</para>
</listitem>
<listitem>
<para><literal>cert_required</literal>. Requires
client certificate. Default is False.</para>
</listitem>
</itemizedlist>
</section>
</section>
View Git Blame Copy Permalink