bc7a9f0da7
Partial-Bug: #1250515 backport: havana Change-Id: I9675dffd130c8aa6343143d9806adb4e0b74a55d author: diane fleming
99 lines
3.7 KiB
XML
99 lines
3.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="keystone-ssl-config">
|
|
<title>Configure the Identity Service with SSL</title>
|
|
<para>You can configure the Identity Service to support two-way
|
|
SSL.</para>
|
|
<para>You must obtain the x509 certificates externally and
|
|
configure them.</para>
|
|
<para>The Identity Service provides a set of sample certificates
|
|
in the <filename class="directory"
|
|
>examples/pki/certs</filename> and <filename
|
|
class="directory">examples/pki/private</filename>
|
|
directories:</para>
|
|
<variablelist>
|
|
<title>Certificate types</title>
|
|
<varlistentry>
|
|
<term>cacert.pem </term>
|
|
<listitem>
|
|
<para>Certificate Authority chain to validate
|
|
against.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>ssl_cert.pem </term>
|
|
<listitem>
|
|
<para>Public certificate for Identity Service
|
|
server.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>middleware.pem </term>
|
|
<listitem>
|
|
<para>Public and private certificate for Identity
|
|
Service middleware/client.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>cakey.pem </term>
|
|
<listitem>
|
|
<para>Private key for the CA.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>ssl_key.pem </term>
|
|
<listitem>
|
|
<para>Private key for the Identity Service
|
|
server.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<note>
|
|
<para>You can choose names for these certificates. You can
|
|
also combine the public/private keys in the same file, if
|
|
you wish. These certificates are provided as an
|
|
example.</para>
|
|
</note>
|
|
<section xml:id="ssl-configuration">
|
|
<title>SSL configuration</title>
|
|
<para>To enable SSL with client authentication, modify the
|
|
<literal>[ssl]</literal> section in the
|
|
<filename>etc/keystone.conf</filename> file. The
|
|
following SSL configuration example uses the included
|
|
sample certificates:</para>
|
|
<programlisting language="ini">[ssl]
|
|
enable = True
|
|
certfile = <path to keystone.pem>
|
|
keyfile = <path to keystonekey.pem>
|
|
ca_certs = <path to ca.pem>
|
|
cert_required = True</programlisting>
|
|
<itemizedlist>
|
|
<title>Options</title>
|
|
<listitem>
|
|
<para><literal>enable</literal>. True enables SSL.
|
|
Default is False.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><literal>certfile</literal>. Path to the
|
|
Identity Service public certificate file.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><literal>keyfile</literal>. Path to the Identity
|
|
Service private certificate file. If you include
|
|
the private key in the certfile, you can omit the
|
|
keyfile.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><literal>ca_certs</literal>. Path to the CA
|
|
trust chain.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><literal>cert_required</literal>. Requires
|
|
client certificate. Default is False.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|