openstack-manuals/doc/common/section_keystone-ssl-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<section
    xmlns="http://docbook.org/ns/docbook"
    xmlns:xi="http://www.w3.org/2001/XInclude"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    version="5.0"
    xml:id="keystone-ssl-config">
        <title>Configure the Identity Service with SSL</title>
        <para>You can configure the Identity Service to support 2-way
        SSL.</para>
    <para>You must obtain the x509 certificates externally and
        configure them.</para>
    <para>The Identity Service provides a set of sample certificates
        in the <filename class="directory"
            >examples/pki/certs</filename> and <filename
            class="directory">examples/pki/private</filename>
        directories:</para>
            <variablelist><title>Certificate types</title>
                <varlistentry>
                    <term>cacert.pem
                    </term>
                    <listitem>
                        <para>Certificate Authority chain to validate against.</para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>ssl_cert.pem
                    </term>
                    <listitem>
                        <para>Public certificate for Identity Service
                        server.</para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>middleware.pem
                    </term>
                    <listitem>
                        <para>Public and private certificate for
                        Identity Service middleware/client.</para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>cakey.pem
                    </term>
                    <listitem>
                        <para>Private key for the CA.</para>
                    </listitem>
                </varlistentry>
                <varlistentry>
                    <term>ssl_key.pem
                    </term>
                    <listitem>
                        <para>Private key for the Identity Service
                        server.</para>
                    </listitem>
                </varlistentry>
            </variablelist>
           <note><para>You can choose names for
        these certificates. You can also combine the public/private keys in the
        same file, if you wish. These certificates are provided as
        an example.</para></note>
    <section xml:id="ssl-configuration">
        <title>SSL configuration</title>
        <para>To enable SSL with client authentication, modify the
                <literal>[ssl]</literal> section in the
                <filename>etc/keystone.conf</filename> file. The
            following SSL configuration example uses the included
            sample certificates:</para>
            <programlisting language="ini">[ssl]
enable = True
certfile = &lt;path to keystone.pem&gt;
keyfile = &lt;path to keystonekey.pem&gt;
ca_certs = &lt;path to ca.pem&gt;
cert_required = True</programlisting>
        <itemizedlist><title>Options</title>
            <listitem>
                <para><literal>enable</literal>. True enables SSL.
                    Default is False.</para>
                </listitem>
                <listitem>
                    <para><literal>certfile</literal>. Path to the Identity
                    Service public certificate file.</para>
                </listitem>
                <listitem>
                    <para><literal>keyfile</literal>. Path to the
                    Identity Service private certificate file. If you
                    include the private key in the certfile, you can
                    omit the keyfile.</para>
                </listitem>
                <listitem>
                    <para><literal>ca_certs</literal>. Path to the CA trust chain.
                    </para>
                </listitem>
                <listitem>
                    <para><literal>cert_required</literal>. Requires
                    client certificate. Default is False.</para>
                </listitem>
            </itemizedlist>
        </section>
    </section>