  
 

 Configure the Identity Service with SSL

You can configure the Identity Service to support two-way SSL.

You must obtain the X.509 certificates externally and configure them.

The Identity Service provides a set of sample certificates in the examples/pki/certs and examples/pki/private directories:

Certificate types

  • cacert.pem. Certificate Authority chain to validate against.

  • ssl_cert.pem. Public certificate for Identity Service server.

  • middleware.pem. Public and private certificate for Identity Service middleware/client.

  • cakey.pem. Private key for the CA.

  • ssl_key.pem. Private key for the Identity Service server.

Note

You can choose names for these certificates. You can also combine the public/private keys in the same file, if you wish. These certificates are provided as an example.

 SSL configuration

To enable SSL with client authentication, modify the [ssl] section in the etc/keystone.conf file. The following SSL configuration example uses the included sample certificates:

[ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystonekey.pem>
ca_certs = <path to ca.pem>
cert_required = True

Options

  • enable. True enables SSL. Default is False.

  • certfile. Path to the Identity Service public certificate file.

  • keyfile. Path to the Identity Service private key file. If you include the private key in the certfile, you can omit the keyfile.

  • ca_certs. Path to the CA trust chain.

  • cert_required. Requires client certificate. Default is False.
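The following check is an added example, not part of the Identity Service or its documentation. It audits the [ssl] section against the options above: the two defaults that leave two-way SSL off, and the rule that keyfile can be omitted only when certfile also holds the private key. Assumptions: Python's configparser stands in for the service's own option loader, audit_ssl and demo are hypothetical names, the file-permission check is an extra hardening check, and the PEM files are constructed placeholders, not real keys.

```python
import configparser, os, stat, tempfile

def holds_private_key(path):
    """True if the file carries a PEM private-key block."""
    with open(path, "rb") as fh:
        return b"PRIVATE KEY-----" in fh.read()

def audit_ssl(conf_text):
    """Return findings for the [ssl] section of keystone.conf text ([] = OK)."""
    # Assumption: configparser stands in for Keystone's own option loader.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("ssl"):
        cp.add_section("ssl")
    ssl, out = cp["ssl"], []
    if not ssl.getboolean("enable", fallback=False):
        out.append("enable is not True: SSL is off (default is False)")
    if not ssl.getboolean("cert_required", fallback=False):
        out.append("cert_required is not True: client certificate not required")
    for opt in ("certfile", "ca_certs"):
        if not os.path.isfile(ssl.get(opt, "")):
            out.append(f"{opt}: not set or not a file")
    # keyfile may be omitted only when certfile also holds the private key.
    # The owner-only permission test is an added check, not from the page.
    key_path = ssl.get("keyfile") or ssl.get("certfile", "")
    if not os.path.isfile(key_path) or not holds_private_key(key_path):
        out.append(f"no private key in {key_path or 'keyfile/certfile'}")
    elif stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        out.append(f"{key_path}: private key accessible by group/other")
    return out

def demo():
    """Audit constructed placeholder files (markers only, not real keys)."""
    d = tempfile.mkdtemp()
    def put(name, body, mode):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        return path
    cert = put("keystone.pem", "-----BEGIN CERTIFICATE-----\n", 0o644)
    key = put("keystonekey.pem", "-----BEGIN PRIVATE KEY-----\n", 0o644)
    ca = put("ca.pem", "-----BEGIN CERTIFICATE-----\n", 0o644)
    conf = f"[ssl]\nenable = True\ncertfile = {cert}\nkeyfile = {key}\nca_certs = {ca}\n"
    weak = audit_ssl(conf)              # cert_required left at its default
    os.chmod(key, 0o600)
    return weak, audit_ssl(conf + "cert_required = True\n")

if __name__ == "__main__":
    print(demo())
```

An empty list means the section enables SSL, requires client certificates, and points at files that exist. The check does not validate the certificates themselves or that they chain to the CA.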
