默笙♥ 2019-05-03 08:35 Acceptance rate: 0%
Views 1181

How do I upgrade Keystone in OpenStack to a certificate-encrypted HTTPS service?

I found related questions online, but what I tried never solved it. Asking the experts for help.


1 answer

  • 「已注销」 2019-05-21 18:17

    keystone ssl

    1. Install the mod_ssl module

    yum install -y mod_ssl

    2. Generate certificates with keystone-manage ssl_setup

    keystone-manage ssl_setup generates the certificates directly; the domain name defaults to localhost.

    3. Generate the certificates (the certificates generated by Keystone's built-in command are also produced by calling the openssl command)

    [root@controller ~]# keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone

    (Keystone log below; the commonName is localhost)

    [root@controller ~]# tailf /var/log/keystone/keystone.log
    2014-01-02 00:12:50.593 22821 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/cakey.pem 1024
    2014-01-02 00:12:50.631 22821 INFO keystone.common.openssl [-] Running command - openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
    2014-01-02 00:12:50.643 22821 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/keystonekey.pem 1024
    2014-01-02 00:12:50.667 22821 INFO keystone.common.openssl [-] Running command - openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
    2014-01-02 00:12:50.676 22821 INFO keystone.common.openssl [-] Running command - openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
    

    (To change the domain name to controller, the certificates must be reissued; the changed records can be seen in /etc/keystone/ssl/certs/index.txt)

    # Reissue the CA certificate, the CSR and the server certificate with CN=controller
    openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=controller
    openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=controller
    openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650 -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
    

    4. Change the owner and group

    chown -R keystone:keystone /etc/keystone/ssl/

    5. Configure Keystone

    openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl enable True
    openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl certfile /etc/keystone/ssl/certs/keystone.pem
    openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl keyfile /etc/keystone/ssl/private/keystonekey.pem
    openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl ca_certs /etc/keystone/ssl/certs/ca.pem

    6. Modify the wsgi configuration

    [root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
    ......
    <VirtualHost *:5000>
    ......
    SSLEngine on
    SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
    SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
    SSLCACertificateFile /etc/keystone/ssl/certs/ca.pem
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLVerifyClient none
    SSLVerifyDepth 10
    ......
    </VirtualHost>
    ......
    
    

    7. Delete the original http endpoints and create https endpoints (the domain name must be the same as the countryName)

    export OS_URL=http://controller:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_TOKEN=690724e95b2f8061f6d8
    openstack service delete keystone
    openstack service create --name keystone --description "OpenStack Identity" identity
    openstack endpoint create --region RegionOne identity public https://localhost:5000/v3
    openstack endpoint create --region RegionOne identity internal https://localhost:5000/v3
    openstack endpoint create --region RegionOne identity admin https://localhost:35357/v3
    

    8. Configure the environment variables

     [root@controller ~]# cat > /etc/keystone/admin-openrc.sh <<EOF
     export OS_PROJECT_DOMAIN_NAME=demo
     export OS_USER_DOMAIN_NAME=demo
     export OS_PROJECT_NAME=admin
     export OS_USERNAME=admin
     export OS_PASSWORD=000000
     export OS_AUTH_URL=https://localhost:35357/v3
     export OS_IDENTITY_API_VERSION=3
     export OS_IMAGE_API_VERSION=2
     export OS_CACERT=/etc/keystone/ssl/certs/ca.pem
     EOF
    

    9. Restart the httpd service

    systemctl restart httpd memcached

    10. Test

     [root@controller ~]# source /etc/keystone/admin-openrc.sh
     [root@controller ~]# openstack endpoint list --service keystone
     +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
     | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
     +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
     | 52e1e41c4f774dd1b9dfe9e87d11868a | RegionOne | keystone     | identity     | True    | admin     | https://localhost:35357/v3 |
     | 70a0f69a57784d708f69c0d466da0899 | RegionOne | keystone     | identity     | True    | internal  | https://localhost:5000/v3  |
     | af90d9434d4e453c8e771aa7908505c7 | RegionOne | keystone     | identity     | True    | public    | https://localhost:5000/v3  |
     +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
    

    Contact me for more details.

    Official documentation

    https://docs.openstack.org/mitaka/admin-guide/keystone_certificates_for_pki.html

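The answer above hinges on one detail: the certificate's name must match the hostname in the Keystone endpoint URLs, which is why the default CN=localhost certificates only work with https://localhost:... endpoints. The following script is an added example, not part of the original answer and not Keystone's own ssl_setup code. It assumes `openssl` is on PATH and takes the endpoint hostname as a parameter (the answer's "controller"). It reproduces the CA/CSR/sign flow from the log above with a minimal openssl config of its own, but issues 2048-bit keys instead of the 1024-bit keys in the log, also pins the hostname in subjectAltName (current TLS clients ignore CN alone), and then runs the same chain-plus-hostname check that an OpenStack client with OS_CACERT performs, so a CN/endpoint mismatch is caught before any service is restarted.

```shell
#!/bin/sh
# Added example (not from the original answer or from Keystone): issue a CA and a
# Keystone server certificate bound to the endpoint hostname, then verify it the
# way a client with OS_CACERT would. Assumes 'openssl' is on PATH.

# make_keystone_certs DIR HOSTNAME
#   Writes DIR/private/{cakey,keystonekey}.pem and DIR/certs/{ca,req,keystone}.pem
make_keystone_certs() {
    dir=$1; host=$2
    mkdir -p "$dir/certs" "$dir/private"
    chmod 700 "$dir/private"

    # Minimal openssl config (an assumption, not Keystone's openssl.conf):
    # a CA section and a server section that puts the endpoint hostname in SAN.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # CA key and self-signed CA certificate (same shape as the log's first two
    # commands, but 2048-bit instead of 1024-bit).
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/private/cakey.pem" \
        -out "$dir/certs/ca.pem" -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=US/ST=Unset/L=Unset/O=Unset/CN=Keystone Test CA"

    # Server key, CSR with CN=<host>, then sign it with the CA and the server
    # extensions (x509 -req is used here instead of the 'openssl ca' database).
    openssl genrsa -out "$dir/private/keystonekey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/private/keystonekey.pem" \
        -out "$dir/certs/req.pem" -config "$dir/openssl.cnf" \
        -subj "/C=US/ST=Unset/L=Unset/O=Unset/CN=$host"
    openssl x509 -req -days 825 -in "$dir/certs/req.pem" \
        -CA "$dir/certs/ca.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/certs/keystone.pem" 2>/dev/null
}

# check_endpoint_cert DIR HOSTNAME
#   Returns 0 only if keystone.pem chains to ca.pem AND is valid for HOSTNAME.
#   This is the check that fails when the endpoints say https://controller:5000
#   but the certificate was issued for CN=localhost.
check_endpoint_cert() {
    openssl verify -CAfile "$1/certs/ca.pem" -verify_hostname "$2" \
        "$1/certs/keystone.pem" >/dev/null 2>&1
}

# Stand-alone demo: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_keystone_certs "$d" controller
    check_endpoint_cert "$d" controller && echo "controller: certificate OK"
    check_endpoint_cert "$d" localhost || echo "localhost: hostname mismatch (expected)"
    echo "certificates written under $d"
fi
```

Run it with `sh script.sh run`; the generated files map onto the answer's paths (`cakey.pem`, `keystonekey.pem`, `ca.pem`, `keystone.pem`) and can be dropped into `/etc/keystone/ssl/` before step 4. The second check deliberately fails, which is exactly the symptom you get with the default ssl_setup certificates once the endpoints are created for a hostname other than localhost.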
