默笙♥ 2019-05-03 08:35 采纳率: 0%
浏览 1181

Openstack完成Keystone证书加密的HTTPS服务提升?

Openstack完成Keystone证书加密的HTTPS服务提升?
在网上找到相关问题,但是尝试了一直没解决,求大神们帮忙

  • 写回答

1条回答 默认 最新

  • 「已注销」 2019-05-21 18:17
    关注

    keystone ssl

    1、安装 mod_ssl 模块

    yum install -y mod_ssl

    2、使用 keystone-manage ssl_setup 生成证书

    keystone-manage ssl_setup直接生成证书域名默认为localhost

    3、生成证书(使用keystone内置命令生成的证书也是调用了openssl命令生成证书)

    [root@controller ~]# keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone

    (keystone日志如下 commonName 为 localhost)

    [root@controller ~]# tailf /var/log/keystone/keystone.log
    2014-01-02 00:12:50.593 22821 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/cakey.pem 1024
    2014-01-02 00:12:50.631 22821 INFO keystone.common.openssl [-] Running command - openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem - out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
    2014-01-02 00:12:50.643 22821 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/keystonekey.pem 1024
    2014-01-02 00:12:50.667 22821 INFO keystone.common.openssl [-] Running command - openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
    2014-01-02 00:12:50.676 22821 INFO keystone.common.openssl [-] Running command - openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem - keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
    

    (若要修改域名为controller需要更新证书,修改信息可以在/etc/keystone/ssl/certs/index.txt查看)

    openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem - out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=controller
    openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=controller
    openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem - keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
    

    4、修改所属组、主

    chown -R keystone:keystone /etc/keystone/ssl/

    5、配置 keystone

    shell
    openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl enable True openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl certfile /etc/keystone/ssl/certs/keystone.pem
    openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl keyfile /etc/keystone/ssl/private/keystonekey.pem
    openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl ca_certs /etc/keystone/ssl/certs/ca.pem

    6、修改 wsgi

    [root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
    ......
    <VirtualHost *:5000>
    ......
    SSLEngine on
    SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem 
    SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem 
    SSLCACertificateFile /etc/keystone/ssl/certs/ca.pem 
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLVerifyClient none
    SSLVerifyDepth 10
    ...... </VirtualHost> ......
    
    

    7、删除原http端点并创建https端点(域名要和countryName 相同)

    export OS_URL=http://controller:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_TOKEN=690724e95b2f8061f6d8
    openstack service delete keystone
    openstack service create --name keystone --description "OpenStack Identity" identity
    openstack endpoint create --region RegionOne identity public https://localhost:5000/v3
    openstack endpoint create --region RegionOne identity internal https://localhost:5000/v3
    openstack endpoint create --region RegionOne identity admin https://localhost:35357/v3
    

    8、配置环境变量

     [root@controller ~]# cat > /etc/keystone/admin-openrc.sh <<EOF
     export OS_PROJECT_DOMAIN_NAME=demo
     export OS_USER_DOMAIN_NAME=demo
     export OS_PROJECT_NAME=admin
     export OS_USERNAME=admin
     export OS_PASSWORD=000000
     export OS_AUTH_URL=https://localhost:35357/v3
     export OS_IDENTITY_API_VERSION=3
     export OS_IMAGE_API_VERSION=2
     export OS_CACERT=/etc/keystone/ssl/certs/ca.pem
     EOF
    

    9、重启 httpd 服务

    systemctl restart httpd memcached

    10、测试

     [root@controller ~]# source /etc/keystone/admin-openrc.sh
     [root@controller ~]# openstack endpoint list --service keystone
     +----------------------------------+-----------+--------------+------------
    
     | 52e1e41c4f774dd1b9dfe9e87d11868a | RegionOne | keystone | identity | True
     | admin | https://localhost:35357/v3 |
     | 70a0f69a57784d708f69c0d466da0899 | RegionOne | keystone | identity | True
     | internal | https://localhost:5000/v3 |
     | af90d9434d4e453c8e771aa7908505c7 | RegionOne | keystone | identity | True
     | public | https://localhost:5000/v3 |
     +----------------------------------+-----------+--------------+------------
    

    其他更详细信息联系我

    官网

    https://docs.openstack.org/mitaka/admin-guide/keystone_certificates_for_pki.html

    评论

报告相同问题?

悬赏问题

  • ¥20 iqoo11 如何下载安装工程模式
  • ¥15 flask项目,怎么使用AJAX传数据库数据到echarts图表的data里,实现异步加载数据。
  • ¥15 本题的答案是不是有问题
  • ¥15 关于#r语言#的问题:(svydesign)为什么在一个大的数据集中抽取了一个小数据集
  • ¥15 C++使用Gunplot
  • ¥15 这个电路是如何实现路灯控制器的,原理是什么,怎么求解灯亮起后熄灭的时间如图?
  • ¥15 matlab数字图像处理频率域滤波
  • ¥15 在abaqus做了二维正交切削模型,给刀具添加了超声振动条件后输出切削力为什么比普通切削增大这么多
  • ¥15 ELGamal和paillier计算效率谁快?
  • ¥15 蓝桥杯单片机第十三届第一场,整点继电器吸合,5s后断开出现了问题