OpenStack: upgrading Keystone to a certificate-encrypted HTTPS service?
I found related questions online, but what I tried never worked; could someone help?
1 answer
「已注销」 (deactivated account) 2019-05-21 18:17
keystone ssl
1. Install the mod_ssl module
```shell
yum install -y mod_ssl
```
2. Generate the certificates with keystone-manage ssl_setup
```shell
keystone-manage ssl_setup
```
The certificate generated this way has the default domain name localhost.
3. Generate the certificates (the certificates produced by Keystone's built-in command are also generated by calling openssl)
```shell
[root@controller ~]# keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone
```
(The keystone log is as follows; the commonName is localhost)
```
[root@controller ~]# tailf /var/log/keystone/keystone.log
2014-01-02 00:12:50.593 22821 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/cakey.pem 1024
2014-01-02 00:12:50.631 22821 INFO keystone.common.openssl [-] Running command - openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
2014-01-02 00:12:50.643 22821 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/keystonekey.pem 1024
2014-01-02 00:12:50.667 22821 INFO keystone.common.openssl [-] Running command - openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
2014-01-02 00:12:50.676 22821 INFO keystone.common.openssl [-] Running command - openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
```
(If you want to change the domain name to controller, the certificates must be regenerated; the issued-certificate records can be viewed in /etc/keystone/ssl/certs/index.txt)
```shell
# Re-issue the CA certificate, the CSR and the signed server certificate with CN=controller
openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem \
  -out /etc/keystone/ssl/certs/ca.pem -days 3650 \
  -config /etc/keystone/ssl/certs/openssl.conf \
  -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=controller
openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new \
  -out /etc/keystone/ssl/certs/req.pem \
  -config /etc/keystone/ssl/certs/openssl.conf \
  -subj /C=US/ST=Unset/L=Unset/O=Unset/CN=controller
# -days takes a plain integer; the "3650d" copied from the keystone log is rejected by newer OpenSSL releases
openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem \
  -config /etc/keystone/ssl/certs/openssl.conf -days 3650 \
  -cert /etc/keystone/ssl/certs/ca.pem \
  -keyfile /etc/keystone/ssl/private/cakey.pem \
  -infiles /etc/keystone/ssl/certs/req.pem
```
4. Change the owner and group
```shell
chown -R keystone:keystone /etc/keystone/ssl/
```
5. Configure keystone
```shell
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl enable True
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl certfile /etc/keystone/ssl/certs/keystone.pem
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl keyfile /etc/keystone/ssl/private/keystonekey.pem
openstack-config --set /etc/keystone/keystone.conf eventlet_server_ssl ca_certs /etc/keystone/ssl/certs/ca.pem
```
6. Modify the wsgi config
```
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
......
<VirtualHost *:5000>
    ......
    SSLEngine on
    SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
    SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
    SSLCACertificateFile /etc/keystone/ssl/certs/ca.pem
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLVerifyClient none
    SSLVerifyDepth 10
    ......
</VirtualHost>
......
```
7. Delete the original http endpoints and create https endpoints (the domain name must be the same as the countryName)
```shell
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_TOKEN=690724e95b2f8061f6d8
openstack service delete keystone
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne identity public https://localhost:5000/v3
openstack endpoint create --region RegionOne identity internal https://localhost:5000/v3
openstack endpoint create --region RegionOne identity admin https://localhost:35357/v3
```
8. Configure the environment variables
```shell
[root@controller ~]# cat > /etc/keystone/admin-openrc.sh <<EOF
export OS_PROJECT_DOMAIN_NAME=demo
export OS_USER_DOMAIN_NAME=demo
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=https://localhost:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export OS_CACERT=/etc/keystone/ssl/certs/ca.pem
EOF
```
9. Restart the httpd service
```shell
systemctl restart httpd memcached
```
10. Test
```shell
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack endpoint list --service keystone
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 52e1e41c4f774dd1b9dfe9e87d11868a | RegionOne | keystone     | identity     | True    | admin     | https://localhost:35357/v3 |
| 70a0f69a57784d708f69c0d466da0899 | RegionOne | keystone     | identity     | True    | internal  | https://localhost:5000/v3  |
| af90d9434d4e453c8e771aa7908505c7 | RegionOne | keystone     | identity     | True    | public    | https://localhost:5000/v3  |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
```
Contact me for more details.
Official documentation:
https://docs.openstack.org/mitaka/admin-guide/keystone_certificates_for_pki.html
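The answer above walks through one procedure: issue a CA and a server certificate, point httpd at them, and register https endpoints whose hostname must match the certificate's CN. The script below is an added example, not the answerer's code and not part of Keystone; it reproduces the same file layout as keystone-manage ssl_setup (private/cakey.pem, certs/ca.pem, private/keystonekey.pem, certs/req.pem, certs/keystone.pem) for the hostname the endpoints actually use, then verifies the chain and checks each endpoint URL against the certificate CN before anything is restarted. It assumes openssl is installed, that the hostname is `controller` as in the answer, and that the target directory is writable (a temp dir when trying it out, /etc/keystone/ssl on a real controller). It deliberately goes beyond the answer's commands by using 2048-bit keys instead of 1024-bit, a CA name distinct from the server name, and a subjectAltName on the server certificate, since modern clients ignore the CN when matching the hostname.

```shell
#!/bin/sh
# Added example (not from the answer above): regenerate Keystone's CA and
# server certificate for the hostname the endpoints use, verify the chain,
# and check that each endpoint URL's host matches the certificate's CN.
# Assumes openssl is on PATH and the target directory is writable.
set -eu

# Minimal openssl config: CA extensions for the self-signed root, server
# extensions (with a SAN for the host) for the Keystone certificate.
write_openssl_cnf() {
  host="$1"; out="$2"
  cat > "$out" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
}

# Same file layout as keystone-manage ssl_setup, but 2048-bit keys,
# a distinct CA name, and a SAN on the server certificate.
gen_keystone_certs() {
  host="$1"; dir="$2"
  mkdir -p "$dir/private" "$dir/certs"
  chmod 700 "$dir/private"
  write_openssl_cnf "$host" "$dir/openssl.cnf"
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -extensions v3_ca -config "$dir/openssl.cnf" \
    -key "$dir/private/cakey.pem" -out "$dir/certs/ca.pem" -days 3650 \
    -subj "/C=US/ST=Unset/L=Unset/O=Unset/CN=keystone-ca" 2>/dev/null
  openssl genrsa -out "$dir/private/keystonekey.pem" 2048 2>/dev/null
  openssl req -new -config "$dir/openssl.cnf" \
    -key "$dir/private/keystonekey.pem" -out "$dir/certs/req.pem" \
    -subj "/C=US/ST=Unset/L=Unset/O=Unset/CN=$host" 2>/dev/null
  openssl x509 -req -in "$dir/certs/req.pem" -CA "$dir/certs/ca.pem" \
    -CAkey "$dir/private/cakey.pem" -CAcreateserial -days 3650 \
    -extfile "$dir/openssl.cnf" -extensions v3_server \
    -out "$dir/certs/keystone.pem" 2>/dev/null
}

# CN of a certificate's subject. RFC2253 output puts CN first on every
# OpenSSL release, so one sed expression covers 1.0.x, 1.1.x and 3.x.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Returns 0 if certs/keystone.pem chains to certs/ca.pem.
verify_chain() {
  openssl verify -CAfile "$1/certs/ca.pem" "$1/certs/keystone.pem" >/dev/null 2>&1
}

# Host part of an endpoint URL such as https://controller:5000/v3
endpoint_host() {
  printf '%s\n' "$1" | sed -n 's#^[a-z]*://\([^:/]*\).*#\1#p'
}

# Returns 0 when the endpoint host equals the certificate CN. This is the
# check that fails when the endpoints say localhost but the cert says controller.
endpoint_matches_cert() {
  [ "$(endpoint_host "$1")" = "$(cert_cn "$2")" ]
}

# Usage: sh keystone_tls.sh controller [/etc/keystone/ssl]
if [ "$#" -ge 1 ]; then
  host="$1"; dir="${2:-$(mktemp -d)}"
  gen_keystone_certs "$host" "$dir"
  verify_chain "$dir" && echo "chain OK, CN=$(cert_cn "$dir/certs/keystone.pem") in $dir"
  for url in "https://$host:5000/v3" "https://$host:35357/v3"; do
    endpoint_matches_cert "$url" "$dir/certs/keystone.pem" && echo "$url matches certificate"
  done
fi
```

Run it with a temp dir first; only once `verify_chain` passes and every endpoint URL matches should the files be copied under /etc/keystone/ssl, chowned to keystone as in step 4, and httpd restarted. With OS_CACERT set as in step 8, python-openstackclient verifies the server against ca.pem, so a CN/SAN that does not match the endpoint hostname shows up there as a certificate verification failure rather than a working login.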