1. Generating Self-Signed Certificates

  • Enable SSL by typing this command: sudo a2enmod ssl
  • Enabling SSL requires the apache2 service to be restarted, so restart Apache with this command: service apache2 restart
  • Create a directory for the self-signed certificate: sudo mkdir -p /etc/ssl
  • Generate the self-signed certificate with the command below:
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/client.key -out /etc/ssl/client.crt

             The above command generates the client.key and client.crt files.

  • Convert the generated files into PEM format with the following commands:

             cat client.key > /etc/ssl/client-key.pem

             cat client.crt > /etc/ssl/client-cert.pem

  • Combine client-key.pem and client-cert.pem with this command: cat client-key.pem client-cert.pem > client.pem
  • client-key.pem is the key file and client.pem is the certificate file for the self-signed certificate.
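The certificate steps above, as an added example that is not part of the original post: it generates the certificate non-interactively with a Subject Alternative Name (the post's command prompts for the subject and sets no SAN), builds the same client-key.pem / client.pem layout, and then checks the bundle before it is referenced from keystone.conf or the Glance configs. It assumes the openssl CLI (1.1.1 or newer, for -addext) is installed; the host name "controller" and the output directory are parameters.

```sh
#!/bin/sh
# Added example, not from the original post. Generates the self-signed
# certificate with a SAN, builds the post's client-key.pem / client.pem layout,
# then checks the bundle. Assumes openssl 1.1.1+ is installed.

# make_selfsigned HOST OUT_DIR [DAYS] -- HOST is the name clients connect to
# (e.g. controller); OUT_DIR is /etc/ssl in the post, any directory here.
make_selfsigned() {
    host="$1"
    out="$2"
    days="${3:-365}"
    mkdir -p "$out" || return 1
    # -subj skips the interactive prompt; -addext puts HOST in the SAN, which
    # TLS clients check in preference to the CN.
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$out/client.key" -out "$out/client.crt" 2>/dev/null || return 1
    cat "$out/client.key" > "$out/client-key.pem"
    cat "$out/client.crt" > "$out/client-cert.pem"
    cat "$out/client-key.pem" "$out/client-cert.pem" > "$out/client.pem"
    # These files contain the private key: owner-readable only.
    chmod 600 "$out/client.key" "$out/client-key.pem" "$out/client.pem"
}

# check_bundle HOST OUT_DIR -- returns 0 only if the key in client-key.pem and
# the certificate in client.pem belong together, the certificate verifies
# against itself (self-signed), it has not expired, and its SAN names HOST.
check_bundle() {
    host="$1"
    out="$2"
    key_mod=$(openssl rsa -in "$out/client-key.pem" -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$out/client.pem" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 1
    openssl verify -CAfile "$out/client-cert.pem" "$out/client-cert.pem" >/dev/null 2>&1 || return 1
    # -checkend 0 fails once the notAfter date has passed.
    openssl x509 -in "$out/client-cert.pem" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/client-cert.pem" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# On the controller: make_selfsigned controller /etc/ssl && check_bundle controller /etc/ssl
```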
     

2. Configuring SSL in /etc/apache2/sites-available/defaultssl.conf

3. Configuring the Self-Signed Certificate for the Keystone API Service endpoints

  • The keystone.conf file in /etc/apache2/sites-available/ is used to configure the self-signed certificate for this endpoint.
  • Add client.pem and client-key.pem in <VirtualHost *:5000> and <VirtualHost *:35357>:

             Public endpoint: 5000

             Admin endpoint: 35357

  • Now the self-signed certificate configuration for the keystone service API endpoints is done.
  • After this, change the keystone endpoint URL from http to https in the admin-openrc and demo-openrc files. Then either change the endpoint URLs from http to https in the database or recreate the endpoints with https URLs, populate the keystone database with this command: su -s /bin/sh -c "keystone-manage db_sync" keystone, and restart the apache2 service.
  • Check the service by issuing this command: openstack token issue --insecure

Note: --insecure must be added to these commands to skip verification of the self-signed certificate.

4. Configuring the Self-Signed Certificate for the Glance API Service endpoints

  • Update /etc/glance/glance-api.conf

             [DEFAULT]
             cert_file = /etc/ssl/client.pem
             key_file = /etc/ssl/client-key.pem

             [keystone_authtoken]
             auth_uri = https://controller:5000
             auth_url = https://controller:35357
             certfile = /etc/ssl/client.pem
             keyfile = /etc/ssl/client-key.pem
             insecure = true

  • Update /etc/glance/glance-registry.conf

             [DEFAULT]
             cert_file = /etc/ssl/client.pem
             key_file = /etc/ssl/client-key.pem

             [keystone_authtoken]
             auth_uri = https://controller:5000
             auth_url = https://controller:35357
             certfile = /etc/ssl/client.pem
             keyfile = /etc/ssl/client-key.pem
             insecure = true

  • After this, either change the endpoint URLs from http to https in the database or recreate the endpoints with https URLs. Then populate the keystone database with this command: su -s /bin/sh -c "keystone-manage db_sync" keystone, and restart the glance-api and glance-registry services.
  • Check this configuration by issuing this command: openstack image list --insecure. After issuing this command the glance images will be listed.

We will see about configuring self-signed SSL for Nova (Compute Service) and Neutron (Networking Service) in the next post.
