Setting up Secure Sockets Layer (SSL) access provides secure access between the client and our OpenStack Object Storage environment in exactly the same way SSL provides secure access to any other web service. To do this, we configure our proxy server with SSL certificates.
Ensure that you are logged in to the swift-proxy node and have the packages installed and configured for running Swift. If you created this node with vagrant, you can execute the following command:
vagrant ssh swift-proxy
Configuration of OpenStack Object Storage to secure communication between the client and the proxy server is done as follows:
First, create a self-signed certificate and private key in /etc/swift:
cd /etc/swift
sudo openssl req -new -x509 -nodes -out cert.crt -keyout cert.key
The command prompts for the certificate fields. The -nodes option leaves the private key unencrypted so that the proxy can start without a passphrase, so restrict the key file's permissions to root only. Note also that openssl req -x509 issues a certificate valid for just 30 days unless a -days value is given.
Next, edit the /etc/swift/proxy-server.conf file and set the following in its [DEFAULT] section, as shown here:
bind_port = 443
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
Restart the proxy server with the swift-init command to pick up the change:
sudo swift-init proxy-server restart
Now update the Swift endpoint registered in Keystone so that clients are directed to the HTTPS address. Set the environment variables used by the keystone client (these point at the Keystone admin endpoint and the CA certificate it presents):
export ENDPOINT=192.168.100.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=https://${ENDPOINT}:35357/v2.0
export OS_KEY=/vagrant/cakey.pem
export OS_CACERT=/vagrant/ca.pem
List the endpoints to find the ID of the existing Swift endpoint:
keystone endpoint-list
This returns a table of endpoints. Locate the row for the Swift (object-store) service and note its ID, as it is needed in the next step.
Delete the existing Swift endpoint using the ID you noted (the ID shown here is the one from our environment):
keystone endpoint-delete bd46a06576a3489ba9f9a8a7eaa2b2bd
Then create the replacement endpoint, specifying https and port 443. $SWIFT_SERVICE_ID holds the ID of the object-store service (available from keystone service-list). The tenant placeholder is the Keystone template %(tenant_id)s; writing it as $(tenant_id)s would make the shell try to run a command named tenant_id and leave the URL broken:
PUBLIC_URL="https://192.168.100.209:443/v1/AUTH_%(tenant_id)s"
ADMIN_URL="https://172.16.0.209:443/v1"
INTERNAL_URL="https://172.16.0.209:443/v1/AUTH_%(tenant_id)s"
keystone endpoint-create --region RegionOne --service_id $SWIFT_SERVICE_ID --publicurl $PUBLIC_URL --adminurl $ADMIN_URL --internalurl $INTERNAL_URL
Configuring OpenStack Object Storage to use SSL involves configuring the proxy server to use SSL. We first create a self-signed certificate using the openssl command, which asks for various fields to be filled in. The important one is the Common Name field: put in the Fully Qualified Domain Name (FQDN) hostname or IP address that clients will use to connect to the Swift proxy, because clients compare the certificate's name against the address they connected to. Some modern clients, browsers in particular, ignore the Common Name and check only the subjectAltName extension, so a certificate that also carries that extension is more widely accepted.
Once that has been done, we specify the port that we want our proxy server to listen on. As we are configuring an SSL HTTPS connection, we use the standard TCP port 443 that HTTPS defaults to. We also specify the certificate and key created in the first step so that the proxy presents the certificate to each client and can negotiate an encrypted session. With this in place, we restart our proxy server to listen on port 443. The proxy-server.conf sample shipped with Swift describes this built-in SSL support as being for testing only; in a production deployment, TLS is normally terminated in front of the proxy by a load balancer or a dedicated TLS terminator.
Finally, we modify the entry in Keystone to reflect this change. We identify the endpoint ID of the Swift service by first listing the endpoints, delete that endpoint with the keystone endpoint-delete $ENDPOINT_ID command, and add the correct one, making sure that we specify https and port 443.
With this in place, we can carry on using Swift as usual: clients discover the new HTTPS endpoint from the service catalog, so no URLs need to change on their side. Because the certificate is self-signed, however, clients must be told to trust it (for example by pointing OS_CACERT at the certificate file) or their certificate verification will fail; disabling verification instead would defeat the purpose of the change.
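As an added example (not code from the original page), the following shell script carries out the certificate step non-interactively and adds the checks a practitioner would run before restarting the proxy: it writes a subjectAltName containing both the DNS name and the IP address, confirms that the private key matches the certificate, prints the [DEFAULT] lines for proxy-server.conf, and rewrites an existing endpoint URL to its https form while keeping the %(tenant_id)s template intact. It assumes OpenSSL 1.1.1 or later (for -addext); the hostname swift-proxy.example.com is hypothetical, and 192.168.100.209 is the proxy address used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes OpenSSL >= 1.1.1
# (needed for -addext). swift-proxy.example.com is a hypothetical hostname;
# 192.168.100.209 is the proxy address used on the page.
set -eu

# make_cert DIR HOST IP
# Create an unencrypted 2048-bit RSA key and a self-signed certificate in DIR
# with no interactive prompts. The CN is HOST, and a subjectAltName lists both
# HOST and IP so that clients which ignore the CN still verify the host.
make_cert() {
    dir=$1 host=$2 ip=$3
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -keyout "$dir/cert.key" -out "$dir/cert.crt" 2>/dev/null
    chmod 600 "$dir/cert.key"    # keep the unencrypted key private
}

# cert_cn CERT: print the subject in RFC 2253 form, e.g. CN=swift-proxy.example.com
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# cert_san CERT: print the subjectAltName values, or nothing if the extension is absent
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# key_matches_cert CERT KEY: succeed only if KEY's public half equals CERT's.
# A mismatch here is the usual reason the proxy refuses to start after the edit.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# https_url URL: turn an http endpoint URL into https on port 443 while leaving
# the Keystone %(tenant_id)s template untouched. Swift's default port is 8080.
https_url() {
    printf '%s\n' "$1" | sed -E 's#^http://([^/:]+)(:[0-9]+)?#https://\1:443#'
}

# proxy_ssl_conf DIR: the [DEFAULT] lines the page adds to proxy-server.conf
proxy_ssl_conf() {
    printf '[DEFAULT]\nbind_port = 443\ncert_file = %s/cert.crt\nkey_file = %s/cert.key\n' "$1" "$1"
}

# Demonstration run, enabled with SWIFT_SSL_DEMO=1 so the functions can also be sourced.
if [ "${SWIFT_SSL_DEMO:-0}" = 1 ]; then
    dir=${SWIFT_SSL_DIR:-/tmp/swift-ssl}
    make_cert "$dir" swift-proxy.example.com 192.168.100.209
    echo "subject: $(cert_cn "$dir/cert.crt")"
    echo "SAN:     $(cert_san "$dir/cert.crt")"
    if key_matches_cert "$dir/cert.crt" "$dir/cert.key"; then
        echo "key matches certificate"
    fi
    proxy_ssl_conf "$dir"
    https_url 'http://172.16.0.209:8080/v1/AUTH_%(tenant_id)s'
fi
```

Run it with SWIFT_SSL_DEMO=1 (and SWIFT_SSL_DIR pointing at a scratch directory) to see the generated subject, SAN and configuration fragment; the https_url rewrite is what you would apply to the URLs shown by keystone endpoint-list before passing them to keystone endpoint-create.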