Setting up SSL access
by Tony Campbell, Egle Sigler, Cody Bunch, Kevin Jackson, Sunil Sarat, Alok Shrivas
OpenStack: Building a Cloud Environment
- OpenStack: Building a Cloud Environment
- Table of Contents
- OpenStack: Building a Cloud Environment
- OpenStack: Building a Cloud Environment
- Credits
- Preface
- 1. Module 1
- 1. An Introduction to OpenStack
- 2. Authentication and Authorization Using Keystone
- Identity concepts in Keystone
- Architecture and subsystems
- Installing common components
- Installing Keystone
- Verifying the installation
- Troubleshooting the installation and configuration
- Summary
- 3. Storing and Retrieving Data and Images using Glance, Cinder, and Swift
- Introducing storage services
- Working with Glance
- Working with Cinder
- Working with Swift
- Troubleshooting steps
- Summary
- 4. Building Your Cloud Fabric Controller Using Nova
- 5. Technology-Agnostic Network Abstraction Using Neutron
- The software-defined network paradigm
- Neutron
- Installing Neutron
- Troubleshooting Neutron
- Summary
- 6. Building Your Portal in the Cloud
- 7. Your OpenStack Cloud in Action
- 8. Taking Your Cloud to the Next Level
- Working with Heat
- Ceilometer
- Installing Ceilometer
- Installing Ceilometer on the compute node
- Installing Ceilometer on the storage node
- Testing the installation
- Billing and usage reporting
- Summary
- 9. Looking Ahead
- A. New Releases
- 2. Module 2
- 1. Keystone – OpenStack Identity Service
- Introduction
- Installing the OpenStack Identity Service
- Configuring OpenStack Identity for SSL communication
- Creating tenants in Keystone
- Configuring roles in Keystone
- Adding users to Keystone
- Defining service endpoints
- Creating the service tenant and service users
- Configuring OpenStack Identity for LDAP Integration
- 2. Glance – OpenStack Image Service
- Introduction
- Installing OpenStack Image Service
- Configuring OpenStack Image Service with OpenStack Identity Service
- Configuring OpenStack Image Service with OpenStack Object Storage
- Managing images with OpenStack Image Service
- Registering a remotely stored image
- Sharing images among tenants
- Viewing shared images
- Using image metadata
- Migrating a VMware image
- Creating an OpenStack image
- 3. Neutron – OpenStack Networking
- Introduction
- Installing Neutron and Open vSwitch on a dedicated network node
- Configuring Neutron and Open vSwitch
- Installing and configuring the Neutron API service
- Creating a tenant Neutron network
- Deleting a Neutron network
- Creating an external floating IP Neutron network
- Using Neutron networks for different purposes
- Configuring Distributed Virtual Routers
- Using Distributed Virtual Routers
- 4. Nova – OpenStack Compute
- Introduction
- Installing OpenStack Compute controller services
- Installing OpenStack Compute packages
- Configuring database services
- Configuring OpenStack Compute
- Configuring OpenStack Compute with OpenStack Identity Service
- Stopping and starting nova services
- Installation of command-line tools on Ubuntu
- Using the command-line tools with HTTPS
- Checking OpenStack Compute services
- Using OpenStack Compute
- Managing security groups
- Creating and managing key pairs
- Launching our first cloud instance
- Fixing a broken instance deployment
- Terminating your instances
- Using live migration
- Working with nova-schedulers
- Creating flavors
- Defining host aggregates
- Launching instances in specific Availability Zones
- Launching instances on specific Compute hosts
- Removing Nova nodes from a cluster
- 5. Swift – OpenStack Object Storage
- Introduction
- Configuring Swift services and users in Keystone
- Installing OpenStack Object Storage services – proxy server
- Configuring OpenStack Object Storage – proxy server
- Installing OpenStack Object Storage services – storage nodes
- Configuring physical storage for use with Swift
- Configuring Object Storage replication
- Configuring OpenStack Object Storage – storage services
- Making the Object Storage rings
- Stopping and starting OpenStack Object Storage
- Setting up SSL access
- 6. Using OpenStack Object Storage
- 7. Administering OpenStack Object Storage
- 8. Cinder – OpenStack Block Storage
- 9. More OpenStack
- Introduction
- Using cloud-init to run post-installation commands
- Using cloud-config to run the post-installation configuration
- Installing OpenStack Telemetry
- Using OpenStack Telemetry to interrogate usage statistics
- Installing Neutron LBaaS
- Using Neutron LBaaS
- Configuring Neutron FWaaS
- Using Neutron FWaaS
- Installing the Heat OpenStack Orchestration service
- Using Heat to spin up instances
- 10. Using the OpenStack Dashboard
- Introduction
- Installing OpenStack Dashboard
- Using OpenStack Dashboard for key management
- Using OpenStack Dashboard to manage Neutron networks
- Using OpenStack Dashboard for security group management
- Using OpenStack Dashboard to launch instances
- Using OpenStack Dashboard to terminate instances
- Using OpenStack Dashboard to connect to instances using a VNC
- Using OpenStack Dashboard to add new tenants – projects
- Using OpenStack Dashboard for user management
- Using OpenStack Dashboard with LBaaS
- Using OpenStack Dashboard with OpenStack Orchestration
- 11. Production OpenStack
- Introduction
- Installing the MariaDB Galera cluster
- Configuring HA Proxy for the MariaDB Galera cluster
- Configuring HA Proxy for high availability
- Installing and configuring Pacemaker with Corosync
- Configuring OpenStack services with Pacemaker and Corosync
- Bonding network interfaces for redundancy
- Automating OpenStack installations using Ansible – host configuration
- Automating OpenStack installations using Ansible – Playbook configuration
- Automating OpenStack installations using Ansible – running Playbooks
- 1. Keystone – OpenStack Identity Service
- 3. Module 3
- 1. The Troubleshooting Toolkit
- 2. Troubleshooting OpenStack Identity
- 3. Troubleshooting the OpenStack Image Service
- 4. Troubleshooting OpenStack Networking
- 5. Troubleshooting OpenStack Compute
- 6. Troubleshooting OpenStack Block Storage
- 7. Troubleshooting OpenStack Object Storage
- 8. Troubleshooting the OpenStack the Orchestration Service
- 9. Troubleshooting the OpenStack Telemetry Service
- 10. OpenStack Performance, Availability, and Reliability
- A. Bibliography
- Index
Setting up Secure Sockets Layer (SSL) access provides secure access between the client and our OpenStack Object Storage environment in exactly the same way SSL provides secure access to any other web service. To do this, we configure our proxy server with SSL certificates.
Ensure that you are logged in to the swift-proxy node and have the packages installed and configured for running Swift. If you created this node with vagrant, you can execute the following command:
vagrant ssh swift-proxy
Configuration of OpenStack Object Storage to secure communication between the client and the proxy server is done as follows:
- In order to provide SSL access to our proxy server, we first create the certificates:
cd /etc/swift sudo openssl req -new -x509 -nodes -out cert.crt -keyout cert.key
- We need to answer the following questions that the certificate process asks us:
- Once created, we configure our proxy server to use the certificate and key by editing the
/etc/swift/proxy-server.conffile, as shown here:bind_port = 443 cert_file = /etc/swift/cert.crt key_file = /etc/swift/cert.key
- With this in place, we can restart the proxy server using the
swift-initcommand to pick up the change:sudo swift-init proxy-server restart - We now need to update our Keystone endpoint to reflect this change. We do this by first removing the current entry, and then adding the endpoint with the change of details. First, source your environment variables so that you have admin privileges, or set the following:
export ENDPOINT=192.168.100.200 export SERVICE_TOKEN=ADMIN export SERVICE_ENDPOINT=https://${ENDPOINT}:35357/v2.0 export OS_KEY=/vagrant/cakey.pem export OS_CACERT=/vagrant/ca.pem - List the endpoints to verify the entry to remove by issuing the following command:
keystone endpoint-listThis will bring back output such as the following. The Swift endpoint has been highlighted and output truncated to fit the page.
- To remove the Swift endpoint, execute the following command:
keystone endpoint-delete bd46a06576a3489ba9f9a8a7eaa2b2bd - We then add in the correct endpoint with the new values:
PUBLIC_URL="https://192.168.100.209:443/v1/AUTH_$(tenant_id)s" ADMIN_URL="https://172.16.0.209:443/v1" INTERNAL_URL=="https://172.16.0.209:443/v1/AUTH_$(tenant_id)s" keystone endpoint-create --region RegionOne --service_id $SWIFT_SERVICE_ID --publicurl $PUBLIC_URL --adminurl $ADMIN_URL --internalurl $INTERNAL_URL
Configuring OpenStack Object Storage to use SSL involves configuring the proxy server to use SSL. We first configure a self-signed certificate using the openssl command, which asks for various fields to be filled in. An important field is the Common Name field. Put in the Fully Qualified Domain Name (FQDN) hostname or IP address that you would use to connect to the Swift server.
Once that has been done, we specify the port that we want our proxy server to listen on. As we are configuring an SSL HTTPS connection, we will use the standard TCP port 443 that HTTPS defaults to. We also specify the certificate and key that we created in the first step so that when a request is made, this information is presented to the end user to allow secure data transfer. With this in place, we restart our proxy server to listen on port 443.
Finally, we modify the entry in Keystone to reflect this change. To do this, we identify the endpoint ID of the Swift service by first list the endpoints. After this, we delete this endpoint with the keystone endpoint-delete $ENDPOINT_ID command and add in the correct ones, we ensure that we specify https and port 443.
With this in place, we can carry on using Swift as usual and the end user won't need to modify anything to take advantage of this change.
-
No Comment