You can configure the Identity service to support two-way SSL.
You must obtain the x509 certificates externally and configure them.
The Identity service provides a set of sample certificates in the examples/pki/certs and examples/pki/private directories.
Note
You can choose names for these certificates. You can also combine public/private keys in the same file, if you wish. These certificates are provided as an example.
When running keystone-all, you can enable SSL with client authentication as follows. Modify the [eventlet_server_ssl] section in the /etc/keystone.conf file; the following SSL configuration example uses the included sample certificates:
[eventlet_server_ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystonekey.pem>
ca_certs = <path to ca.pem>
cert_required = True
Options
enable: True enables SSL. Default is False.
certfile: Path to the Identity service public certificate file.
keyfile: Path to the Identity service private key file. If you include the private key in the certfile, you can omit the keyfile.
ca_certs: Path to the CA trust chain used to verify client certificates.
cert_required: Requires a client certificate. Default is False.
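The following script is an added example, not part of the Keystone project: it lints the [eventlet_server_ssl] section described above and reports the settings that leave the server short of two-way SSL (SSL disabled, a missing certificate or key, no CA chain, or cert_required left at its default). The in-memory file map used for testing and the file paths in it are constructed for the example.

```python
"""Lint the [eventlet_server_ssl] section of keystone.conf for two-way SSL."""
import configparser
import os

SECTION = "eventlet_server_ssl"


def _read(path, files):
    """Return file contents, or None if the file is absent.
    'files' is an optional constructed in-memory map (path -> text)
    used for testing in place of the real disk."""
    if files is not None:
        return files.get(path)
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def audit_eventlet_ssl(conf_text, files=None):
    """Return a list of findings; an empty list means the section is sound."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section(SECTION):
        return ["missing [%s] section" % SECTION]
    sec = cp[SECTION]
    if not sec.getboolean("enable", fallback=False):
        return ["enable is False: keystone-all serves plain HTTP"]
    findings = []
    certfile = sec.get("certfile")
    cert_pem = _read(certfile, files) if certfile else None
    if cert_pem is None:
        findings.append("certfile missing or unreadable")
    keyfile = sec.get("keyfile")
    if keyfile:
        if _read(keyfile, files) is None:
            findings.append("keyfile missing or unreadable")
    elif not (cert_pem and "PRIVATE KEY" in cert_pem):
        # keyfile may only be omitted when the key is bundled in certfile.
        findings.append("no keyfile and certfile holds no private key")
    # Two-way SSL needs both a CA chain and cert_required = True.
    ca_certs = sec.get("ca_certs")
    if not ca_certs or _read(ca_certs, files) is None:
        findings.append("ca_certs missing: client certificates cannot be verified")
    if not sec.getboolean("cert_required", fallback=False):
        findings.append("cert_required is False: clients are not authenticated")
    return findings
```

Unfilled placeholders such as <path to keystone.pem> are reported as missing files, so the check also catches a copied but unedited example section.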
When running the Identity service as a WSGI service in a web server such as Apache httpd, this configuration is done in the web server instead. In this case the options in the [eventlet_server_ssl] section are ignored.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License http://creativecommons.org/licenses/by/3.0/legalcode.