Hi Kevin,

It has been a while, but here are some notes I took.

Regards,

Mark Miller

---------------------------------

Keystone Apache2 frontend Installation and Configuration

Instructions below are based off of documentation/examples from URL 
https://keystone-voms.readthedocs.org/en/latest/requirements.html
Install Apache2 WSGI with mod_ssl enabled. To do so, install the packages, and 
enable the relevant modules:
sudo apt-get install apache2 libapache2-mod-wsgi 
sudo a2enmod ssl
sudo ufw disable  #Note: not sure if need to disable firewall

Then configure your Apache server to use CA certificates. If you have some 
installed in the default location, enable the default-ssl site (a2ensite 
default-ssl) and modify its configuration file (normally in 
/etc/apache2/sites-enabled/default-ssl). If not, create configuration file 
"/etc/apache2/sites-enabled/keystone" for your keystone installation. 
Note: I created file "/etc/apache2/sites-enabled/keystone" shown below. 
Example:
WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10

Listen 5000
<VirtualHost _default_:5000>
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apache.cert
    SSLCertificateKeyFile /etc/ssl/private/apache.key

    SSLCACertificatePath /etc/ssl/certs
    SSLCARevocationPath /etc/ssl/certs
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLOptions +StdEnvVars +ExportCertData

    WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/main
    WSGIProcessGroup keystone
</VirtualHost>

Listen 35357
<VirtualHost _default_:35357>
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apache.cert
    SSLCertificateKeyFile /etc/ssl/private/apache.key


    SSLCACertificatePath /etc/ssl/certs
    SSLCARevocationPath /etc/ssl/certs
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLOptions +StdEnvVars +ExportCertData

    WSGIScriptAlias / /usr/lib/cgi-bin/keystone/admin
    WSGIProcessGroup keystone
</VirtualHost> 

Note1: By changing settings in this file you can turn on and off the 
Apache2-SSL frontend to Keystone (variable SSLEngine).
Note2: The "[ssl]" section of file "keystone.conf" needs to match this file in 
that if SSL is turned on in one of them, then it needs to be turned on in the 
other. 
To run keystone as a WSGI app, copy file "keystone.py" to the correct location 
and create links to it.
sudo mkdir -p /usr/lib/cgi-bin/keystone
sudo cp /<path>/keystone-2013.2.b2/httpd/keystone.py /usr/lib/cgi-bin/keystone/keystone.py
sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/main
sudo ln /usr/lib/cgi-bin/keystone/keystone.py /usr/lib/cgi-bin/keystone/admin

If the keystone service is running, shut it down. The Apache2 service will now 
start up as many instances of keystone as are specified on the first line of 
file "/etc/apache2/sites-enabled/keystone".
sudo service keystone stop

Adjust the "keystone.py" file to point to your keystone configuration file "if" 
it is not in the default location (i.e. "/etc/keystone/keystone.conf"). 
Note: I did not make any changes to file keystone.py.
Add variable OPENSSL_ALLOW_PROXY_CERTS to your Apache2 environment file 
"/etc/apache2/envvars" so that X.509 proxy certificates are accepted by 
OpenSSL.
export OPENSSL_ALLOW_PROXY_CERTS=1

If you don't have server certificates for your Apache2 server, generate your 
own self-signed certificates following instructions from URL:
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
 
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.cert
When prompted, use the name of your server for the common name.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Corvallis
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hewlett-Packard
Organizational Unit Name (eg, section) []:CloudOS
Common Name (e.g. server FQDN or YOUR name) []:havanatest
Email Address []:mark.m.mil...@hp.com

Add the server name to your "/etc/hosts" file. 
127.0.1.1       havanatest

Add the full IP address and server name to your REST client computer's 
"/etc/hosts" file. The name in the REST client URL must match the name of the 
server/common-name found in the certificate. 
15.253.57.66    havanatest 

I ran into a problem with the Apache2 server startup because it was not able to 
reliably determine my test server's fully qualified domain name. Following 
instructions from the following URL allowed me to bypass this issue by adding 
the server name to file "/etc/apache2/httpd.conf".

http://aslamnajeebdeen.com/blog/how-to-fix-apache-could-not-reliably-determine-the-servers-fully-qualified-domain-name-using-127011-for-servername-error-on-ubuntu
 

Example:
servername havanatest

Finally, restart the Apache2 service and check to see that apache2 and keystone 
are running.

sudo service apache2 restart

ps -ef | grep apache2
root      4463     1  1 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  4464  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4468  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4469  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4470  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  4471  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  4472  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
root      4564  2483  0 10:41 pts/2    00:00:00 grep --color=auto apache2

ps -ef | grep keystone
keystone  4468  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4469  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
keystone  4470  4463  0 10:41 ?        00:00:00 /usr/sbin/apache2 -k start
root      4566  2483  0 10:42 pts/2    00:00:00 grep --color=auto keystone

With the above configuration and assuming that the Keystone host is 
"havanatest", the Keystone endpoint URLs will be as follows:
*       https://havanatest:5000/v3
*       https://havanatest:35357/v3
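The two VirtualHost blocks above terminate TLS in front of Keystone, so the mod_ssl directives in them are the whole of Keystone's transport security, and Note2 adds that SSLEngine must agree with the [ssl] section of keystone.conf. The script below is an added example for this thread, not code from the original message, from Keystone or from Apache: it parses VirtualHost blocks, flags an SSLProtocol that still admits SSLv3 and any cipher-list selector that enables RC4, LOW, MEDIUM, EXPORT, anonymous or NULL suites, and checks the SSLEngine / [ssl] enable agreement from Note2. The sample configs are constructed to mirror the posted vhost; the hardened variant, and the assumption that keystone.conf exposes the switch as `[ssl] enable`, are this example's own.

```python
"""Audit the mod_ssl VirtualHost that fronts Keystone for weak TLS settings
and confirm its SSLEngine state agrees with keystone.conf's [ssl] section.

Added example for this thread; not code from the original message, from
Keystone or from Apache. Sample configs are constructed to mirror the notes."""
import configparser
import re

# Constructed sample: the 5000/tcp vhost from the notes, TLS directives as posted.
WEAK_VHOST = """\
Listen 5000
<VirtualHost _default_:5000>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apache.cert
    SSLCertificateKeyFile /etc/ssl/private/apache.key
    SSLCACertificatePath /etc/ssl/certs
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLOptions +StdEnvVars +ExportCertData
    WSGIScriptAlias / /usr/lib/cgi-bin/keystone/main
    WSGIProcessGroup keystone
</VirtualHost>
"""

# Constructed sample: the same vhost with SSLv3 disabled and only strong ciphers.
HARDENED_VHOST = WEAK_VHOST.replace(
    "SSLProtocol all -SSLv2",
    "SSLProtocol all -SSLv2 -SSLv3",
).replace(
    "SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
    "SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!LOW:!MEDIUM",
)

# Constructed keystone.conf fragments; "[ssl] enable" is assumed to be the key
# that Note2 says must match SSLEngine in the vhosts.
KEYSTONE_CONF_SSL_OFF = "[ssl]\nenable = False\n"
KEYSTONE_CONF_SSL_ON = "[ssl]\nenable = True\n"

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

# Cipher-list words that enable suites a deployment should not offer.
WEAK_CIPHER_WORDS = ("RC4", "LOW", "MEDIUM", "EXP", "ADH", "NULL", "MD5")


def parse_vhosts(text):
    """Map each VirtualHost address to its {lowercased directive: value} dict."""
    hosts = {}
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip()
        hosts[addr.strip()] = directives
    return hosts


def audit_vhost(directives):
    """Return a list of (directive, problem) for weak TLS settings in one vhost."""
    findings = []
    # mod_ssl defaults SSLProtocol to "all", which still includes SSLv3.
    proto = [t.lower() for t in directives.get("sslprotocol", "all").split()]
    if ("all" in proto and "-sslv3" not in proto) or "sslv3" in proto or "+sslv3" in proto:
        findings.append(("SSLProtocol", "SSLv3 still enabled; add -SSLv3 or list TLS versions only"))
    for token in directives.get("sslciphersuite", "DEFAULT").split(":"):
        if token.startswith(("!", "-")):
            continue  # selector is removed from the list, not enabled
        word = token.lstrip("+").upper()  # "+" only reorders, the suites stay enabled
        if word == "ALL":
            findings.append(("SSLCipherSuite", "ALL enables every cipher OpenSSL knows; start from HIGH"))
        elif any(w in word for w in WEAK_CIPHER_WORDS):
            findings.append(("SSLCipherSuite", "weak cipher selector enabled: %s" % token))
    return findings


def ssl_state_agrees(apache_text, keystone_conf_text):
    """Note2 from the thread: SSLEngine in the vhosts and [ssl] enable in
    keystone.conf must be on in both or off in both."""
    states = {d.get("sslengine", "off").lower() == "on"
              for d in parse_vhosts(apache_text).values()}
    if len(states) != 1:
        return False  # no vhosts at all, or a mix of SSL and plain vhosts
    cp = configparser.ConfigParser()
    cp.read_string(keystone_conf_text)
    return states.pop() == cp.getboolean("ssl", "enable", fallback=False)


if __name__ == "__main__":
    for label, text in (("as posted", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        for addr, directives in parse_vhosts(text).items():
            print(label, addr, audit_vhost(directives) or "no findings")
    print("SSL state agrees:", ssl_state_agrees(WEAK_VHOST, KEYSTONE_CONF_SSL_OFF))
```

Run it against the real file with `parse_vhosts(open("/etc/apache2/sites-enabled/keystone").read())`; the posted vhost produces one SSLProtocol finding and four SSLCipherSuite findings (ALL, RC4+RSA, +MEDIUM, +LOW), the hardened variant none. The agreement check treats a missing `[ssl] enable` as off, so a keystone.conf without that key fails the check against an SSLEngine-on vhost, which is the mismatch Note2 warns about.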




> -----Original Message-----
> From: Fox, Kevin M [mailto:kevin....@pnnl.gov]
> Sent: Wednesday, October 09, 2013 4:59 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> I've just started playing around with Keystone under Apache. I have
> managed to get it embedded now and all services talking to it.
> 
> Now, I'm trying to get it to do apache authentication. The documentation
> states that it should honor REMOTE_USER if its present.
> 
> The default wsgi-keystone.conf has this in it:
> <Location "/keystone">
>  NSSRequireSSL
>  Authtype none
> </Location>
> 
> Which Locations do you put Apache auth plugins on? Putting it on all of
> /keystone seems wrong. I tried putting it only on <Location
> "/keystone/main/v2.0/tokens"> and that didn't work either...
> 
> Looking at the token api, it doesn't look like it does basic auth at all, 
> expecting
> the username/password to be passed through a json document? So perhaps
> what I am trying to do will never work? Do I have to set some flag to get
> python-keystoneclient/Dashboard to pass the username/password as
> basicauth instead of in a json form?
> 
> Thanks,
> Kevin
> 
> 
> 
> ________________________________________
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> [mark.m.mil...@hp.com]
> Sent: Monday, August 12, 2013 4:17 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> Progress: Got Keystone working under Apache2 with HTTP based on the
> following 2 URLs . HTTPS is the next.
> 
> https://keystone-voms.readthedocs.org/en/latest/requirements.html
> https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
> 
> Mark
> 
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Sent: Monday, August 12, 2013 3:10 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> Looks like I may be ahead of the game. It doesn't look like this blueprint has
> been started yet. Am I correct?
> 
> https://blueprints.launchpad.net/devstack/+spec/devstack-setup-apache-keystone
> 
> A very valuable feature of Keystone is to configure it to leverage apache as
> its front end. As a means of demonstrating how this works, and to facilitate
> automated testing of this configuration in the future, support to devstack 
> will
> be added to enable it to optionally install and configure keystone using
> apache as it front end. The design approach used will be that described in the
> keystone docs:
> https://github.com/openstack/keystone/blob/master/doc/source/apache-httpd.rst
> Thanks,
> 
> Mark
> 
> 
> 
> From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Sent: Monday, August 12, 2013 1:45 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> The commands/libraries do not exist for Ubuntu, Keystone no longer starts
> up, directories between the sets of documents do not match, ...
> 
> From: Dolph Mathews [mailto:dolph.math...@gmail.com]
> Sent: Monday, August 12, 2013 1:41 PM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] Keystone Apache2 Installation Question
> 
> What problem(s) are you running into when following the above
> documentation / examples?
> 
> On Mon, Aug 12, 2013 at 3:32 PM, Miller, Mark M (EB SW Cloud - R&D -
> Corvallis) <mark.m.mil...@hp.com> wrote:
> Hello,
> 
> I am looking for documentation on how to install/configure Apache2 as the
> Keystone front end for "Ubuntu 12.04". I have found various documentation
> snippets for a variety of applications and operating systems, but nothing for
> Ubuntu. Any pointers would greatly be appreciated. I have been trying to
> piece the installation/configuration from the following URLs but have yet to
> be successful.
> 
> http://docs.openstack.org/developer/keystone/apache-httpd.html#keystone-configuration
> https://keystone-voms.readthedocs.org/en/latest/requirements.html
> https://github.com/enovance/keystone-wsgi-apache/blob/master/provision.sh
> http://adam.younglogic.com/2012/04/keystone-httpd/
> 
> Regards,
> 
> Mark
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> --
> 
> -Dolph
> 
