gustavo panizzo <gfa> wrote:
> On 05/07/2014 04:25 PM, Remo Mattei wrote:
>> Hello guys,
>> I wonder if anyone has any suggestions on changing from http to https
>> for interprocess communication (like nova to keystone etc.), not for the DASHBOARD.
>
> Create a CA for the certs and import the public key of the CA on all the
> boxes. It will save you headaches. Don't use self-signed certs.
> I've used EasyRSA to create the CA and its certificates.
> Re-create the endpoints using SSL; some downtime will be needed during
> reconfiguration.
> The CN on the cert must match the hostname in the endpoints.
> Python SSL performance is not great; if you have high traffic you will
> need something external (apache, bigip, nginx?) to terminate SSL traffic.
> stud seems to be widely used as well.
You'll need to change a slew of configuration files as well to point to
the new endpoint.
In the conf file for most services you'll need something like:
[keystone_authtoken]
...
cafile = /path/to/cacert.pem
auth_protocol = https
auth_port = 35357
auth_host = fqdn.example.com
Some also have an auth_uri:
auth_uri = https://fqdn.example.com:5000/v2.0
rob
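As an added worked example (this is not code from the thread, from rob, or from OpenStack itself), the script below does the three things the replies describe: it rewrites the [keystone_authtoken] section of a service config to the https settings, checks that the host in auth_uri, auth_host and the https scheme are consistent with each other (the CN on the cert has to match exactly one hostname), and can open a TLS connection to the live endpoint to confirm the certificate chains to the CA file and that its CN/SAN matches auth_host. The CA file path, the keystone hostname and the sample nova.conf fragment are assumptions made up for the example.

```python
"""
Added example, not code from the mailing-list thread or from OpenStack:
switch a service's [keystone_authtoken] section to an HTTPS Keystone
endpoint, sanity-check the settings, and verify the live endpoint's
certificate against the CA file. Hostnames, ports and paths are assumed.
"""
import configparser
import io
import socket
import ssl
from urllib.parse import urlparse

# Target settings, using the keys quoted in the thread. The cafile path and the
# hostname are assumed values; auth_host must equal the CN (or a SAN) on the
# certificate the endpoint presents. auth_uri is the public endpoint (5000),
# auth_host/auth_port the admin endpoint (35357); both must be https.
HTTPS_SETTINGS = {
    "cafile": "/etc/ssl/certs/openstack-ca.pem",
    "auth_protocol": "https",
    "auth_port": "35357",
    "auth_host": "keystone.example.com",
    "auth_uri": "https://keystone.example.com:5000/v2.0",
}

# Constructed sample of a pre-migration nova.conf fragment (not a real file).
SAMPLE_NOVA_CONF = """\
[DEFAULT]
verbose = True

[keystone_authtoken]
auth_host = 10.0.0.5
auth_protocol = http
auth_port = 35357
admin_user = nova
admin_password = secret
"""


def _parser():
    # default_section is renamed so that [DEFAULT], a real section in OpenStack
    # configs, is read and written as an ordinary section instead of leaking
    # its keys into every other section. strict=False tolerates duplicate keys;
    # optionxform=str keeps option names in their original case.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__no_defaults__")
    parser.optionxform = str
    return parser


def update_authtoken_section(conf_text, settings=HTTPS_SETTINGS):
    """Return conf_text with `settings` applied to [keystone_authtoken].
    Keys not in `settings` (admin_user, admin_password, ...) are kept and the
    section is created if the file has none."""
    parser = _parser()
    parser.read_string(conf_text)
    if not parser.has_section("keystone_authtoken"):
        parser.add_section("keystone_authtoken")
    for key, value in settings.items():
        parser.set("keystone_authtoken", key, value)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def read_authtoken_section(conf_text):
    """Return [keystone_authtoken] as a plain dict (used by the checks/tests)."""
    parser = _parser()
    parser.read_string(conf_text)
    return dict(parser.items("keystone_authtoken"))


def check_settings(settings):
    """Return a list of problems; an empty list means the settings follow the
    thread's advice: https on both endpoints, a CA file, one hostname."""
    problems = []
    if settings.get("auth_protocol") != "https":
        problems.append("auth_protocol must be https")
    if not settings.get("cafile"):
        problems.append("cafile must point at the CA cert installed on every box")
    uri = urlparse(settings.get("auth_uri", ""))
    if uri.scheme != "https":
        problems.append("auth_uri must use https")
    host = settings.get("auth_host", "")
    if uri.hostname != host:
        problems.append("auth_uri host %r differs from auth_host %r" % (uri.hostname, host))
    if host.replace(".", "").isdigit():
        problems.append("auth_host is an IP address but the cert CN is a hostname")
    return problems


def verify_endpoint(host, port, cafile, timeout=5.0):
    """Open a TLS connection requiring a chain to `cafile` and a CN/SAN that
    matches `host` (create_default_context sets CERT_REQUIRED and
    check_hostname). Returns the peer certificate dict; raises ssl.SSLError
    (SSLCertVerificationError on 3.7+) if either check fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(update_authtoken_section(SAMPLE_NOVA_CONF))
    for problem in check_settings(HTTPS_SETTINGS):
        print("PROBLEM:", problem)
    # Needs a live endpoint, so commented out here:
    # verify_endpoint(HTTPS_SETTINGS["auth_host"], 35357, HTTPS_SETTINGS["cafile"])
```

Run check_settings and verify_endpoint before restarting the services: an auth_host that does not match the CN fails in exactly the same way as a wrong CA file, so catching the mismatch here saves a round of downtime during the endpoint reconfiguration the thread warns about.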
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack