You can configure the Identity service to support two-way SSL.
You must obtain the x509 certificates externally and configure them.
The Identity service provides a set of sample certificates in the examples/pki/certs and examples/pki/private directories:
Note
You can choose names for these certificates. You can also combine public/private keys in the same file, if you wish. These certificates are provided as an example.
When running keystone-all, the server can be configured to enable SSL with client authentication using the following instructions. Modify the [eventlet_server_ssl] section in the /etc/keystone/keystone.conf file. The following SSL configuration example uses the included sample certificates:
[eventlet_server_ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystonekey.pem>
ca_certs = <path to ca.pem>
cert_required = True
Options
When running the Identity service as a WSGI service in a web server such as Apache httpd, this configuration is done in the web server instead. In this case the options in the [eventlet_server_ssl] section are ignored.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.