Talk:Keystone in HTTPD on RHEL6
1. Disable the standalone keystone service.
 service openstack-keystone stop
 chkconfig openstack-keystone off
2. Install required base packages.
 yum install httpd mod_wsgi python-paste-deploy -y
- For SSL using mod_nss, install the following package.
 yum install mod_nss -y
Note: The CA cert and the server's SSL cert will need to be installed into the /etc/httpd/alias database using certutil.
- If the system is already joined to a FreeIPA server, the following can be used (the -N subject below uses double quotes so that the hostname substitution is expanded; replace IPA.REALM.HERE with the realm).
 kinit admin
 ipa service-add HTTP/`hostname --fqdn`
 rm -f /etc/httpd/alias/cert8.db /etc/httpd/alias/install.log /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
 certutil -N -d /etc/httpd/alias
 chgrp apache /etc/httpd/alias/cert8.db /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
 chmod g+r /etc/httpd/alias/cert8.db /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
 certutil -A -n "IPA CA" -d /etc/httpd/alias/ -i /etc/ipa/ca.crt -a -t CT,C,C
 ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/`hostname --fqdn` -N "CN=`hostname --fqdn`,O=IPA.REALM.HERE"
- For SSL using mod_ssl, install the following package.
 yum install mod_ssl -y
Note: The CA cert, the server's SSL cert and key will need to be saved to files readable by httpd.
- If the system is already joined to a FreeIPA server, the following can be used.
 kinit admin
 ipa service-add HTTP/`hostname --fqdn`
 ipa-getcert request -r -f /etc/pki/tls/certs/`hostname -s`-http.crt -k /etc/pki/tls/private/`hostname -s`-http.key -N CN=`hostname --fqdn` -D `hostname` -U id-kp-serverAuth -K HTTP/`hostname --fqdn`
 chmod 644 /etc/pki/tls/certs/`hostname -s`-http.crt
 chmod 640 /etc/pki/tls/private/`hostname -s`-http.key
 chgrp apache /etc/pki/tls/certs/`hostname -s`-http.crt /etc/pki/tls/private/`hostname -s`-http.key
- Modify /etc/httpd/conf.d/ssl.conf to point to the newly created cert and key.
 SSLCertificateFile /etc/pki/tls/certs/<hostname>-http.crt
 SSLCertificateKeyFile /etc/pki/tls/private/<hostname>-http.key
 SSLCertificateChainFile /etc/ipa/ca.crt
3. Create the cgi-bin links to the keystone wsgi process.
 mkdir /var/www/cgi-bin/keystone
 ln /usr/share/keystone/keystone.wsgi /var/www/cgi-bin/keystone/main
 ln /usr/share/keystone/keystone.wsgi /var/www/cgi-bin/keystone/admin
4. Create an SELinux module for the process.
 mkdir /root/keystonewsgi
 cd /root/keystonewsgi
 cat << EOF > keystonewsgi.te
 policy_module(keystonewsgi, 1.0.0)
 
 require {
     type httpd_t;
     type keystone_var_lib_t;
 }
 
 allow httpd_t keystone_var_lib_t:dir { search getattr };
 allow httpd_t keystone_var_lib_t:file { read write getattr open setattr };
 EOF
 ln -s /usr/share/selinux/devel/Makefile .
 make
 semodule -i keystonewsgi.pp
5. Create the keystone httpd config.
 cat << EOF > /etc/httpd/conf.d/wsgi-keystone.conf
 WSGIDaemonProcess keystone processes=5 threads=1 user=keystone
 WSGIProcessGroup keystone
 WSGIApplicationGroup %{GLOBAL}
 WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
 WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
 EOF
- Require SSL with mod_nss
 cat << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
 <Location "/keystone">
     NSSRequireSSL
     AuthType None
 </Location>
 EOF
- Require SSL with mod_ssl
 cat << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
 <Location "/keystone">
     SSLRequireSSL
     AuthType None
 </Location>
 EOF
- Do not require SSL
 cat << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
 <Location "/keystone">
     AuthType None
 </Location>
 EOF
6. Change the keystone config file to reflect this new port and endpoints.
 cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.backup
 openstack-config --set /etc/keystone/keystone.conf DEFAULT public_port 8443
 openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_port 8443
 openstack-config --set /etc/keystone/keystone.conf DEFAULT public_endpoint https://{FQDN}:%\(public_port\)s/keystone/main
 openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_endpoint https://{FQDN}:%\(admin_port\)s/keystone/admin
Note: this example is using mod_nss on port 8443; use port 443 for mod_ssl, or port 80 with http:// when SSL is not required.
7. Start/restart the httpd service.
 service httpd restart
8. Set the new endpoint in the SQL database. In the following example the admin_token in /etc/keystone/keystone.conf is ADMIN; substitute the token from your config.
- Find the id of the existing keystone service and endpoint.
 keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN service-get keystone | awk -F\| '$2~"id" {print $3}'
- Use the previous service id number to find the endpoint id.
 keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-list | awk -F\| '$7~"{SERVICE_ID}" {print $2}'
- Delete the old endpoint.
 keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-delete {ENDPOINT_ID}
- Add a new endpoint using the new URL.
 keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-create --region RegionOne --service-id {SERVICE_ID} --publicurl https://{FQDN}:8443/keystone/main/v2.0 --adminurl https://{FQDN}:8443/keystone/admin/v2.0 --internalurl https://{FQDN}:8443/keystone/main/v2.0
Note: this example is using mod_nss on port 8443; use port 443 for mod_ssl, or port 80 with http:// when SSL is not required.
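An added example, not part of the original page, that generalises the awk lookups in step 8: a POSIX sh helper that parses the table `keystone endpoint-list` prints, finds the endpoint id for a service id by exact match, and additionally reports any endpoint URL still registered over plain http:// after the move to httpd. ENDPOINT_LIST is constructed sample output with made-up ids and hostnames; on a real host pipe the command's output into the functions instead.

```shell
#!/bin/sh
# Added example, not from the original page. ENDPOINT_LIST is a constructed
# copy of the table format `keystone endpoint-list` prints (ids and hosts
# are made up). Real use: keystone ... endpoint-list | endpoint_id_for_service "$SID"
ENDPOINT_LIST='+----------------------------------+-----------+-----------------------------------------+-----------------------------------------+-----------------------------------------+----------------------------------+
|                id                |   region  |                publicurl                |               internalurl               |                adminurl                 |            service_id            |
+----------------------------------+-----------+-----------------------------------------+-----------------------------------------+-----------------------------------------+----------------------------------+
| 1111aaaa1111aaaa1111aaaa1111aaaa | RegionOne | http://keystone.example.test:5000/v2.0  | http://keystone.example.test:5000/v2.0  | http://keystone.example.test:35357/v2.0 | 9999ffff9999ffff9999ffff9999ffff |
| 2222bbbb2222bbbb2222bbbb2222bbbb | RegionOne | https://glance.example.test:9292/v1     | https://glance.example.test:9292/v1     | https://glance.example.test:9292/v1     | 8888eeee8888eeee8888eeee8888eeee |
+----------------------------------+-----------+-----------------------------------------+-----------------------------------------+-----------------------------------------+----------------------------------+'

# Print the endpoint id(s) registered for the service id given as $1.
# Same column layout as the awk in step 8 (with -F'|' the id is $2 and
# service_id is $7), but whitespace-trimmed and compared exactly, so a
# short substring cannot match several rows.
endpoint_id_for_service() {
    awk -F'|' -v sid="$1" '
        NF >= 7 {
            gsub(/ /, "", $2); gsub(/ /, "", $7)
            if ($7 == sid) print $2
        }'
}

# Print "<endpoint id> <column>" for every URL column that still uses
# plain http://, i.e. an endpoint that would carry tokens unencrypted.
# The header row is skipped naturally: its columns do not start with http://.
plaintext_endpoints() {
    awk -F'|' '
        BEGIN { name[4] = "publicurl"; name[5] = "internalurl"; name[6] = "adminurl" }
        NF >= 7 {
            gsub(/ /, "", $2)
            for (i = 4; i <= 6; i++) {
                gsub(/ /, "", $i)
                if ($i ~ /^http:\/\//) print $2, name[i]
            }
        }'
}

# Stand-alone demonstration on the constructed table.
printf '%s\n' "$ENDPOINT_LIST" | endpoint_id_for_service 9999ffff9999ffff9999ffff9999ffff
printf '%s\n' "$ENDPOINT_LIST" | plaintext_endpoints
```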