Talk:Keystone in HTTPD on RHEL6

1. Disable the standalone keystone service.

service openstack-keystone stop
chkconfig openstack-keystone off

2. Install the required base packages.

yum install httpd mod_wsgi python-paste-deploy -y

- For SSL using mod_nss, install the following package.

yum install mod_nss -y

Note: The CA cert and the server's SSL cert will need to be installed into the /etc/httpd/alias NSS database using certutil. certutil -N asks for a database password; leave it empty unless you also configure NSSPassPhraseDialog in nss.conf, otherwise httpd cannot open the database at start-up.

- If the system is already joined to a FreeIPA server, the following can be used. The rm -f removes the self-signed database that mod_nss ships. The -N subject is double-quoted so the shell expands `hostname --fqdn` (in single quotes the CN would literally read "`hostname --fqdn`"); replace IPA.REALM.HERE with the realm's subject base.

kinit admin
ipa service-add HTTP/`hostname --fqdn`
rm -f /etc/httpd/alias/cert8.db /etc/httpd/alias/install.log /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
certutil -N -d /etc/httpd/alias
chgrp apache /etc/httpd/alias/cert8.db /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
chmod g+r /etc/httpd/alias/cert8.db /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
certutil -A -n "IPA CA" -d /etc/httpd/alias/ -i /etc/ipa/ca.crt -a -t CT,C,C
ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/`hostname --fqdn` -N "CN=`hostname --fqdn`,O=IPA.REALM.HERE"

- For SSL using mod_ssl, install the following package.

yum install mod_ssl -y

Note: The CA cert, the server's SSL cert and its key will need to be saved to files readable by httpd.

- If the system is already joined to a FreeIPA server, the following can be used. certmonger issues the certificate asynchronously: check with "ipa-getcert list" that the request has reached the MONITORING state (the .crt and .key files then exist) before running the chmod/chgrp lines, otherwise they fail on missing files.

kinit admin
ipa service-add HTTP/`hostname --fqdn`
ipa-getcert request -r -f /etc/pki/tls/certs/`hostname -s`-http.crt -k /etc/pki/tls/private/`hostname -s`-http.key -N CN=`hostname --fqdn` -D `hostname` -U id-kp-serverAuth -K HTTP/`hostname --fqdn`
chmod 644 /etc/pki/tls/certs/`hostname -s`-http.crt
chmod 640 /etc/pki/tls/private/`hostname -s`-http.key
chgrp apache /etc/pki/tls/certs/`hostname -s`-http.crt /etc/pki/tls/private/`hostname -s`-http.key

- Modify /etc/httpd/conf.d/ssl.conf to point to the newly created cert and key, where {HOST} is the short host name printed by `hostname -s`. The key stays mode 640 with group apache; do not make it world-readable to "fix" a permission error.

SSLCertificateFile /etc/pki/tls/certs/{HOST}-http.crt
SSLCertificateKeyFile /etc/pki/tls/private/{HOST}-http.key
SSLCertificateChainFile /etc/ipa/ca.crt

3. Create the cgi-bin links to the keystone WSGI script. The script selects the public ("main") or admin paste pipeline from the name it is invoked as, so the two link names matter; plain ln creates hard links, so the files keep keystone.wsgi's ownership and SELinux label.

mkdir /var/www/cgi-bin/keystone
ln /usr/share/keystone/keystone.wsgi /var/www/cgi-bin/keystone/main
ln /usr/share/keystone/keystone.wsgi /var/www/cgi-bin/keystone/admin

4. Create an SELinux module for the process. httpd_t has no access to keystone's state directory (keystone_var_lib_t), and this module grants exactly the directory and file permissions the WSGI process needs. The Makefile comes from the selinux-policy-devel package.

mkdir /root/keystonewsgi
cd /root/keystonewsgi

cat << EOF > keystonewsgi.te
policy_module(keystonewsgi, 1.0.0)

require {
    type httpd_t;
    type keystone_var_lib_t;
}

allow httpd_t keystone_var_lib_t:dir { search getattr };
allow httpd_t keystone_var_lib_t:file { read write getattr open setattr };
EOF

ln -s /usr/share/selinux/devel/Makefile .
make
semodule -i keystonewsgi.pp

5. Create the keystone httpd config. The daemon processes run as the keystone user, so keystone.conf and the admin token in it stay unreadable to the apache user.

cat << EOF > /etc/httpd/conf.d/wsgi-keystone.conf
WSGIDaemonProcess keystone processes=5 threads=1 user=keystone
WSGIProcessGroup keystone
WSGIApplicationGroup %{GLOBAL}
WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
EOF

Then append exactly one of the following three blocks. NSSRequireSSL, SSLRequireSSL and AuthType are per-location directives and are rejected at server scope, so they go inside a <Location> block that covers both script aliases.

- Require SSL with mod_nss

cat << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
<Location /keystone>
    NSSRequireSSL
    AuthType None
</Location>
EOF

- Require SSL with mod_ssl

cat << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
<Location /keystone>
    SSLRequireSSL
    AuthType None
</Location>
EOF

- Do not require SSL. Only for isolated test setups: the admin token, user passwords and issued tokens then cross the network in clear text.

cat << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
<Location /keystone>
    AuthType None
</Location>
EOF

6. Change the keystone config file to reflect the new port and endpoints. {FQDN} is the host's fully-qualified name and must match the CN of the certificate issued above, or clients verifying the certificate will reject the endpoint.

cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.backup
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_port 8443
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_port 8443
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_endpoint https://{FQDN}:%\(public_port\)s/keystone/main
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_endpoint https://{FQDN}:%\(admin_port\)s/keystone/admin

Note: this example uses mod_nss, whose default listener is port 8443; use port 443 for mod_ssl, or port 80 with http:// when SSL is not required.

7. Check the configuration, then start/restart the httpd service. Afterwards look in /var/log/httpd/error_log for WSGI or certificate errors and run "ausearch -m avc -ts recent" for AVC denials that the module in step 4 does not cover.

httpd -t
service httpd restart

8. Set the new endpoint in the SQL database. In the following example the admin_token in /etc/keystone/keystone.conf is ADMIN; substitute the token from your config. --insecure turns off certificate verification for the client; python-keystoneclient builds that accept --os-cacert can pass /etc/ipa/ca.crt instead and keep verification on.

- Find the id of the existing keystone service.

keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN service-get keystone|awk -F\| '$2~"id" {print $3}'

- Use the previous service id to find the endpoint id (service_id is the 7th field when the table is split on "|").

keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-list | awk -F\| "\$7~\"{SERVICE_ID}\" {print \$2}"

- Delete the old endpoint.

keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-delete {ENDPOINT_ID}

- Add a new endpoint using the new URL.

keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-create --region RegionOne --service-id {SERVICE_ID} --publicurl https://{FQDN}:8443/keystone/main/v2.0 --adminurl https://{FQDN}:8443/keystone/main/v2.0 --internalurl https://{FQDN}:8443/keystone/main/v2.0

Note: this example uses mod_nss (port 8443); use port 443 for mod_ssl, or port 80 with http:// when SSL is not required, in all four commands.