Talk:Keystone in HTTPD on RHEL6

Revision as of 21:37, 6 January 2014 by Jeremy Agee (Jeremy Agee moved page Talk:Documentation to Talk:Keystone in HTTPD on RHEL6: rename)

1. Disable the standalone keystone service.

 service openstack-keystone stop
 chkconfig openstack-keystone off

2. Install required base packages.

 yum install httpd mod_wsgi python-paste-deploy -y

- For SSL using mod_nss, install the following package.

 yum install mod_nss -y

Note: The CA cert and the server's SSL cert need to be installed into the /etc/httpd/alias NSS database using certutil.

- If the system is already joined to a FreeIPA server, the following can be used.

 kinit admin
 ipa service-add HTTP/`hostname --fqdn`
 rm -f /etc/httpd/alias/cert8.db /etc/httpd/alias/install.log /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
 certutil -N -d /etc/httpd/alias
 chgrp apache /etc/httpd/alias/cert8.db /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
 chmod g+r /etc/httpd/alias/cert8.db /etc/httpd/alias/key3.db /etc/httpd/alias/secmod.db
 certutil -A -n "IPA CA" -d /etc/httpd/alias/ -i /etc/ipa/ca.crt -a -t CT,C,C
 ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/`hostname --fqdn` -N "CN=`hostname --fqdn`,O=IPA.REALM.HERE"

- For SSL using mod_ssl, install the following package.

 yum install mod_ssl -y

Note: The CA cert, the server's SSL cert and its private key need to be saved to files readable by httpd.

- If the system is already joined to a FreeIPA server, the following can be used.

 kinit admin
 ipa service-add HTTP/`hostname --fqdn`
 ipa-getcert request -r -f /etc/pki/tls/certs/`hostname -s`-http.crt -k /etc/pki/tls/private/`hostname -s`-http.key -N CN=`hostname --fqdn` -D `hostname` -U id-kp-serverAuth -K HTTP/`hostname --fqdn`
 chmod 644 /etc/pki/tls/certs/`hostname -s`-http.crt
 chmod 640 /etc/pki/tls/private/`hostname -s`-http.key
 chgrp apache /etc/pki/tls/certs/`hostname -s`-http.crt /etc/pki/tls/private/`hostname -s`-http.key

- Modify /etc/httpd/conf.d/ssl.conf to point to the newly created cert and key.

 SSLCertificateFile /etc/pki/tls/certs/<hostname>-http.crt
 SSLCertificateKeyFile /etc/pki/tls/private/<hostname>-http.key
 SSLCertificateChainFile /etc/ipa/ca.crt

3. Create the cgi-bin links to the keystone WSGI script.

 mkdir /var/www/cgi-bin/keystone
 ln /usr/share/keystone/keystone.wsgi /var/www/cgi-bin/keystone/main
 ln /usr/share/keystone/keystone.wsgi /var/www/cgi-bin/keystone/admin

4. Create an SELinux module that lets httpd access the keystone data directory.

 mkdir /root/keystonewsgi
 cd /root/keystonewsgi
 cat  << EOF > keystonewsgi.te
 policy_module(keystonewsgi, 1.0.0)
 require {
   type httpd_t;
   type keystone_var_lib_t;
 }
 allow httpd_t keystone_var_lib_t:dir { search getattr };
 allow httpd_t keystone_var_lib_t:file { read write getattr open setattr };
 EOF
 ln -s /usr/share/selinux/devel/Makefile .
 make
 semodule -i keystonewsgi.pp
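The module above grants httpd_t a fixed set of permissions on keystone_var_lib_t. The following is an added example, not part of the wiki procedure, showing how to derive the minimal rules from AVC denials in audit.log and check them against the step 4 module; the function names and all sample denials are constructed here (on a real host, audit2allow performs the first step).

```shell
#!/bin/sh
# Added example, not part of the wiki procedure: turn AVC denials from
# /var/log/audit/audit.log into minimal allow rules and check them against the
# keystonewsgi.te module from step 4, so the module grants only what httpd was
# actually denied. On a live host feed it the real log, for example:
#   avc_to_allow_rules "$(grep 'comm="httpd"' /var/log/audit/audit.log)"

# Constructed sample denials (pids, inodes and audit ids are made up).
SAMPLE_AVC='type=AVC msg=audit(1389045023.123:4501): avc:  denied  { search } for  pid=2231 comm="httpd" name="keystone" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1389045023.456:4502): avc:  denied  { read open } for  pid=2231 comm="httpd" path="/var/lib/keystone/keystone.db" dev=dm-0 ino=1320 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_var_lib_t:s0 tclass=file
type=AVC msg=audit(1389045024.001:4503): avc:  denied  { write } for  pid=2232 comm="httpd" path="/var/lib/keystone/keystone.db" dev=dm-0 ino=1320 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_var_lib_t:s0 tclass=file
type=AVC msg=audit(1389045030.900:4510): avc:  denied  { name_connect } for  pid=2233 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# The allow lines of the step 4 module, used by the coverage check.
STEP4_TE='allow httpd_t keystone_var_lib_t:dir { search getattr };
allow httpd_t keystone_var_lib_t:file { read write getattr open setattr };'

# Print "allow <src> <tgt>:<class> { perms };" per (source, target, class)
# triple, permissions merged across denials and sorted for stable output.
avc_to_allow_rules() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ {
            perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
            src = $0; sub(/.*scontext=/, "", src); split(src, s, ":")   # s[3] is the type
            tgt = $0; sub(/.*tcontext=/, "", tgt); split(tgt, t, ":")   # t[3] is the type
            cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
            n = split(perms, p, " "); for (i = 1; i <= n; i++) print s[3], t[3] ":" cls, p[i]
        }' | LC_ALL=C sort -u | awk '
        { k = $1 " " $2
          if (k != prev) { if (prev != "") print "allow " prev " {" perms " };"; prev = k; perms = "" }
          perms = perms " " $3 }
        END { if (prev != "") print "allow " prev " {" perms " };" }'
}

# One "<src> <tgt>:<class> <perm>" line per permission in a set of allow lines.
te_perms() { awk '$1 == "allow" { gsub(/[{};]/, ""); for (i = 4; i <= NF; i++) print $2, $3, $i }' | LC_ALL=C sort -u; }

# List every generated permission the .te does not already grant; empty output
# means the module covers all observed denials. Leftovers outside
# keystone_var_lib_t (here the MySQL port) belong to their own policy, e.g. the
# httpd_can_network_connect_db boolean, not to this module.
uncovered_perms() {   # $1 = .te text, $2 = generated rules
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | te_perms > "$tmp"
    printf '%s\n' "$2" | te_perms | LC_ALL=C comm -13 "$tmp" -
    rm -f "$tmp"
}

echo "Rules from denials:"; avc_to_allow_rules "$SAMPLE_AVC"
echo "Not covered by step 4 module:"; uncovered_perms "$STEP4_TE" "$(avc_to_allow_rules "$SAMPLE_AVC")"
```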

5. Create the keystone httpd config.

 cat  << EOF > /etc/httpd/conf.d/wsgi-keystone.conf
 WSGIDaemonProcess keystone processes=5 threads=1 user=keystone
 WSGIProcessGroup keystone
 WSGIApplicationGroup %{GLOBAL}
 WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
 WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
 EOF

- Require SSL with mod_nss.

 cat  << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
 <Location "/keystone">
   NSSRequireSSL
   AuthType None
 </Location>
 EOF

- Require SSL with mod_ssl.

 cat  << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
 <Location "/keystone">
   SSLRequireSSL
   AuthType None
 </Location>
 EOF

- Do not require SSL.

 cat  << EOF >> /etc/httpd/conf.d/wsgi-keystone.conf
 <Location "/keystone">
   AuthType None
 </Location>
 EOF

6. Change the keystone config file to reflect this new port and endpoints.

 cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.backup
 openstack-config --set /etc/keystone/keystone.conf DEFAULT public_port 8443
 openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_port 8443
 openstack-config --set /etc/keystone/keystone.conf DEFAULT public_endpoint https://{FQDN}:%\(public_port\)s/keystone/main
 openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_endpoint https://{FQDN}:%\(admin_port\)s/keystone/admin

Note: this example uses mod_nss on port 8443; use port 443 for mod_ssl, or port 80 with http:// if SSL is not required.

7. Start or restart the httpd service.

 service httpd restart

8. Set the new endpoint in the SQL database. In the following examples the admin_token in /etc/keystone/keystone.conf is ADMIN; substitute the token from your config.

- Find the id of the existing keystone service and endpoint.

 keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN service-get keystone|awk -F\| '$2~"id" {print $3}'

- Use the previous service id number to find the endpoint id.

 keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-list | awk -F\| "\$7~\"{SERVICE_ID}\" {print \$2}"

- Delete the old endpoint.

 keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-delete {ENDPOINT_ID}

- Add a new endpoint using the new URL.

 keystone --insecure --os-endpoint https://{FQDN}:8443/keystone/admin/v2.0 --os-token ADMIN endpoint-create --region RegionOne --service-id {SERVICE_ID} --publicurl https://{FQDN}:8443/keystone/main/v2.0 --adminurl https://{FQDN}:8443/keystone/admin/v2.0 --internalurl https://{FQDN}:8443/keystone/main/v2.0

Note: this example uses mod_nss on port 8443; use port 443 for mod_ssl, or port 80 with http:// if SSL is not required.
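The awk in step 8 matches the service_id column with a regex, so a service whose id merely contains the given string would also be selected. As an added example (not part of the wiki procedure), the following parses constructed `keystone endpoint-list` output with exact matching, and lists any endpoint still registered over plain http after the move to TLS; function names and all ids are invented here.

```shell
#!/bin/sh
# Added example, not part of the wiki procedure: parse `keystone endpoint-list`
# output offline. Exact comparison on the service_id column replaces the regex
# match (~) used in step 8, which would also select a service whose id merely
# contains the given string, and a second pass lists endpoints still registered
# over plain http after the move to TLS. On a live host pass the real output:
#   endpoints_not_https "$(keystone endpoint-list)"

# Constructed sample of `keystone endpoint-list` output (all ids are made up;
# the glance service_id deliberately shares a prefix with keystone's).
SAMPLE_ENDPOINT_LIST='+----------------------------------+-----------+---------------------------------------+---------------------------------------+----------------------------------------+----------------------------------+
|                id                |   region  |               publicurl               |              internalurl              |                adminurl                |            service_id            |
+----------------------------------+-----------+---------------------------------------+---------------------------------------+----------------------------------------+----------------------------------+
| 1e0c7c9a7b6f4d0e9f1a2b3c4d5e6f70 | RegionOne | http://keystone.example.com:5000/v2.0 | http://keystone.example.com:5000/v2.0 | http://keystone.example.com:35357/v2.0 | 9f8e7d6c5b4a39281716151413121110 |
| 77aa88bb99cc00dd11ee22ff33aa44bb | RegionOne | https://glance.example.com:9292       | https://glance.example.com:9292       | https://glance.example.com:9292        | 9f8e7d6c0000000000000000deadbeef |
| a0b1c2d3e4f5061728394a5b6c7d8e9f | RegionOne | http://nova.example.com:8774/v2       | http://nova.example.com:8774/v2       | http://nova.example.com:8774/v2        | 0123456789abcdef0123456789abcdef |
+----------------------------------+-----------+---------------------------------------+---------------------------------------+----------------------------------------+----------------------------------+'

# Print the id of every endpoint whose service_id column equals $2 exactly.
# Columns with -F'|': $2 id, $3 region, $4 publicurl, $5 internalurl,
# $6 adminurl, $7 service_id; border rows have NF == 1 and are skipped.
endpoint_id_for_service() {
    printf '%s\n' "$1" | awk -F'|' -v sid="$2" '
        NF >= 7 {
            gsub(/^ +| +$/, "", $2); gsub(/^ +| +$/, "", $7)
            if ($7 == sid) print $2
        }'
}

# Print the id of every endpoint whose publicurl, internalurl or adminurl is
# not https://. Clients send their tokens to these URLs, so after the move to
# mod_nss/mod_ssl any entry listed here still carries tokens in clear text.
endpoints_not_https() {
    printf '%s\n' "$1" | awk -F'|' '
        NF >= 7 && $2 !~ /^ *id *$/ {
            for (i = 4; i <= 6; i++)
                if ($i !~ /^ *https:\/\//) { gsub(/^ +| +$/, "", $2); print $2; break }
        }'
}

echo "keystone endpoint id: $(endpoint_id_for_service "$SAMPLE_ENDPOINT_LIST" 9f8e7d6c5b4a39281716151413121110)"
echo "endpoints not on https:"; endpoints_not_https "$SAMPLE_ENDPOINT_LIST"
```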