Once server side certificates have been set up, setting up client side certificates requires some additional configuration, especially if you want to use them as the source of identity in your applications.
Monthly Archives: March 2012
Setting up SSL with NSS is easier than you think
At least, it is on Fedora 16
sudo yum install mod_nss
/etc/httpd/alias/ is already populated with a self-signed CA and server certificate.
/etc/httpd/conf.d/nss.conf already exists.
Change 8443 to 443 in two places:
--- /etc/httpd/conf.d/nss.conf.orig 2012-03-29 12:59:06.319470425 -0400 +++ /etc/httpd/conf.d/nss.conf 2012-03-29 12:19:38.862721465 -0400 @@ -17,7 +17,7 @@ # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" # -Listen 8443 +Listen 443 ## ## SSL Global Context @@ -81,7 +81,7 @@ ## SSL Virtual Host Context ## -+ # General setup for the virtual host #DocumentRoot "/etc/httpd/htdocs"
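Review bot: the second hunk (@@ -81,7 +81,7 @@) shows only a bare "-" and "+" with no line content, so the change in the Virtual Host section cannot be reviewed from the patch as posted; since the text says 8443 is changed to 443 in two places and the hunk sits just before "# General setup for the virtual host", the missing lines are presumably the VirtualHost directive's port, so confirm that port matches the new "Listen 443" or the virtual host will never be matched. In the first hunk, the unchanged comment above the Listen directive still cites "Listen [::]:8443" as the IPv6 example; anyone following it for a dual-stack host needs to use 443 there as well.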
Make sure your firewall is open on the HTTPS port. Add the following line in /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
before the statement
-A INPUT -j REJECT --reject-with icmp-host-prohibited
and restart the services
sudo systemctl restart iptables.service
sudo systemctl restart httpd.service
The documentation provides a lot more detail. Almost all of these steps are performed by the RPM install on F16 and later.
Shared Nothing Diskless Boot
It is possible to run a computer with no persistent storage for its root file system other than a single image downloaded and held in RAM. The computer does not need a local disk. The computer also does not need a SAN or NAS device for the root file system.
There are numerous uses for this style of booting. A short list:
- Debugging the installation processes of software packages
- Running computationally intensive tasks on a large array of nodes
- Inventorying the hardware on new servers
- Deploying a light management framework for virtualization hypervisors
Fedora 16 Devstack
Devstack is a developer tool for dealing with the wide array of projects that make up openstack. The original devstack is Ubuntu specific. Russell B has been working on getting Fedora its own Devstack. Today, I’m a test subject.
Announcing Dogtag 10.0.0 (Alpha)
The Dogtag team is pleased to announce the availability of an Alpha Release of the Dogtag 10.0 code.
(Reposted from the pki-users mailing list)
HATEOAS Openstack Keystone
Of all the principles of REST, perhaps the most overlooked is Hypermedia as the Engine of Application State, or HATEOAS. This term tries to encapsulate several concepts together, but the primary one is the principle of discoverability.
All future actions the client may take are discovered within resource representations returned from the server.
What does this mean for Keystone?
Dependency Injection in Python
Object oriented design principles are not language specific. While there is variation from language to language in the details of implementation, and some techniques are not appropriate to all languages, for the most part, good design is good design.
F17 Openstack Test Day on Thursday.
If you want Openstack support for Fedora or RHEL, this day is for you! Once we get the F17 code stable, we will use that as the code base for EPEL, so lend a hand.
https://fedoraproject.org/wiki/Test_Day:2012-03-08_OpenStack_Test_Day
I’ll be lurking around to help out with Keystone questions, but at the same time I’ll also be involved with a local installfest, so I expect to be logged in to IRC, but also very much walking around and answering questions... as well as running through test cases myself.
So join us:
IRC #fedora-test-day on Freenode
WebIRC: http://webchat.freenode.net/?channels=fedora-test-day
Booting a LiveCD as a Virtual Machine
As a Fedora Community Member, I always feel guilty if I postpone trying out a testing release of Fedora. Since I have a limited amount of hardware, I can’t just install on a physical machine. Turns out that testing on a virtual machine is about as easy as it can be.
PKI for Keystone
A recent discussion on the Openstack mailing list brought to light the high load that the Keystone server has due to each server having to authenticate each and every request against Keystone.