Openstack Keystone currently operates on-line validation for Tokens. Once a token is issued out, each of the systems presented with the token has to check the validity of the token with the Keystone server. This makes Keystone the highest traffic service in an Openstack deployment. Using Cryptographic Message Syntax (CMS) we can generated a token that can be verified using public key cryptography instead of making a network call. Here’s a proof-of-concept example using the command line tools.
Imagine a locked room with a big window. If I am the only person with a key to room, and I tape a poster up inside the window, everyone can read it, and everyone can state with a pretty high degree of certainty that I was the person that I put up the poster. This is analogy to how you can use PKI to sign a document.
Once server side certificates have been set up, setting up client side certificates requires some additional configuration, especially if you want to use them as the source of identity in your applications.
At least, it is on Fedora 16
sudo yum install mod_nss
/etc/httpd/alias/ is populated already with ca and server cert self signed
/etc/httpd/conf.d/nss.conf already exists
change 8443 to 443 in two places
--- /etc/httpd/conf.d/nss.conf.orig 2012-03-29 12:59:06.319470425 -0400 +++ /etc/httpd/conf.d/nss.conf 2012-03-29 12:19:38.862721465 -0400 @@ -17,7 +17,7 @@ # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443" # -Listen 8443 +Listen 443 ## ## SSL Global Context @@ -81,7 +81,7 @@ ## SSL Virtual Host Context ## -
+ # General setup for the virtual host #DocumentRoot "/etc/httpd/htdocs"
Make sure your firewall is open on the HTTPS port. Add the following line in /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
before the statement
-A INPUT -j REJECT --reject-with icmp-host-prohibited
and restart the services
sudo systemctl restart iptables.service sudo systemctl restart httpd.service
The documentation provides a lot more detail. Almost all of these steps are performed by the RPM install on F16 and later.
The Dogtag team is pleased to announce the availability of an Alpha Release of the Dogtag 10.0 code.
(Reposted from the pki-users mailing list)
A recent discussion on the Openstack mailing list brought to light the high load that the Keystone server has due to each server having to authenticate each and every request against Keystone.
Kerberos is a single sign on solution. AFAICT, it is the only one that solves the problem completely: You confirm that you are who you say you are, and the remote side confirms that it is who you think it is. It doesn’t work over he public internet only due to the fact that most corporate firewalls block the ports it needs. So we want to be able to do Kerberos, or its equivalent from the browser.
The Dogtag PKI project is a long lived project. It is a Java Web Server based application that predates many of the technologies that now are standards of Java Web development. One requirement that has changed over time is how to access the server remotely. Continue reading