Testing PKI Tokens in pre-release Folsom

There have been a few questions regarding PKI tokens and how to test them in the OpenStack code base. Here are the steps:



Status

The revocation code made the cut for Folsom 3, but the fix that makes the request for the revocation list as admin did not. If the PKI token test fails with 401s, it is probably because Keystone is denying the request for the revocation list. This is a known issue; disregard the failure for now, as the fix is committed upstream but is not in the Fedora RPMs yet. Your best bet for testing is therefore still devstack.

Enabling PKI

To check that the PKI code has been merged into the Keystone you are running, look in the Keystone config file under the section

[signing]

You should see a commented-out value:

[signing]
#token_format = PKI

To activate the PKI tokens, uncomment this value and restart Keystone.

As an aside, if you wish to disable PKI tokens, change the value to

[signing]
token_format = UUID


Confirming PKI

When you run keystone token-get, the token should now be several lines long rather than a single 32-character UUID.

By default, services such as glance and nova store their cached copies of the signing certificate, CA certificate and revocation list in ~/keystone-signing/. I tend to test against glance, so after running

glance image-list

you will see:

$ ls ~/keystone-signing/
cacert.pem revoked.pem signing_cert.pem

To change where these files are saved, and put them in the more correct location under /var/cache, create a directory /var/cache/$USER (where $USER is glance, nova, etc.) and modify the config file for the appropriate service to set:

[signing]
signing_dir = /var/cache/glance

This should also exercise Alan Pevec’s change, under which this configuration is read from the application’s paste-config file rather than from Keystone’s config file.
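The checks above are easy to do by hand, but they are also easy to get wrong on a box with several config files, so here is a small POSIX shell script that does them. It is an added example, not code from the original post or from Keystone: it reads token_format from the [signing] section of an INI-style file (ignoring the commented-out default and any same-named key in another section), classifies a token as UUID or PKI by its shape, and confirms that a signing_dir holds the three cached files listed above. The config files, directories and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Keystone.
# Sample configs and directories below are constructed for this example.

# get_ini_value FILE SECTION KEY
# Prints the uncommented value of KEY inside [SECTION]; prints nothing
# when the key is absent or appears only as a commented-out line.
get_ini_value() {
  awk -v section="$2" -v key="$3" '
    /^[ \t]*\[/ {                       # a section header: are we in ours?
      in_section = ($0 ~ ("^[ \t]*\\[" section "\\][ \t]*$"))
      next
    }
    in_section && /^[ \t]*[#;]/ { next } # comment line, e.g. "#token_format = PKI"
    in_section && /=/ {
      k = $0; sub(/=.*/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
        print; exit
      }
    }' "$1"
}

# pki_state FILE -> pki | uuid | unset (unset = only the commented default)
pki_state() {
  case "$(get_ini_value "$1" signing token_format)" in
    PKI|pki)   echo pki ;;
    UUID|uuid) echo uuid ;;
    *)         echo unset ;;
  esac
}

# token_kind TOKEN -> uuid for a 32-hex-digit id, pki for anything else
token_kind() {
  if printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'; then
    echo uuid
  else
    echo pki
  fi
}

# signing_dir_complete DIR -> exit 0 only if all three cached files exist
signing_dir_complete() {
  for f in cacert.pem revoked.pem signing_cert.pem; do
    [ -f "$1/$f" ] || return 1
  done
  return 0
}

# --- constructed sample data (not real Keystone configs) ----------------
SAMPLE=$(mktemp -d)
printf '[DEFAULT]\nverbose = True\n[signing]\n#token_format = PKI\n' > "$SAMPLE/stock.conf"
printf '[signing]\ntoken_format = PKI\n' > "$SAMPLE/pki.conf"
printf '[DEFAULT]\ntoken_format = PKI\n[signing]\ntoken_format = UUID\n' > "$SAMPLE/uuid.conf"
mkdir -p "$SAMPLE/full" "$SAMPLE/partial"
touch "$SAMPLE/full/cacert.pem" "$SAMPLE/full/revoked.pem" "$SAMPLE/full/signing_cert.pem"
touch "$SAMPLE/partial/cacert.pem"

for c in stock pki uuid; do
  printf '%-11s token_format -> %s\n' "$c.conf" "$(pki_state "$SAMPLE/$c.conf")"
done
for d in full partial; do
  if signing_dir_complete "$SAMPLE/$d"; then
    echo "$d: signing_dir cache complete"
  else
    echo "$d: signing_dir cache incomplete"
  fi
done
```

Against a real install you would call pki_state on /etc/keystone/keystone.conf, token_kind on the output of keystone token-get, and signing_dir_complete on whatever signing_dir you configured for the service (or ~/keystone-signing when you left the default). Note that pki_state deliberately reports the commented-out line as unset: the script only tells you what the file explicitly sets, not what Keystone's compiled-in default is.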
