openstack
/
keystone
Code Issues Proposed changes
keystone/doc/source/apache-httpd.rst

3.5 KiB
Raw Blame History

Running Keystone in HTTPD

SSL

To run Keystone in HTTPD, first enable SSL support. This is optional, but highly recommended.

Install mod_nss according to your distribution, then apply the following patch and restart HTTPD:

--- /etc/httpd/conf.d/nss.conf.orig 2012-03-29 12:59:06.319470425 -0400
+++ /etc/httpd/conf.d/nss.conf  2012-03-29 12:19:38.862721465 -0400
@@ -17,7 +17,7 @@
 # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
 #       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
 #
-Listen 8443
+Listen 443

 ##
 ##  SSL Global Context
@@ -81,7 +81,7 @@
 ## SSL Virtual Host Context
 ##

-<virtualhost _default_:8443="">
+<virtualhost _default_:443="">

 #   General setup for the virtual host
 #DocumentRoot "/etc/httpd/htdocs"
</virtualhost></virtualhost>

Firewall

Add the following rule to IPTables in order to ensure the SSL traffic can pass your firewall:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

it goes right before:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

Files

Copy the file httpd/wsgi-keystone.conf to the appropriate location for your apache server, most likely:

/etc/httpd/conf.d/wsgi-keystone.conf

Create the directory /var/www/cgi-bin/keystone/. You can either hardlink or softlink the files main and admin to the file keystone.py in this directory. For a distribution appropriate place, it should probably be copied to:

/usr/share/openstack/keystone/httpd/keystone.py

Keystone's primary configuration file (etc/keystone.conf) and the PasteDeploy configuration file (etc/keystone-paste.ini) must be readable to HTTPD in one of the default locations described in configuration.

SELinux

If you are running with SELinux enabled (and you should be) make sure that the file has the appropriate SELinux context to access the linked file. If you have the file in /var/www/cgi-bin, you can do this by running:

sudo restorecon /var/www/cgi-bin

Putting it somewhere else requires you set up your SELinux policy accordingly.

Keystone Configuration

Make sure you use either the SQL or the memcached driver for tokens, otherwise the tokens will not be shared between the processes of the Apache HTTPD server.

For SQL, in /etc/keystone/keystone.conf make sure you have set:

[token]
driver = keystone.token.backends.sql.Token

For memcache, in /etc/keystone/keystone.conf make sure you have set:

[token]
driver = keystone.token.backends.memcache.Token

In both cases, all servers that are storing tokens need a shared backend. This means either that both point to the same database server, or both point to a common memcached instance.