commit 18d4778cf7bffa60eb2e996a13c129c64f83575f
author Rob Crittenden <rcritten@redhat.com> Wed Mar 19 17:47:42 2014 -0400
committer Rob Crittenden <rcritten@redhat.com> Wed Sep 24 18:36:37 2014 -0400
tree d6d934b05026d32d6942b34a5e3a359202b3996c
parent d60c10d6dbe44445aaab9e3fcc0127e39e989f40

Configure endpoints to use SSL natively or via proxy

Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.

To enable SSL via proxy, in local.conf add

ENABLED_SERVICES+=,tls-proxy

This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certicates are also added to the system CA bundle.

To enable SSL natively, in local.conf add:

USE_SSL=True

Native SSL by default will also use the devstack-generate root and
subordinate CA.

You can override this on a per-service basis by setting

<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca

You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.

Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226

files/apache-keystone.template

diff --git a/files/apache-keystone.template b/files/apache-keystone.template
index 0a286b9..88492d3 100644
--- a/files/apache-keystone.template
+++ b/files/apache-keystone.template
@@ -11,6 +11,9 @@
     </IfVersion>
     ErrorLog /var/log/%APACHE_NAME%/keystone.log
     CustomLog /var/log/%APACHE_NAME%/keystone_access.log combined
+    %SSLENGINE%
+    %SSLCERTFILE%
+    %SSLKEYFILE%
 </VirtualHost>
 
 <VirtualHost *:%ADMINPORT%>
@@ -23,6 +26,9 @@
     </IfVersion>
     ErrorLog /var/log/%APACHE_NAME%/keystone.log
     CustomLog /var/log/%APACHE_NAME%/keystone_access.log combined
+    %SSLENGINE%
+    %SSLCERTFILE%
+    %SSLKEYFILE%
 </VirtualHost>
 
 # Workaround for missing path on RHEL6, see