Generating and configuring tokens PKIs
Keystone uses tokens that are cryptographically signed with a private key and verified against an X.509 certificate that carries the matching public key. Chapter 5, Glance Image Service, discusses advanced configurations. In this recipe, we will use the keystone-manage pki_setup command to generate the PKI key pair and configure Keystone to use it.
How to do it…
Proceed with the following steps:
Generate PKI keys using the keystone-manage pki_setup command:
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
Note
In keystone-manage pki_setup, we use the Keystone Linux user and group accounts, which were created when the openstack-keystone package was installed.
Change the ownership of the generated PKI files:
[root@controller ~]# chown -R keystone:keystone /var/log/keystone /etc/keystone/ssl/
Configure the Keystone service to use the generated PKI files:
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing token_format PKI
[root...
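A check that can follow the ownership step above, as an added example that is not part of the original recipe: the function audit_pki_dir (a hypothetical name) flags anything under the PKI directory that is not owned by the given account and group, anything writable by group or others, and any PEM private key readable by others. Private keys are recognised by their PEM header, so no file names are assumed.

```shell
#!/bin/sh
# Added example (not from the recipe): audit the PKI directory after
# "keystone-manage pki_setup" and the chown step.
#
# Usage: audit_pki_dir DIR OWNER GROUP
# Prints one finding per line as "<KIND> <path>".
# Returns 0 when nothing is found, 1 otherwise.
audit_pki_dir() {
    dir=$1 owner=$2 group=$3
    findings=$(
        # 1. Entries not owned by the service account and its group.
        find "$dir" \( ! -user "$owner" -o ! -group "$group" \) \
            -exec printf 'OWNER %s\n' {} \;

        # 2. Files or directories writable by group or others
        #    (symlinks skipped: their mode bits are not meaningful).
        find "$dir" ! -type l \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'WRITABLE %s\n' {} \;

        # 3. Regular files readable by others that contain a PEM private
        #    key header. Certificates may be world-readable; keys may not.
        find "$dir" -type f -perm -0004 \
            -exec grep -l -e 'PRIVATE KEY-----' {} + 2>/dev/null |
            sed 's/^/KEY_WORLD_READABLE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Invocation with the directory and account named in the recipe:
#   audit_pki_dir /etc/keystone/ssl keystone keystone
```
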