 doc/source/configuration.rst | 53 +++++++++++++++++++++++++++++++++++++++
 1 files changed, 53 insertions, 0 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 9095b7c0..f6fb0239 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -60,6 +60,7 @@ values are organized into the following sections:
* ``[catalog]`` - service catalog driver configuration
* ``[token]`` - token driver configuration
* ``[policy]`` - policy system driver configuration for RBAC
+* ``[ssl]`` - SSL configuration
The Keystone configuration file is expected to be named ``keystone.conf``.
When starting keystone, you can specify a different configuration file to
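Review bot: The new ``[ssl]`` bullet is worded differently from its neighbours; for consistency with "- service catalog driver configuration" and "- token driver configuration", consider "- SSL/TLS configuration for the Keystone server and client authentication", which also tells the reader that this section covers both server-side SSL and client certificate verification rather than just "SSL".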
@@ -149,6 +150,58 @@ choosing the output levels and formats.
.. _Paste: http://pythonpaste.org/
.. _`python logging module`: http://docs.python.org/library/logging.html
+SSL
+---
+
+Keystone may be configured to support 2-way SSL out-of-the-box. The x509
+certificates used by Keystone must be obtained externally and configured for use
+with Keystone as described in this section. However, a set of sample certficates
+is provided in the examples/ssl directory with the Keystone distribution for testing.
+Here is the description of each of them and their purpose:
+
+Types of certificates
+^^^^^^^^^^^^^^^^^^^^^
+
+ca.pem
+ Certificate Authority chain to validate against.
+
+keystone.pem
+ Public certificate for Keystone server.
+
+middleware.pem
+ Public and private certificate for Keystone middleware/client.
+
+cakey.pem
+ Private key for the CA.
+
+keystonekey.pem
+ Private key for the Keystone server.
+
+Note that you may choose whatever names you want for these certificates, or combine
+the public/private keys in the same file if you wish. These certificates are just
+provided as an example.
+
+Configuration
+^^^^^^^^^^^^^
+
+To enable SSL with client authentication, modify the etc/keystone.conf file accordingly
+under the [ssl] section. SSL configuration example using the included sample
+certificates::
+
+ [ssl]
+ enable = True
+ certfile = <path to keystone.pem>
+ keyfile = <path to keystonekey.pem>
+ ca_certs = <path to ca.pem>
+ cert_required = True
+
+* ``enable``: True enables SSL. Defaults to False.
+* ``certfile``: Path to Keystone public certificate file.
+* ``keyfile``: Path to Keystone private certificate file. If the private key is included in the certfile, the keyfile maybe omitted.
+* ``ca_certs``: Path to CA trust chain.
+* ``cert_required``: Requires client certificate. Defaults to False.
+
+
Sample Configuration Files
--------------------------
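Review bot: The option descriptions have a few errors that will mislead operators: ``keyfile`` is described as a "private certificate file" but the value is a private key file (keystonekey.pem), and "the keyfile maybe omitted" should read "may be omitted"; "certficates" in the intro paragraph is also misspelled. More importantly, the relationship between ``ca_certs`` and ``cert_required`` is not documented: ``ca_certs`` is the trust chain used to verify client certificates, so it must be set whenever ``cert_required = True``, and the text should say so, otherwise a reader may enable ``cert_required`` without a CA bundle. Finally, since the sample set ships ``cakey.pem`` (the CA's private key) in the distribution, the "Types of certificates" section should state plainly that the sample CA is for testing only and must not be trusted by a real deployment, because anyone with the sample ``cakey.pem`` can issue client certificates that such a deployment would accept.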