CloudBerry Explorer with IBM Spectrum Scale

Steps to enable CloudBerry explorer to use Object Storage from IBM Spectrum Scale

Prerequisite:
IBM Spectrum Scale 4.2.2 with Object service enabled.
CloudBerry Explorer for Openstack Storage – Build-1.6.2.63

  1. Verify that IBM Spectrum Scale object storage is enabled by running the following commands:

    [root@c1n3 ~]# mmces service list
    Enabled services: OBJ
    OBJ is running

    [root@c1n3 ~]# mmuserauth service list --data-access-method object
    OBJECT access configuration : LOCAL
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_KS_SSL            false
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            none

    Note that ENABLE_KS_SSL is false here: the Keystone endpoint CloudBerry authenticates against is plain http, so the username and password cross the network unencrypted. The later posts on this page cover enabling SSL for Keystone and for the swift proxy.

  2. Configure CloudBerry Explorer with IBM Spectrum Scale Object Storage (the original post shows this step as a series of screenshots, which are not reproduced here).
  3. List/create/upload containers and objects using the swift client:

    [root@c1n3 ~]# swift list
    myFirstContainerFromCloudBerry

    [root@c1n3 ~]# swift post containerFromSwiftClient

    [root@c1n3 ~]# swift list
    containerFromSwiftClient
    myFirstContainerFromCloudBerry

    [root@c1n3 ~]# swift upload myFirstContainerFromCloudBerry anaconda-ks.cfg
    anaconda-ks.cfg

  4. View objects/containers from CloudBerry Explorer (shown as a screenshot in the original post, not reproduced here).

 

“These are my personal views and do not necessarily reflect that of my employer”

 

 

Decoding IBM Spectrum Scale Object Authentication configuration with Active Directory(AD)

One can configure Spectrum Scale object with Active Directory either from the Installer toolkit during deployment, or with the mmuserauth CLI after the Spectrum Scale object service has been enabled.

In this blog entry I am making use of the mmuserauth CLI to configure Spectrum Scale object with Active Directory.

Example of the mmuserauth CLI for configuring Spectrum Scale object with Active Directory:

mmuserauth service create \
  --data-access-method object \
  --type ad \
  --servers 10.0.0.27 \
  --user-dn cn=users,dc=sonas,dc=com \
  --base-dn dc=sonas,dc=com \
  --user-name administrator@sonas.com \
  --password Passw0rd \
  --ks-admin-user keystoneadminuser \
  --ks-swift-user swiftserviceuser \
  --ks-swift-pwd swiftPassw0rd \
  [--user-objectclass organizationalPerson] \
  [--user-name-attrib sAMAccountName] \
  [--user-id-attrib CN]

Note : [option] denotes an optional parameter; the value shown is its default.

There are more options to this CLI; the ones listed above are the important ones.
Refer to the mmuserauth man page for details.

Things to check before configuring Spectrum Scale object with Active Directory

  1. Is the Active Directory server correct and reachable, and do the bind details work?

This simply means validating the following parameters from the mmuserauth example given at the start:
--servers 10.0.0.27
--user-dn cn=users,dc=sonas,dc=com
--user-name administrator@sonas.com
--password Passw0rd

Sample ldapsearch command to validate the AD details:

/usr/bin/ldapsearch -x -H ldap://<--servers> -b <--user-dn> -s sub -o nettimeout=10 -LLL -A -D <--user-name> -w <--password>

The command for my environment:
/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd

The above command prints every entry under the base DN (attribute names only, because of -A), so you can use one of the following to limit what is shown:

/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd dn

OR

/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd cn=administrator

Note : Provide the bind user (i.e. --user-name) in
DN format (example : CN=Administrator,CN=Users,DC=SONAS,DC=COM)
or
user logon name format (example : administrator@sonas.com)

If this step is successful then your Active Directory is correct and reachable, and the bind details provided are valid.

Note : -x with ldap:// is a simple bind over a cleartext connection, so the bind password crosses the network unprotected. Against a production domain controller add -ZZ (require StartTLS) or use ldaps://, and prefer -y <passwordfile> or -W (prompt) over -w so the password does not end up in shell history and process listings.

  2. Is --ks-admin-user keystoneadminuser present in Active Directory?

Note : keystoneadminuser must exist in Active Directory under the provided --user-dn and must have a valid password.

To validate --ks-admin-user, the following options need careful attention:
[--user-objectclass organizationalPerson]
[--user-name-attrib sAMAccountName]
[--user-id-attrib CN]

Sample ldapsearch command to validate --ks-admin-user:
/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd '(&(objectClass=organizationalPerson)(|(sAMAccountName=keystoneadminuser)(CN=keystoneadminuser)))' -z1 dn

This command should return something like
dn: CN=keystoneadminuser,CN=Users,DC=SONAS,DC=COM

This step confirms that your --ks-admin-user is good to go.

Note : Use the short name for --ks-admin-user. Do not use the DN or the user logon name.
For example I am using keystoneadminuser, not
CN=keystoneadminuser,CN=Users,DC=SONAS,DC=COM
or
keystoneadminuser@sonas.com

  3. Are --ks-swift-user and --ks-swift-pwd correct?

Validating that --ks-swift-user exists in Active Directory:
--ks-swift-user swiftserviceuser
--ks-swift-pwd swiftPassw0rd

Sample ldapsearch command to check that --ks-swift-user exists, using the admin credentials:
/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D administrator@sonas.com -w Passw0rd '(&(objectClass=organizationalPerson)(|(sAMAccountName=swiftserviceuser)(CN=swiftserviceuser)))' dn

This command will return something like dn: CN=swiftserviceuser,CN=Users,DC=SONAS,DC=COM. Use this DN to validate the provided --ks-swift-pwd.

Sample ldapsearch command to check that --ks-swift-pwd is correct (a simple bind as the swift service user; a wrong password fails with "Invalid credentials"):

/usr/bin/ldapsearch -x -H ldap://10.0.0.27 -b cn=users,dc=sonas,dc=com -s sub -o nettimeout=10 -LLL -A -D CN=swiftserviceuser,CN=Users,DC=SONAS,DC=COM -w swiftPassw0rd '(objectClass=*)' -z1 dn

If this is successful then you are ready to configure Spectrum Scale with Active Directory.

Note : Use the short name for --ks-swift-user. Do not use the DN or the user logon name.
For example I am using swiftserviceuser, not
CN=swiftserviceuser,CN=Users,DC=SONAS,DC=COM or
swiftserviceuser@sonas.com

  4. Importance of --user-objectclass, --user-name-attrib and --user-id-attrib

All three are used as the initial filter for Keystone users: only users that have these attributes will be listed as Keystone users.
The defaults below are for Active Directory; you can change them as per your environment.
[--user-objectclass organizationalPerson]
[--user-name-attrib sAMAccountName]
[--user-id-attrib CN]
Note : --user-id-attrib must be the attribute used in the user DN. For example, all user DNs in my environment (CN=swiftserviceuser,CN=Users,DC=SONAS,DC=COM) start with CN, hence I am using --user-id-attrib CN.
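The four manual checks above, folded into a small script. This is an added example, not part of the original post and not IBM code. It keeps the post's ldapsearch options but reads the bind password from a file (-y) instead of the command line, requires StartTLS (-ZZ), escapes the username before putting it into the LDAP filter (RFC 4515), and enforces the --user-id-attrib rule by looking at the first RDN of the returned DN. The server address, base DN, bind user and password file path are placeholders; the `runner` argument exists so the lookup can be exercised with canned ldapsearch output.

```python
"""Pre-flight checks for the mmuserauth --type ad parameters, via ldapsearch.

Added example: not part of the original post and not IBM code. It reproduces
the post's manual ldapsearch checks as functions, escapes the username per
RFC 4515 so a value such as "a*b" cannot widen the search, reads the bind
password from a file (-y) instead of the command line (-w), requires
StartTLS (-ZZ), and verifies that --user-id-attrib is the attribute of the
returned DN's first RDN. Server, base DN and password file are placeholders.
"""
import base64
import subprocess
from typing import Callable, List, Optional

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str, objectclass: str = "organizationalPerson",
                name_attrib: str = "sAMAccountName", id_attrib: str = "CN") -> str:
    """Same shape as the post's filter: objectClass AND (name attrib OR id attrib)."""
    u = escape_filter_value(username)
    return f"(&(objectClass={objectclass})(|({name_attrib}={u})({id_attrib}={u})))"


def ldapsearch_argv(server: str, base_dn: str, bind_dn: str, password_file: str,
                    ldap_filter: str, attrs=("dn",), size_limit: Optional[int] = None) -> List[str]:
    """argv for the post's ldapsearch, with -y (password file) instead of -w, plus -ZZ."""
    argv = ["/usr/bin/ldapsearch", "-x", "-ZZ", "-H", f"ldap://{server}", "-b", base_dn,
            "-s", "sub", "-o", "nettimeout=10", "-LLL", "-A", "-D", bind_dn, "-y", password_file]
    if size_limit is not None:
        argv += ["-z", str(size_limit)]
    return argv + [ldap_filter, *attrs]


def parse_dns(ldif: str) -> List[str]:
    """Collect dn: values from -LLL output; 'dn::' lines are base64 (non-ASCII DNs)."""
    dns = []
    for line in ldif.splitlines():
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def rdn_attribute(dn: str) -> str:
    """Attribute type of the first RDN ('CN' for CN=x,CN=Users,DC=sonas,DC=com).

    Walks to the first unescaped comma so a value like 'Doe\\, John' is kept whole.
    """
    i = 0
    while i < len(dn) and dn[i] != ",":
        i += 2 if dn[i] == "\\" else 1
    return dn[:i].split("=", 1)[0].strip()


def run_ldapsearch(argv: List[str]) -> str:
    """Real runner. Exit status 4 (sizeLimitExceeded) still returns the first entry."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode not in (0, 4):
        raise RuntimeError(f"ldapsearch failed ({proc.returncode}): {proc.stderr.strip()}")
    return proc.stdout


def check_user(username: str, server: str, base_dn: str, bind_dn: str, password_file: str,
               objectclass: str = "organizationalPerson", name_attrib: str = "sAMAccountName",
               id_attrib: str = "CN",
               runner: Callable[[List[str]], str] = run_ldapsearch) -> Optional[str]:
    """Look the user up the way Keystone will. Returns the DN, or None if absent.

    Raises ValueError when the DN does not start with --user-id-attrib, which is
    the mismatch the post warns about.
    """
    argv = ldapsearch_argv(server, base_dn, bind_dn, password_file,
                           user_filter(username, objectclass, name_attrib, id_attrib),
                           size_limit=1)
    dns = parse_dns(runner(argv))
    if not dns:
        return None
    if rdn_attribute(dns[0]).lower() != id_attrib.lower():
        raise ValueError(f"--user-id-attrib {id_attrib} does not match DN {dns[0]}")
    return dns[0]


if __name__ == "__main__":
    # Placeholder values; /root/.ad-bind-pw is assumed to hold the bind password.
    for name in ("keystoneadminuser", "swiftserviceuser"):
        print(name, "->", check_user(name, "10.0.0.27", "cn=users,dc=sonas,dc=com",
                                     "administrator@sonas.com", "/root/.ad-bind-pw"))
```

-ZZ makes ldapsearch fail rather than fall back to a cleartext bind, so the domain controller must offer StartTLS and its CA must be trusted (TLS_CACERT in /etc/openldap/ldap.conf). The password check from step 3 is the same call with the swift service user's DN as `bind_dn` and its password file, and filter `(objectClass=*)`.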


Configuring IBM Spectrum Scale Object with SSL enabled External Keystone server

Prerequisite :  

  • IBM Spectrum Scale 4.2.1.x
  • SSL enabled Keystone server.
  • A swift user with a valid password having the 'admin' role in the 'service' tenant of the 'default' domain on the external Keystone server

Endpoints on the external Keystone server will look like:

[root@externalKeystone ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| 78cd570651f34b848890687c4f1578a9 | None      | keystone     | identity     | True    | public    | https://cesip:5000/                     |
| ff82aa833eec42b7a345a1c029b74959 | None      | keystone     | identity     | True    | internal  | https://cesip:35357/                    |
| 692c4bb6c4a14ece9f810ba4fc1944f1 | None      | keystone     | identity     | True    | admin     | https://cesip:35357/                    |
| 52b559474c03454eaef67af14a3c4afe | RegionOne | swift        | object-store | True    | public    | http://c1ces:8080/v1/AUTH_%(tenant_id)s |
| ed14c1c50f3242a0aed61b9ccdfc8c4d | RegionOne | swift        | object-store | True    | internal  | http://c1ces:8080/v1/AUTH_%(tenant_id)s |
| f26a242b71b34128abf87cbc1e8937aa | RegionOne | swift        | object-store | True    | admin     | http://c1ces:8080                       |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+

 

On IBM Spectrum Scale, the object service is assumed to be already configured.
Remove the current object authentication and ID mapping using the following commands:

[root@c1n3 ~]# mmuserauth service remove --data-access-method object
mmuserauth service remove: Command successfully completed

[root@c1n3 ~]# mmuserauth service remove --data-access-method object --idmapdelete
mmuserauth service remove: Command successfully completed

Copy the CA certificate used by the external Keystone server to a protocol node of IBM Spectrum Scale at the following location:

[root@c1n3 ~]# ls /var/mmfs/tmp/ks_ext_cacert.pem
/var/mmfs/tmp/ks_ext_cacert.pem

Run the mmuserauth command on the protocol node where the CA certificate was copied:

[root@c1n3 ~]# mmuserauth service create --data-access-method object --type userdefined --ks-swift-user swift --ks-swift-pwd passw0rd --ks-ext-endpoint https://cesip:5000/v3 --enable-ks-ssl
mmcesobjcrbase: Validating execution environment.
mmcesobjcrbase: Validating Keystone environment.
mmcesobjcrbase: Configuration complete.
Object authentication configuration completed successfully.

Note : The external Keystone server must be reachable from the protocol nodes by the hostname for which its SSL certificate was issued, and the hostname in the Keystone endpoints must match that certificate hostname as well; otherwise certificate verification of the endpoint fails.

IBM Spectrum Scale object is now configured with the SSL-enabled external Keystone server.

The ~/openrc file on the protocol node will be updated with the details of the external Keystone:

[root@c1n3 ~]# cat ~/openrc
export OS_AUTH_URL="https://cesip:5000/v3"
export OS_CACERT="/etc/swift/ks_ext_cacert.pem"
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME="admin"
export OS_PASSWORD=""
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default

Update ~/openrc with a valid username and password from the external Keystone server.

[root@c1n3 ~]# source ~/openrc

Verify that IBM Spectrum Scale object works with the external Keystone server:

[root@c1n3 ~]# swift stat
Account: AUTH_0557d5eb51294e48b1c5041c684b4f66
Containers: 0
Objects: 0
Bytes: 0
Content-Type: text/plain; charset=utf-8
Keep-Alive: timeout=5, max=100


 

IBM Spectrum Scale : Object Authentication

Every object access request on IBM Spectrum Scale is authenticated before data is served. The IBM Spectrum Scale object store relies on Keystone to validate the user before processing a request for object access. Keystone is the identity service used by the various OpenStack services for authentication. The basic Spectrum Scale object access flow is depicted in the following figure.

Figure 1 : Basic Object access request flow (image: ObjectAccessFlow)

IBM Spectrum Scale supports configuring Keystone with different identity backends: Microsoft Active Directory, LDAP, or Postgres. The identity backend is the source of usernames and passwords. Before sending a request to the Spectrum Scale object store, the user/client sends a request to Keystone to obtain the token required for accessing the object service. The request to Keystone contains the username and password. Keystone validates them against the configured identity backend and, on success, returns a token to the user/client, which then presents it on object (swift) requests. The token expires after a predefined time; the expiration period is configurable. A specific token can be revoked from Keystone by sending a token DELETE request, after which requests carrying the revoked token are rejected by the Spectrum Scale object store.

Figure 2 : High level Object authentication configuration and Security aspects addressed by IBM Spectrum Scale (image: SpectrumScaleObjectAuthentication)

The above diagram depicts the various ways to configure object authentication and the security aspects involved.

Object authentication can be configured with one of the following types:

  1. Local: user identities are stored locally in Postgres.
  2. AD: Keystone uses Microsoft Active Directory as the identity backend.
  3. LDAP: Keystone uses LDAP as the identity backend.
  4. Userdefined: Keystone is hosted outside Spectrum Scale, and configuration of the identity server is left to the user.

In the first three types, Keystone runs on all protocol nodes for high availability.

  • Keystone can be configured with https (SSL) for better security; communication between the object/Keystone client and the Keystone server is then over https.
  • IBM Spectrum Scale provides the option to run the communication between the Keystone server and the identity server (Active Directory or LDAP) over TLS.
  • Advanced users who want Keystone features that the Keystone hosted on Spectrum Scale does not provide can configure Spectrum Scale object with an external Keystone using type 'userdefined'. Communication from swift to the external Keystone server can be over https (SSL).
  • When configuring the Spectrum Scale object protocol, one can use either the install toolkit or the mmuserauth command. mmuserauth manages object authentication; the same command is used for file authentication. It has options such as create, list, remove and check. For more details refer to the mmuserauth man page.


Running Openstack-Keystone under Apache

  1. Install the Keystone and Apache (httpd) packages
    [root@deepaknode1 ~]# yum install openstack-keystone openstack-utils openldap-clients python-openstackclient httpd mod_wsgi -y
  2. Copy keystone.py into the httpd cgi-bin directory, one copy per virtual host
    [root@deepaknode1 ~]# mkdir /var/www/cgi-bin/keystone
    [root@deepaknode1 ~]# cp /usr/lib/python2.7/site-packages/keystone/httpd/keystone.py /var/www/cgi-bin/keystone/admin
    [root@deepaknode1 ~]# cp /usr/lib/python2.7/site-packages/keystone/httpd/keystone.py /var/www/cgi-bin/keystone/main

  3. Create /etc/httpd/conf.d/wsgi-keystone.conf with the following content (each virtual host runs in its own WSGI daemon process as the keystone user):
    [root@deepaknode1 ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf
    WSGISocketPrefix /var/run/wsgi
    SetEnv APACHE_RUN_USER keystone
    SetEnv APACHE_RUN_GROUP keystone
    Listen 5000
    <VirtualHost *:5000>
    WSGIDaemonProcess keystone-public user=keystone group=keystone display-name=keystone-public
    WSGIProcessGroup keystone-public
    WSGIImportScript /var/www/cgi-bin/keystone/main process-group=keystone-public application-group=%{GLOBAL}
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    ErrorLog /var/log/keystone/httpd-error.log
    LogLevel info
    CustomLog /var/log/keystone/httpd-access.log combined
    LimitRequestBody 16384
    </VirtualHost>

    Listen 35357
    <VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin user=keystone group=keystone display-name=keystone-admin
    WSGIProcessGroup keystone-admin
    WSGIImportScript /var/www/cgi-bin/keystone/admin process-group=keystone-admin application-group=%{GLOBAL}
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    ErrorLog /var/log/keystone/httpd-error.log
    LogLevel info
    CustomLog /var/log/keystone/httpd-access.log combined
    LimitRequestBody 16384
    </VirtualHost>

  4. Start the httpd service. Make sure the openstack-keystone service is not running, since both would bind ports 5000 and 35357.
    [root@deepaknode1 ~]# service httpd start
    [root@deepaknode3 ~]# service httpd status
    Redirecting to /bin/systemctl status httpd.service
    ...
    Main PID: 16430 (httpd)
    CGroup: /system.slice/httpd.service
    ├─14749 keystone-public -DFOREGROUND
    ├─14750 keystone-admin -DFOREGROUND
    ├─14755 /usr/sbin/httpd -DFOREGROUND
    ├─14756 /usr/sbin/httpd -DFOREGROUND
    ├─14757 /usr/sbin/httpd -DFOREGROUND
  5. Continue with the remaining OpenStack Keystone configuration (database setup and user/project/role/service/endpoint creation).
    Refer to https://deepakrghuge.wordpress.com/2015/10/06/configure-openstack-keystone-for-ibm-spectrum-scale-object-storage/ for the remaining setup. Just make sure to use httpd.service to start/stop Keystone instead of openstack-keystone.service.


Setting up Openstack Keystone with Kerberos

Prerequisite :
- Kerberos server (MIT Kerberos)
- Keystone server running under Apache (Red Hat 7.*)

1. On the Kerberos server

Create a new principal for the Keystone service, named after the Keystone server's hostname (spectrumscale1 here), and export its key to a keytab:

[root@krbserver ~]# kadmin.local
Authenticating as principal root/admin@PUNE-KDC.COM with password.
kadmin.local: addprinc -randkey HTTP/spectrumscale1
kadmin.local: ktadd -k /tmp/http.keytab HTTP/spectrumscale1

Copy /tmp/http.keytab to the Keystone server as /etc/httpd/conf/httpd.keytab. The keytab holds the service's long-term key, so make it owned by the user httpd runs as (apache on Red Hat) with mode 0600, and delete the copy in /tmp once it has been transferred.

2. On Keystone Server

  1. Install the Apache Kerberos module
    [root@KeystoneServer ~]# yum install mod_auth_kerb -y

  2. Update wsgi-keystone.conf with the Kerberos configuration. Only the token-issue path under /krb is protected by Kerberos: mod_auth_kerb authenticates the client via SPNEGO and, because KrbLocalUserMapping strips the realm, hands the bare principal name to Keystone as REMOTE_USER.
    [root@KeystoneServer ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf
    LoadModule auth_kerb_module modules/mod_auth_kerb.so
    WSGISocketPrefix /var/run/wsgi
    SetEnv APACHE_RUN_USER keystone
    SetEnv APACHE_RUN_GROUP keystone
    Listen 5000
    <VirtualHost *:5000>
    WSGIDaemonProcess keystone-public user=keystone group=keystone display-name=keystone-public
    WSGIProcessGroup keystone-public
    WSGIImportScript /var/www/cgi-bin/keystone/main process-group=keystone-public application-group=%{GLOBAL}
    WSGIScriptAlias /krb "/var/www/cgi-bin/keystone/main"
    WSGIScriptAlias / "/var/www/cgi-bin/keystone/main"
    <Location "/krb/v3/auth/tokens">
    LogLevel debug
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP/spectrumscale1
    KrbAuthRealms PUNE-KDC.COM
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    KrbLocalUserMapping on
    require valid-user
    </Location>
    ErrorLog /var/log/keystone/httpd-error.log
    LogLevel info
    CustomLog /var/log/keystone/httpd-access.log combined
    LimitRequestBody 16384
    </VirtualHost>

    Listen 35357

    <VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin user=keystone group=keystone display-name=keystone-admin
    WSGIProcessGroup keystone-admin
    WSGIImportScript /var/www/cgi-bin/keystone/admin process-group=keystone-admin application-group=%{GLOBAL}
    WSGIScriptAlias /krb "/var/www/cgi-bin/keystone/admin"
    WSGIScriptAlias / "/var/www/cgi-bin/keystone/admin"
    <Location "/krb/v3/auth/tokens">
    LogLevel debug
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP/spectrumscale1
    KrbAuthRealms PUNE-KDC.COM
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    KrbLocalUserMapping on
    require valid-user
    </Location>
    ErrorLog /var/log/keystone/httpd-error.log
    LogLevel info
    CustomLog /var/log/keystone/httpd-access.log combined
    LimitRequestBody 16384
    </VirtualHost>

  3. Install kerberos client package
    yum install krb5-workstation -y

  4. Configure the Kerberos client(as per your environment)
    [root@KeystoneServer ~]# cat /etc/krb5.conf
    [logging]

    [libdefaults]

    default_realm = PUNE-KDC.COM
    [realms]
    PUNE-KDC.COM = {
    kdc = krbserver.in.ibm.com:88
    admin_server = krbserver.in.ibm.com:749

    }
    [domain_realm]
    in.ibm.com = PUNE-KDC.COM
    .in.ibm.com = PUNE-KDC.COM

  5. Get a Kerberos ticket for the user
    [root@KeystoneServer ~]# kinit userrw
    Password for userrw@PUNE-KDC.COM:
    [root@KeystoneServer ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: userrw@PUNE-KDC.COM
    Valid starting Expires Service principal
    2016-02-26T12:17:28 2016-02-27T11:45:15 krbtgt/PUNE-KDC.COM@PUNE-KDC.COM
    renew until 2016-02-26T12:17:28

  6. Curl request for a Keystone token without username and password
    With --negotiate and -u : curl first sends the request without credentials, Apache answers 401 with WWW-Authenticate: Negotiate, and curl retries with the SPNEGO token from the ticket cache, which is why two responses are shown. The auth body has an empty methods list: Apache has already authenticated the user and passed it to Keystone as REMOTE_USER, and the token's user id is that name. (The Server header below discloses the Apache, OpenSSL, PHP and mod_wsgi versions; set ServerTokens Prod in httpd.conf to suppress that.)
    [root@KeystoneServer ~]# curl -i -H "Content-Type:application/json" --negotiate -u : -d '{ "auth": { "identity": { "methods": []}, "scope": { "project": { "domain": { "name": "Default" }, "name": "admin" } } } }' -X POST http://SpectrumScale1:5000/krb/v3/auth/tokens
    HTTP/1.1 401 Unauthorized
    Date: Tue, 01 Mar 2016 07:35:52 GMT
    Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
    WWW-Authenticate: Negotiate
    Content-Length: 381
    Content-Type: text/html; charset=iso-8859-1
    HTTP/1.1 201 Created
    Date: Tue, 01 Mar 2016 07:35:52 GMT
    Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
    X-Subject-Token: MIIHuQYJKoZIhvcNAQcCoIIHVqXmOQZM5KBfGnHhW3FMJW7nXDAELZ0X2s2WO9e6w==
    Vary: X-Auth-Token
    x-openstack-request-id: req-d6738e8b-b9b6-42e7-a615-ae03c8eb563e
    WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvwFfLUoOfh04
    ...
    ...
    3Tg5Ts8goQatVJ5JEnCYqkXIo8Yk5vYB7BWto2FRhDKzcAp75Qqciv6DgT8gnc6
    Content-Length: 1634
    Content-Type: application/json
    {"token": {"methods": [], "roles": [{"id": "e23776346ab747f4bddf7f056b8d62c9", "name": "admin"}], "expires_at": "2016-03-31T07:35:52.528404Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "bb86db4204e84b4b857241a0b23a62fb", "name": "admin"}, "catalog": [{"endpoints": [{"region_id": null, "url": "http://SpectrumScale1:35357/", "region": null, "interface": "admin", "id": "1bd1b57b2cb14e74b5864261588a1e57"}, {"region_id": null, "url": "http://SpectrumScale1:35357/", "region": null, "interface": "internal", "id": "43472eb0474d469c90d85a4dc7c6058d"}, {"region_id": null, "url": "http://SpectrumScale1:5000/", "region": null, "interface": "public", "id": "6a9c87ec04f3480eb254568b60b8db07"}], "type": "identity", "id": "7a22d7f78b224843811ef0708431eb46", "name": "keystone"}], "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "userrw", "name": "userrw"}, "audit_ids": ["rcLqPQp5T6y9hKu12Tle2g"], "issued_at": "2016-03-01T07:35:52.528436Z"}}
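The token exchange described in the Object Authentication section above, and the empty-methods request used behind mod_auth_kerb, as client-side helper code. This is an added example, not part of the original post and not Keystone's own client library. It builds the two request bodies, parses a token response (the token itself travels in the X-Subject-Token header, not the JSON), computes the remaining lifetime, and builds the DELETE request that revokes a token. The sample response is constructed from the token JSON shown above with the catalog removed; the token value and the Keystone URL are placeholders. One thing the sample makes visible: this token was issued for 30 days, whereas Keystone's default `[token] expiration` is 3600 seconds, so a stolen token here stays useful for a month unless it is revoked.

```python
"""Keystone v3 token helpers for the two flows on this page.

Added example: not part of the original post and not Keystone's own client
code. It builds the auth request body for password authentication and for the
mod_auth_kerb path (an empty methods list; Apache sets REMOTE_USER and Keystone
honours it), parses the token Keystone returns, works out remaining lifetime,
and builds the revocation request. The sample response below is constructed
from the token JSON shown on this page with the catalog removed; the token
value is a placeholder.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def _scope(project: str, domain: str) -> Dict:
    return {"project": {"domain": {"name": domain}, "name": project}}


def password_auth_body(username: str, password: str, project: str,
                       user_domain: str = "Default", project_domain: str = "Default") -> Dict:
    """POST /v3/auth/tokens body for a project-scoped token via username/password."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username, "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": _scope(project, project_domain)}}


def external_auth_body(project: str, project_domain: str = "Default") -> Dict:
    """Body used behind Apache/mod_auth_kerb: no identity method, only a scope."""
    return {"auth": {"identity": {"methods": []}, "scope": _scope(project, project_domain)}}


def parse_ts(value: str) -> datetime:
    """Keystone emits ISO 8601 UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value}")


class Token:
    """The parts of a token response a Swift client needs."""

    def __init__(self, subject_token: str, body: Dict):
        t = body["token"]
        self.value = subject_token
        self.user = t["user"]["name"]
        self.project = t["project"]["name"] if "project" in t else None
        self.roles: List[str] = sorted(r["name"] for r in t.get("roles", []))
        self.methods: List[str] = list(t.get("methods", []))
        self.issued_at = parse_ts(t["issued_at"])
        self.expires_at = parse_ts(t["expires_at"])

    def lifetime(self) -> timedelta:
        return self.expires_at - self.issued_at

    def remaining(self, now: Optional[datetime] = None) -> timedelta:
        return self.expires_at - (now or datetime.now(timezone.utc))

    def is_valid(self, now: Optional[datetime] = None) -> bool:
        return self.remaining(now) > timedelta(0)

    def swift_headers(self) -> Dict[str, str]:
        """Header the object request carries; swift validates it with Keystone."""
        return {"X-Auth-Token": self.value}


def parse_token_response(headers: Dict[str, str], body_text: str) -> Token:
    """The token itself is in the X-Subject-Token header, not in the JSON body."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return Token(lowered["x-subject-token"], json.loads(body_text))


def revoke_request(auth_url: str, caller_token: str,
                   subject_token: str) -> Tuple[str, str, Dict[str, str]]:
    """DELETE /v3/auth/tokens: X-Auth-Token authorises, X-Subject-Token is revoked."""
    url = auth_url.rstrip("/") + "/v3/auth/tokens"
    return "DELETE", url, {"X-Auth-Token": caller_token, "X-Subject-Token": subject_token}


# Constructed sample: the page's token JSON with the catalog removed.
SAMPLE_HEADERS = {"X-Subject-Token": "placeholder-token-value"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": [],
    "roles": [{"name": "admin"}],
    "expires_at": "2016-03-31T07:35:52.528404Z",
    "project": {"domain": {"name": "Default"}, "name": "admin"},
    "user": {"domain": {"name": "Default"}, "id": "userrw", "name": "userrw"},
    "issued_at": "2016-03-01T07:35:52.528436Z"}})

if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(tok.user, tok.project, tok.roles, "lifetime:", tok.lifetime())
    print(revoke_request("https://cesip:5000", "admin-token", tok.value))
```

`revoke_request` returns the method, URL and headers rather than sending them, so it can be driven from whichever HTTP client is in use; the caller's own token goes in X-Auth-Token and the token being revoked in X-Subject-Token.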


Openstack Swift with SSL(https)

Following are the steps to enable SSL on the OpenStack swift proxy, for secure data transfer between the swift proxy server and the swift client.

Prerequisite :
– Set of ssl certificate (CA signed or Locally generated)
– Up and Running Openstack Keystone and Swift.

WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment. 

1. Copy the SSL certificates under the /etc/swift directory on all protocol nodes. Make sure the certificate covers the swift endpoint hostname (in our case Node3). Clients that follow RFC 6125 check the subjectAltName and only fall back to the CN when no SAN is present, so a certificate with only a CN may be rejected by newer clients.

2. The swift user must own the certificate and key files on all protocol nodes, and the private key should be readable by nobody else:
[root@Node3]# ls -al /etc/swift/ssl_*
-rw-------. 1 swift swift 2864 Dec 8 23:56 /etc/swift/ssl_cert.pem
-rw-------. 1 swift swift 887 Dec 8 23:56 /etc/swift/ssl_key.pem

3. Update the SSL certificate details in proxy-server.conf
[root@Node3]# mmobj config change --ccrfile proxy-server.conf --section DEFAULT --property key_file --value /etc/swift/ssl_key.pem

[root@Node3]# mmobj config change --ccrfile proxy-server.conf --section DEFAULT --property cert_file --value /etc/swift/ssl_cert.pem

4. Update the swift endpoints to https
# content of ~/openrc

[root@Node3 ~]# cat ~/openrc
export OS_AUTH_URL="http://Node3:35357/v3"
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME="admin"
export OS_PASSWORD="passw0rd"
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default

[root@Node3 ~]# source ~/openrc

The existing swift endpoints look like:
[root@Node3 swift]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| 93fa11d1fa7b4622abc857f964676e68 | RegionOne | swift        | object-store | True    | public    | http://Node3:8080/v1/AUTH_%(tenant_id)s |
| 9f271a9d2b14471c8bbad7edca8c4a18 | RegionOne | swift        | object-store | True    | internal  | http://Node3:8080/v1/AUTH_%(tenant_id)s |
| d70496da0a884381a818623ca5b7c501 | RegionOne | swift        | object-store | True    | admin     | http://Node3:8080                       |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+

Change the swift endpoints to https (change the endpoint IDs as per your environment):
openstack endpoint set --url 'https://Node3:8080/v1/AUTH_%(tenant_id)s' 93fa11d1fa7b4622abc857f964676e68
openstack endpoint set --url 'https://Node3:8080/v1/AUTH_%(tenant_id)s' 9f271a9d2b14471c8bbad7edca8c4a18
openstack endpoint set --url 'https://Node3:8080' d70496da0a884381a818623ca5b7c501

The updated swift endpoints look like:
[root@Node3 swift]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                      |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| 93fa11d1fa7b4622abc857f964676e68 | RegionOne | swift        | object-store | True    | public    | https://Node3:8080/v1/AUTH_%(tenant_id)s |
| 9f271a9d2b14471c8bbad7edca8c4a18 | RegionOne | swift        | object-store | True    | internal  | https://Node3:8080/v1/AUTH_%(tenant_id)s |
| d70496da0a884381a818623ca5b7c501 | RegionOne | swift        | object-store | True    | admin     | https://Node3:8080                       |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+

5. Sample swift client command
[root@Node3]# swift –os-cacert ssl_cacert.pem stat
Account: AUTH_afcc267ea2c842e59082162118d5047e
Containers: 0
Objects: 0
Bytes: 0
X-Put-Timestamp: 1449638753.75244
X-Timestamp: 1449638753.75244
X-Trans-Id: txe9e7ceb7a31c48e193495-005667bb61
Content-Type: text/plain; charset=utf-8
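Steps 1, 2 and 4 above, automated and checked. This is an added example, not part of the original post and not an OpenStack tool. It parses the `openstack endpoint list` table, emits the `openstack endpoint set --url` commands for every object-store endpoint still on http, checks that the proxy certificate's subjectAltName (or its CN, only when there is no SAN) covers each endpoint host, which is what a verifying client actually tests, and flags a key file whose mode lets group or others read it. The table and certificate are constructed from the page's values; the certificate dict uses the shape Python's `ssl` module returns from `getpeercert()`.

```python
"""Move Swift endpoints to https and check the certificate covers the host.

Added example: not part of the original post and not an OpenStack tool. It
parses the `openstack endpoint list` table shown on this page, emits the
`openstack endpoint set --url` commands for every object-store endpoint still
on http, checks that the proxy certificate's SAN (or the CN, only when there
is no SAN) covers each endpoint host, and flags a key file that is readable
by group or others. The table and certificate below are constructed from
the page's values.
"""
import os
import shlex
import stat
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_endpoint_table(text: str) -> List[Dict[str, str]]:
    """Rows of the `openstack endpoint list` table as dicts keyed by header."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.lstrip().startswith("|"):
            continue                     # +----+ separator lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def https_rewrites(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(endpoint ID, new URL) for each object-store endpoint still using http."""
    out = []
    for r in rows:
        if r.get("Service Type") != "object-store":
            continue
        parts = urlsplit(r["URL"])
        if parts.scheme == "http":
            out.append((r["ID"], urlunsplit(("https",) + tuple(parts[1:]))))
    return out


def endpoint_set_commands(rows: List[Dict[str, str]]) -> List[str]:
    """Shell commands equivalent to step 4; the URL is quoted because of %(...)s."""
    return [f"openstack endpoint set --url {shlex.quote(url)} {eid}"
            for eid, url in https_rewrites(rows)]


def cert_names(cert: Dict) -> List[str]:
    """Names a verifying client accepts: SAN dNSName entries, CN only without a SAN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for kind, v in rdn if kind == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label wildcard in the left-most label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def hosts_not_covered(rows: List[Dict[str, str]], cert: Dict) -> List[str]:
    """Object-store endpoint hosts the certificate would fail verification for."""
    names = cert_names(cert)
    missing = set()
    for r in rows:
        if r.get("Service Type") != "object-store":
            continue
        host = urlsplit(r["URL"]).hostname or ""   # urlsplit lowercases the host
        if not any(name_matches(n, host) for n in names):
            missing.add(host)
    return sorted(missing)


def mode_problems(st_mode: int) -> List[str]:
    """Complaints about a private key's permission bits (expect 0600)."""
    problems = []
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(st_mode):04o} is accessible beyond the owner; use 0600")
    return problems


def key_file_problems(path: str) -> List[str]:
    return mode_problems(os.stat(path).st_mode)


# Constructed sample: the page's endpoint table and a certificate for Node3.
SAMPLE_TABLE = """\
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| 93fa11d1fa7b4622abc857f964676e68 | RegionOne | swift        | object-store | True    | public    | http://Node3:8080/v1/AUTH_%(tenant_id)s |
| 9f271a9d2b14471c8bbad7edca8c4a18 | RegionOne | swift        | object-store | True    | internal  | http://Node3:8080/v1/AUTH_%(tenant_id)s |
| d70496da0a884381a818623ca5b7c501 | RegionOne | swift        | object-store | True    | admin     | http://Node3:8080                       |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
"""
SAMPLE_CERT = {"subject": ((("commonName", "Node3"),),), "subjectAltName": (("DNS", "Node3"),)}

if __name__ == "__main__":
    rows = parse_endpoint_table(SAMPLE_TABLE)
    print("\n".join(endpoint_set_commands(rows)))
    print("hosts not covered by cert:", hosts_not_covered(rows, SAMPLE_CERT))
```

Feed the real table in with `parse_endpoint_table(subprocess.check_output(["openstack", "endpoint", "list"], text=True))`, and the real certificate with `ssl.create_default_context().wrap_socket(...).getpeercert()` against the proxy once it is up, or keep it offline as shown.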
