HP HPE VAN SDN Controller 2.7 - Keystone Controller Configuration; Security

231 pages

Save Page as PDF

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

Keystone controller configuration

The following Keystone controller configuration is set in the controller UI Configurations screen

in the System tab under the com.hp.sdn.adm.auth.impl.AuthenticationManager

component. The keys are described as follows:

AdminToken – Keystone admin token.

ConnPoolEvictPeriod – Keystone idle connection clean-up cycle in milliseconds. Minimum

is 100.

ConnPoolMaxActive – Keystone maximum active connections. Minimum is 1.

ConnPoolMaxIdle – Keystone maximum idle connections. Minimum is 1.

ConnPoolMinIdleTime – Keystone minimum idle connection time in milliseconds. Minimum

is 1000.

ConnSSLClientAuth – Keystone mutual authentication using TLS.

ConnTimeout – Keystone connection timeout in milliseconds. Minimum is 0.

Keystore – Keystone keystore location.

KeystorePass – Keystone keystore password.

MaxCachedTokens – Maximum number of cached tokens. Minimum is 0.

PKICertsDownloadHour – Hour in a 24 hour day (0-23) when PKI certificates download form

the Keystore server occur.

PKICertsPath – Keystone PKI (signing and CA) certificates location.

RevListPollPeriod – Keystone PKI revocation list poll interval in seconds.

ServerPort – Keystone server port.

ServerVIP – Keystone server virtual IP.

ServiceRole – Role for shared secret.

ServiceTenant – Tenant (project) for shared secret.

ServiceToken – Shared secret for internal requests.

ServiceTokenTimeout – Timeout for shared secret, 0 for never. Minimum is 1.

ServiceUser – User for shared secret.

Tenant – Keystone tenant (only a single tenant is supported).

TokenProvider – Keystone token provider (Auto-Detect | PKI | PKIZ | UUID)

Truststore – Keystone truststore location.

TruststorePass – Keystone truststore password.

UserRole – Keystone user role (only a single role is supported. Only a user having this role is

allowed access to the controller.

For information on Keystone, see the OpenStack Keystone documentation at http://

docs.openstack.org/developer/keystone/.

Security

Since tokens for either providers (UUID, PKI, or PKIZ) are bearer tokens, they should be protected

by using mutually authenticated TLS. This can be accomplished by using valid PKI transport

configuration as described in “Changing the default controller keystore and truststore to use CA

signed certificates” (page 110):

REST authentication 117

Table of Contents

Related product manuals

Preview: HP HPE MR Gen11

HP HPE MR Gen11

Preview: HP P420

Preview: HP 4400

Preview: HP MSM7XX

Preview: HP MSM720

Preview: HP E-MSM720

Preview: HP MR Gen10 Plus

HP MR Gen10 Plus

Preview: HP 9000 300 Series

HP 9000 300 Series

Preview: HP Smart Array P830

HP Smart Array P830

Preview: HP Smart Array P800

HP Smart Array P800

Preview: HP StorageWorks P2000

HP StorageWorks P2000