Integrating with Keystone Identity Service
You need to use either an external or an internal Keystone server with the IBM Spectrum Scale™ system to configure an authentication method for object users. This Keystone server works with an external authentication server such as AD or LDAP or with a local database to resolve the authentication requests.
Before you configure authentication for object, ensure that the object services are enabled. To enable object services, use the mmces service enable obj command.
Prerequisites
Ensure that you have the following details before you start configuring local authentication for object access:
- Keystone host name must be defined and configured on all protocol nodes of the cluster. This host name returns one of the CES IP addresses, such as a round-robin DNS. It could also be a fixed IP of a load balancer that distributes requests to one of the CES nodes. This host name is also used to create the Keystone endpoints.
- If you want the Keystone server to use an external CA-signed certificate for signing the Keystone-generated tokens, ensure that the following certificates are available in the /var/mmfs/tmp directory of the node where you run the commands:
- /var/mmfs/tmp/signing_cert.pem
- /var/mmfs/tmp/signing_key.pem
- /var/mmfs/tmp/signing_cacert.pem
Note: By default, the system uses an internal self-signed certificate that is generated by keystone-manage pki_setup.
- If you want to enable SSL on Keystone, ensure that the following certificates are placed in the /var/mmfs/tmp directory of the node where the commands are run:
- /var/mmfs/tmp/ssl_cert.pem
- /var/mmfs/tmp/ssl_key.pem
- /var/mmfs/tmp/ssl_cacert.pem
- /var/mmfs/tmp/ks_ext_cacert.pem
Note: If you are not using an external Keystone server, the IBM Spectrum Scale installation process by default configures the object authentication with local authentication as the authentication method.
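A pre-flight script for the certificate prerequisites above, added here as an example and not IBM's own tooling: it confirms that the files named on this page are readable in /var/mmfs/tmp and, when openssl is installed, that each private key actually belongs to its certificate, since a mismatched signing key is only discovered later when token validation fails. The optional directory argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for the certificate prerequisites above (added example, not
# IBM's code). Verifies that the files the page names exist in /var/mmfs/tmp (or
# the directory given as $1) and, if openssl is installed, that each key matches its cert.
CERT_DIR="${1:-/var/mmfs/tmp}"
# Needed when Keystone signs tokens with an external CA-signed certificate.
SIGNING_FILES="signing_cert.pem signing_key.pem signing_cacert.pem"
# Needed when SSL is enabled on Keystone.
SSL_FILES="ssl_cert.pem ssl_key.pem ssl_cacert.pem ks_ext_cacert.pem"

# missing_files DIR FILE... : prints each unreadable file, returns 1 if any is missing
missing_files() {
  dir="$1"; shift
  rc=0
  for f in "$@"; do
    [ -r "$dir/$f" ] || { echo "$f"; rc=1; }
  done
  return $rc
}

# key_matches_cert CERT KEY : 0 when the key's public half equals the cert's
key_matches_cert() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found, skipping key/cert match check" >&2; return 0
  fi
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_set LABEL CERT KEY FILE... : reports on one prerequisite set
check_set() {
  label="$1"; cert="$2"; key="$3"; shift 3
  if missing=$(missing_files "$CERT_DIR" "$@"); then
    if key_matches_cert "$CERT_DIR/$cert" "$CERT_DIR/$key"; then
      echo "$label: all files present and $key matches $cert"
    else
      echo "$label: $key does not match $cert"; return 1
    fi
  else
    echo "$label: missing in $CERT_DIR:" $missing; return 1
  fi
}

status=0
check_set "token signing (external CA)" signing_cert.pem signing_key.pem $SIGNING_FILES || status=1
check_set "Keystone SSL" ssl_cert.pem ssl_key.pem $SSL_FILES || status=1
echo "preflight result: $status (0 = all prerequisites present)"
```

Run it on the node where you will issue the configuration commands; only the set you intend to use (token signing, SSL, or both) needs to report success.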