Integrating with Keystone Identity Service

You need to use either an external or an internal Keystone server with the IBM Spectrum Scale™ system to configure an authentication method for object users. The Keystone server works either with an external authentication server, such as AD or LDAP, or with a local database to resolve authentication requests.

Before you configure authentication for object, ensure that the object services are enabled. To enable object services, use the mmces service enable obj command.

Prerequisites

Ensure that you have the following details before you start configuring local authentication for object access:
  • Keystone host name must be defined and configured on all protocol nodes of the cluster. This host name must resolve to one of the CES IP addresses, for example through round-robin DNS, or to the fixed IP of a load balancer that distributes requests to one of the CES nodes. This host name is also used to create the Keystone endpoints.
  • If you want the Keystone server to use an external CA-signed certificate for signing the Keystone-generated tokens, ensure that the following certificates are available in the /var/mmfs/tmp directory of the node where you run the commands:
    • /var/mmfs/tmp/signing_cert.pem
    • /var/mmfs/tmp/signing_key.pem
    • /var/mmfs/tmp/signing_cacert.pem
    Note: By default, the system uses an internal self-signed certificate that is generated by keystone-manage pki_setup.
  • If you want to enable SSL on Keystone, ensure that the following certificates are placed in the /var/mmfs/tmp directory of the node where you run the commands:
    • /var/mmfs/tmp/ssl_cert.pem
    • /var/mmfs/tmp/ssl_key.pem
    • /var/mmfs/tmp/ssl_cacert.pem
    • /var/mmfs/tmp/ks_ext_cacert.pem
Note: If you are not using an external Keystone server, the IBM Spectrum Scale installation process by default configures object authentication with local authentication as the authentication method.
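A pre-flight check for the prerequisites above, as an added example script that is not part of IBM Spectrum Scale or its documentation: it verifies that the certificate files for each option are present, that private keys are not readable by other users on the node, that each key matches its certificate, and that the Keystone host name resolves only to CES addresses. It assumes Linux protocol nodes with POSIX sh, ls and openssl; the caller passes in the resolved addresses and the output of mmces address list, and the function names are mine.

```shell
#!/bin/sh
# Pre-flight check for the Keystone prerequisites listed above. Added example,
# not part of IBM Spectrum Scale; assumes Linux protocol nodes with POSIX sh,
# ls and openssl. Inputs are passed in so the checks run without cluster access.
SIGNING_FILES="signing_cert.pem signing_key.pem signing_cacert.pem"
SSL_FILES="ssl_cert.pem ssl_key.pem ssl_cacert.pem ks_ext_cacert.pem"

# check_cert_files DIR FILE...: 0 if every listed file exists and is readable.
check_cert_files() {
    dir=$1; shift; rc=0
    for f in "$@"; do
        if [ ! -r "$dir/$f" ]; then echo "missing or unreadable: $dir/$f" >&2; rc=1; fi
    done
    return $rc
}

# check_key_perms FILE: 0 if the private key has no group/other permissions
# (mode 600 or 400), so other users on the node cannot read it.
check_key_perms() {
    perms=$(ls -ld "$1" | cut -c5-10) || return 1
    if [ "$perms" != "------" ]; then echo "$1 is group/world accessible" >&2; return 1; fi
}

# check_key_matches_cert KEY CERT: 0 if the key's public half equals the
# certificate's public key (catches a mismatched signing or SSL key/cert pair).
check_key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# check_keystone_host "RESOLVED_IPS" "CES_IPS": 0 if every address the
# Keystone host name resolves to is a CES address. On a node obtain them with
#   getent ahosts "$KEYSTONE_HOST" | awk '{print $1}' | sort -u
#   mmces address list            (take the address column)
check_keystone_host() {
    rc=0
    for ip in $1; do
        found=0
        for c in $2; do if [ "$ip" = "$c" ]; then found=1; fi; done
        if [ "$found" -eq 0 ]; then echo "$ip is not a CES address" >&2; rc=1; fi
    done
    return $rc
}
```

Run the checks for the options you intend to enable, for example check_cert_files /var/mmfs/tmp $SSL_FILES followed by check_key_perms /var/mmfs/tmp/ssl_key.pem, before running the authentication configuration commands.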