OpenStack controller does not support mutual TLS authentication?

OpenStack clients support mutual TLS authentication with --os-cert and --os-key, but I can’t figure out how to bootstrap where the cloud API requires this. Did I miss something?

Thanks for any suggestions!

If what you are referring to is the Tokenless Authorization with X.509 Client SSL Certificate, I do not believe there is currently charmed support for this as there is no mention of the tokenless_auth config file section within the charm code for Keystone.

However, there are keystone domain subordinates such as keystone-kerberos (for tying into kerberized token authentication) and keystone-saml-mellon (for single sign-on such as google.com and other IDCs). There is also keystone-ldap for tying into AD/LDAP domains, but the keystone-ldap code only supports password authentication as far as I’m aware.

2 Likes