Does the OpenStack plugin work with an https keystone endpoint?

[ftcjeff]

I have set up an OpenStack instance (HPE Helion OpenStack) and all of its endpoints are https-based. Does the OpenBaton OpenStack VIM Driver work with that? I received this message when I tried to register the VIM:

ERROR: HTTP status: 422 response data : {"code":"Bad Request","message":"Not listed Images successfully of VimInstance HOS VIM. Caused by: org.openbaton.exceptions.VimDriverException: Received fatal alert: handshake_failure connecting to POST https://10.70.2.27:5000/v2.0/tokens HTTP/1.1"}

Unfortunately I can't access the logs at the moment, but I was wondering if you've run into this before.

[lorenzotomasini]

Hi @ftcjeff

I merged a pull request #3 that disable the check for ssl self signed certificates. This should mean that https is supported. Anyway we are completely relying on the jCloud library so you can have a look in their documentation too.

But we never tried with HPE Openstack, so it could also be a versioning issue.

[ftcjeff]

Okay, thank you @lorenzotomasini. I built this OpenBaton instance yesterday, so it should definitely have that PR included... Weird, I'll keep looking. Thanks!

[ftcjeff]

It looks like the cert check setting is defaulted correctly (at least according to the logs):

[main] DEBUG org.openbaton.clients.interfaces.client.openstack.OpenstackClient - Loading properties [main] DEBUG org.openbaton.clients.interfaces.client.openstack.OpenstackClient - external-properties-file: /etc/openbaton/plugin/openstack/driver.properties doesn't exist [main] DEBUG org.openbaton.clients.interfaces.client.openstack.OpenstackClient - Loaded properties: {external-properties-file=/etc/openbaton/plugin/openstack/driver.properties, type=openstack, disable-ssl-certificate-checks=true, dns-nameserver=8.8.8.8} [main] DEBUG org.openbaton.clients.interfaces.client.openstack.OpenstackClient - Disable SSL certificate checks: true

Here's the stack trace if it helps:

[pool-1-thread-8] DEBUG org.openbaton.clients.interfaces.client.openstack.OpenstackClient - Listing images for VimInstance with name: HOS VIM [pool-1-thread-8] DEBUG org.jclouds.rest.internal.InvokeHttpMethod - >> invoking AuthenticationApi.authenticateWithTenantNameAndCredentials [pool-1-thread-8] DEBUG org.jclouds.http.internal.JavaUrlHttpCommandExecutorService - Sending request 1789330398: POST https://10.70.2.27:5000/v2.0/tokens HTTP/1.1 [pool-1-thread-8] ERROR org.jclouds.http.internal.JavaUrlHttpCommandExecutorService - Command not considered safe to retry because request method is POST: [method=org.jclouds.openstack.keystone.v2_0.AuthenticationApi.public abstract org.jclouds.openstack.keystone.v2_0.domain.Access org.jclouds.openstack.keystone.v2_0.AuthenticationApi.authenticateWithTenantNameAndCredentials(java.lang.String,org.jclouds.openstack.keystone.v2_0.domain.PasswordCredentials)[admin, PasswordCredentials{username=admin, password=*****}], request=POST https://10.70.2.27:5000/v2.0/tokens HTTP/1.1] [pool-1-thread-8] ERROR org.openbaton.clients.interfaces.client.openstack.OpenstackClient - Received fatal alert: handshake_failure connecting to POST https://10.70.2.27:5000/v2.0/tokens HTTP/1.1 org.jclouds.http.HttpResponseException: Received fatal alert: handshake_failure connecting to POST https://10.70.2.27:5000/v2.0/tokens HTTP/1.1 at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:117) at org.jclouds.rest.internal.InvokeHttpMethod.invoke(InvokeHttpMethod.java:90) at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:73) at org.jclouds.rest.internal.InvokeHttpMethod.apply(InvokeHttpMethod.java:44) at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:156) at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123) at com.sun.proxy.$Proxy57.authenticateWithTenantNameAndCredentials(Unknown Source) at org.jclouds.openstack.keystone.v2_0.functions.AuthenticatePasswordCredentials.authenticateWithTenantName(AuthenticatePasswordCredentials.java:43) at org.jclouds.openstack.keystone.v2_0.functions.AuthenticatePasswordCredentials.authenticateWithTenantName(AuthenticatePasswordCredentials.java:31) at org.jclouds.openstack.keystone.v2_0.functions.internal.BaseAuthenticator.apply(BaseAuthenticator.java:79) at org.jclouds.openstack.keystone.v2_0.functions.internal.BaseAuthenticator.apply(BaseAuthenticator.java:36) at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:148) at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3524) 140,2-9 42% at org.jclouds.rest.internal.DelegatesToInvocationFunction.getInstanceOfTypeWithQualifier(DelegatesToInvocationFunction.java:277) at org.jclouds.rest.internal.DelegatesToInvocationFunction.lookupValueFromGuice(DelegatesToInvocationFunction.java:234) at org.jclouds.rest.internal.DelegatesToInvocationFunction.handle(DelegatesToInvocationFunction.java:152) at org.jclouds.rest.internal.DelegatesToInvocationFunction.invoke(DelegatesToInvocationFunction.java:123) at com.sun.proxy.$Proxy67.getConfiguredRegions(Unknown Source) at org.openbaton.clients.interfaces.client.openstack.OpenstackClient.getZone(OpenstackClient.java:213) at org.openbaton.clients.interfaces.client.openstack.OpenstackClient.listImages(OpenstackClient.java:509) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.openbaton.plugin.PluginListener.executeMethod(PluginListener.java:204) at org.openbaton.plugin.PluginListener.run(PluginListener.java:126) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1989) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1096) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1369) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1353) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1139) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.writePayloadToConnection(JavaUrlHttpCommandExecutorService.java:294) at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.convert(JavaUrlHttpCommandExecutorService.java:170) at org.jclouds.http.internal.JavaUrlHttpCommandExecutorService.convert(JavaUrlHttpCommandExecutorService.java:64) at org.jclouds.http.internal.BaseHttpCommandExecutorService.invoke(BaseHttpCommandExecutorService.java:95) ... 62 more [pool-1-thread-8] DEBUG org.openbaton.clients.interfaces.client.openstack.OpenstackClient - Answer is: { "exception": { "detailMessage": "Received fatal alert: handshake_failure connecting to POST https://10.70.2.27:5000/v2.0/tokens HTTP/1.1", "stackTrace": [], "suppressedExceptions": [] } }

[ftcjeff]

Any thoughts about this? I can't get past the handshake error. I've looked at some options from a few jclouds boards, but nothing has shown any promise.

ubuntu@openbaton:~$ curl --insecure https://10.70.2.27:5000/v2.0 {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "https://10.70.2.27:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

ubuntu@openbaton:~$ curl --insecure https://10.70.2.27:5000/v3 {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": [{"href": "https://10.70.2.27:5000/v3/", "rel": "self"}]}}

[gc4rella]

have you tried downloading and installing the certificate in the local JVM? usually that's done via keytool and it is needed unless disabling completely security mechanisms..

[ftcjeff]

I believe so! I keytool --imported what I believe is the correct certificate.

[KarthiAG]

Hi. Even I too face the same issue. Is this issue resolved by any chance?