How to setup SSL connection for OpenStack cloud object storage (Swift)?

CloudBacko backup software allows you to back up data to OpenStack cloud object storage (Swift). This article shows how to enable SSL in OpenStack for your backup users.

If you are new to OpenStack, you should check with their documentation on general setup available at http://docs.openstack.org/

If you already have a running OpenStack, you can follow our steps to enable SSL.

Assumptions:

Here are the OpenStack versions used in the following examples:

  • OpenStack Havana Series, Release 2013.2.3
  • Swift version: 2.0.2
  • Keystone version: 0.7.1

Here are the values used in the following examples:

  • OpenStack admin user name: admin
  • OpenStack admin user password: admin
  • Tenant (project) name: mybackup
  • Keystone server IP: 10.7.54.7
  • Keystone user authentication URL: https://10.7.54.7:5000/v2.0
  • Keystone admin URL: https://10.7.54.7:35357/v2.0
  • Keystone admin token: 7b05dab9722d44e7b9a82dc0d1ff74ea

Note: The value of the Keystone admin token can be found in the variable name “admin_token” defined inside the keystone configuration file at /etc/keystone/keystone.conf .

Requirements and preparations:

Please set up the following variables in the bash profile and the filters in proxy-server.conf before you set up a tenant (project), user, roles, storage quota, etc.

Step 1: Add the environment variables to .bash_profile

Example (/root/.bash_profile)

----------------------------------------------------------------------------------------------------
    :
    :
  Trimmed
    :
    :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=https://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=https://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
    :
    :
  Trimmed
    :
    :
----------------------------------------------------------------------------------------------------

Please login again for profile to take effect.

Note: The value of the OS_SERVICE_TOKEN can be found in the variable name “admin_token” defined inside the keystone configuration file at /etc/keystone/keystone.conf .

Step 2: Set up the SSL connection for keystone and swift

To set up the SSL certificates, edit the file /etc/keystone/keystone.conf

Assume you have valid certificate files in

/etc/keystone/ssl_cert.pem

/etc/keystone/ssl_key.pem

/etc/keystone/cacert.pem

where

ssl_cert.pem is the server certificate (public key) file,

ssl_key.pem is the private key file, and

cacert.pem is the CA root certificate file.

Since the format of the certificate issued by a CA may differ, always check with your CA for the correct instructions on chaining the certificates.

Example (/etc/keystone/keystone.conf)

----------------------------------------------------------------------------------------------------
    :
    :
    :
  Trimmed
    :
    :
    :

[ssl]
enable = True
certfile = /etc/keystone/ssl_cert.pem
keyfile = /etc/keystone/ssl_key.pem
ca_certs = /etc/keystone/cacert.pem

    :
    :
    :
  Trimmed
    :
    :
    :
----------------------------------------------------------------------------------------------------

Step 3: Restart the keystone service

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# service openstack-keystone restart
Stopping keystone:                                         [  OK  ]
Starting keystone:                                         [  OK  ]
[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 4: List the existing services and note down the id of swift

The '--insecure' switch is required if an untrusted SSL certificate is used.

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|                id                |    name    |     type     |          description           |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba | cinder_v2  |   volumev2   |       Cinder Service v2        |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |    Openstack Image Service     |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |   OpenStack Identity Service   |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |   Neutron Networking Service   |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |   Openstack Compute Service    |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           |
| 8b517bd82d4345c895384f9596a29880 |   swift    | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |      s3      |      Openstack S3 Service      |
+----------------------------------+------------+--------------+--------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

The swift id is 8b517bd82d4345c895384f9596a29880 (the row whose name is swift).

Step 5: List existing swift service endpoints

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+---------------------+----------------------------------+
|                id                |  region   | ......Trimmed...... |            service_id            |
+----------------------------------+-----------+---------------------+----------------------------------+
| 00a39b6e21a24562b470b61a1b82902d | RegionOne |                     | 218b5356d65e4d8382297f72d65c8bbb |
| 047f9c3dd19743e280a553d8a34a9202 | RegionOne |                     | 10f1a022ada246138aba5834e3622a91 |
| 2b89407a81574b2c8f0fdef9eefc507a | RegionOne |                     | 5f805cc7df2a43eb90db6fe11ed682f6 |
| 47b6d5974d744c21a04b6ca2781f57a0 | RegionOne |                     | b703b91737954d01a2d180f6c3d575ba |
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne |                     | b3af7d0a95d34aa7883629df7a7f7f56 |
| 90bb1d878b7045f086e2ada7ce853308 | RegionOne |                     | 3134116675a8420a88ef01cdcb0c8728 |
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne |                     | 11882e74696547b0ba1e4d276074ae37 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne |                     | 8b517bd82d4345c895384f9596a29880 |
| a9b9c9fbef6a44669788c1946a3c8e48 | RegionOne |                     | cc787cf0258e46d6a342e1502e7bf6be |
| c370061d0cc64386a470a5a0fb01e424 | RegionOne |                     | a809ad43f380400cb55ff2520bb27ab0 |
+----------------------------------+-----------+---------------------+----------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

Look up the endpoint of the swift service, i.e. the row with service_id=8b517bd82d4345c895384f9596a29880

Step 6: Delete the insecure swift service endpoint

Delete the service endpoint with the id a1af6685d3e04e5fa7b71f6c244f1393, found in the same row as the swift service_id.

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-delete a1af6685d3e04e5fa7b71f6c244f1393
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Endpoint has been deleted. 
[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 7: Recreate the endpoint with https:// instead

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-create --region RegionOne --service-id=8b517bd82d4345c895384f9596a29880 \
  --publicurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://10.7.54.7:8080/v1' \
  --internalurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s'

WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------------------+
|  Property   |                   Value                      |
+-------------+----------------------------------------------+
|  adminurl   |           https://10.7.54.7:8080/v1          |
|     id      |        fb937c038fd34724bd7415fff3ee7736      |
| internalurl | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|   region    |                 RegionOne                    |
| service_id  |       8b517bd82d4345c895384f9596a29880       |
+-------------+----------------------------------------------+ 
[root@os ~]#
----------------------------------------------------------------------------------------------------
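As an added example (not from the article), the script below reads the keystone service-list and endpoint-list tables of Steps 4 and 5 and derives the Step 6 and Step 7 commands from them, so the ids and URLs are not copied by hand. The two tables are constructed samples in the layout of the article's output; the endpoint-list columns (id, region, publicurl, internalurl, adminurl, service_id) are those of the keystone CLI.

```shell
#!/bin/sh
# Added example (not from the article): derive the Step 6/7 commands from the
# Step 4/5 keystone CLI tables instead of copying ids by hand.
# Both tables below are constructed samples in the layout of the article's output.

SERVICE_LIST='+----------------------------------+------------+--------------+--------------------------------+
|                id                |    name    |     type     |          description           |
+----------------------------------+------------+--------------+--------------------------------+
| 8b517bd82d4345c895384f9596a29880 |   swift    | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |      s3      |      Openstack S3 Service      |
+----------------------------------+------------+--------------+--------------------------------+'

# endpoint-list columns: id | region | publicurl | internalurl | adminurl | service_id
ENDPOINT_LIST='+---+---+---+---+---+---+
| id | region | publicurl | internalurl | adminurl | service_id |
+---+---+---+---+---+---+
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | http://10.7.54.7:8080/v1/AUTH_%(tenant_id)s | http://10.7.54.7:8080/v1/AUTH_%(tenant_id)s | http://10.7.54.7:8080/v1 | 8b517bd82d4345c895384f9596a29880 |
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne | http://10.7.54.7:8080 | http://10.7.54.7:8080 | http://10.7.54.7:8080 | 11882e74696547b0ba1e4d276074ae37 |
+---+---+---+---+---+---+'

# Print column $2 of every table row (read from stdin) whose column $1, with
# padding stripped, equals $3. Columns are "|"-separated; "+---" borders are skipped.
table_lookup() {
  awk -F'|' -v mc="$1" -v oc="$2" -v want="$3" '
    /^\|/ {
      m = $mc; gsub(/^ +| +$/, "", m)
      if (m == want) { o = $oc; gsub(/^ +| +$/, "", o); print o }
    }'
}
service_id_for()   { table_lookup 3 2 "$1"; }   # service name -> service id  (Step 4)
endpoint_id_for()  { table_lookup 7 2 "$1"; }   # service id   -> endpoint id (Steps 5/6)
public_url_for()   { table_lookup 7 4 "$1"; }
internal_url_for() { table_lookup 7 5 "$1"; }
admin_url_for()    { table_lookup 7 6 "$1"; }

# Rewrite an http:// endpoint URL to https:// (Step 7); other URLs are returned unchanged.
to_https() { printf '%s\n' "$1" | sed 's#^http://#https://#'; }

# Build the Step 7 command for a service id from its current (http) URLs.
recreate_endpoint_cmd() {   # $1 = service id, $2 = publicurl, $3 = adminurl, $4 = internalurl
  printf "keystone --insecure endpoint-create --region RegionOne --service-id=%s --publicurl '%s' --adminurl '%s' --internalurl '%s'\n" \
    "$1" "$(to_https "$2")" "$(to_https "$3")" "$(to_https "$4")"
}

sid=$(printf '%s\n' "$SERVICE_LIST"  | service_id_for swift)
eid=$(printf '%s\n' "$ENDPOINT_LIST" | endpoint_id_for "$sid")
echo "Step 6: keystone --insecure endpoint-delete $eid"
echo "Step 7: $(recreate_endpoint_cmd "$sid" \
  "$(printf '%s\n' "$ENDPOINT_LIST" | public_url_for "$sid")" \
  "$(printf '%s\n' "$ENDPOINT_LIST" | admin_url_for "$sid")" \
  "$(printf '%s\n' "$ENDPOINT_LIST" | internal_url_for "$sid")")"
```

The generated commands keep the article's --insecure switch; once the keystone certificate is issued by a CA the client host trusts, drop it so the CLI verifies the certificate again.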

Step 8: Set up /etc/swift/proxy-server.conf for swift

Edit the file proxy-server.conf and add the SSL settings shown in the example below: cert_file and key_file under [DEFAULT], and the https authentication settings under [filter:authtoken].

Assume you have valid certificate files in

/etc/swift/ssl_cert.pem

/etc/swift/ssl_key.pem

where

ssl_cert.pem is the server certificate (public key) file, and

ssl_key.pem is the private key file.

Since the format of the certificate issued by a CA may differ, always check with your CA for the correct instructions on chaining the certificates.

Example (/etc/swift/proxy-server.conf)

----------------------------------------------------------------------------------------------------
# This file is managed by puppet.  Do not edit
#
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
    :
    :
    :
  Trimmed
    :
    :
    :
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem
    :
    :
    :
  Trimmed
    :
    :
    :

[filter:authtoken]
    :
    :
    :
  Trimmed
    :
    :
    :
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true
----------------------------------------------------------------------------------------------------
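As an added check (not part of the article), the function below audits a proxy-server.conf for the settings Step 8 adds and reports whether the authtoken filter still has insecure = true, which makes the proxy skip verification of the keystone certificate and is only appropriate while that certificate is untrusted. The sample configuration files are constructed; the option names and values are those of Step 8.

```shell
#!/bin/sh
# Added example (not from the article): audit a Swift proxy-server.conf for the
# SSL settings of Step 8. Exit status: 0 = proxy serves TLS and verifies keystone,
# 1 = TLS settings missing or keystone still reached over http,
# 2 = settings present but "insecure = true" disables keystone certificate checks.
check_proxy_conf() {   # $1 = path to proxy-server.conf
  awk '
    /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); next }   # section header
    /^[ \t]*#/ || /^[ \t]*$/ { next }                         # comment or blank line
    index($0, "=") {
      i = index($0, "=")
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (sec == "[DEFAULT]"          && key == "cert_file")     cert  = val
      if (sec == "[DEFAULT]"          && key == "key_file")      keyf  = val
      if (sec == "[filter:authtoken]" && key == "auth_protocol") proto = val
      if (sec == "[filter:authtoken]" && key == "auth_uri")      uri   = val
      if (sec == "[filter:authtoken]" && key == "insecure")      insec = tolower(val)
    }
    END {
      rc = 0
      if (cert == "" || keyf == "") { print "FAIL: cert_file/key_file missing in [DEFAULT]"; rc = 1 }
      if (proto != "https" || uri !~ /^https:\/\//) { print "FAIL: [filter:authtoken] does not use https for keystone"; rc = 1 }
      if (insec == "true") { print "WARN: insecure = true, keystone certificate is not verified"; if (rc == 0) rc = 2 }
      if (rc == 0) print "OK: proxy listens with TLS and verifies keystone over https"
      exit rc
    }' "$1"
}

# Write a constructed sample in the layout of the Step 8 example; $2 is the "insecure" value.
write_sample() {   # $1 = path, $2 = true|false
  cat > "$1" <<EOF
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem

[filter:authtoken]
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = $2
EOF
}

tmp=$(mktemp)
write_sample "$tmp" true          # the article's Step 8 values
check_proxy_conf "$tmp" || echo "exit status $?"
write_sample "$tmp" false         # after the CA is trusted on the proxy host
check_proxy_conf "$tmp"
rm -f "$tmp"
```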

Step 9: Restart the swift related services

Restart the swift related services after you have modified the config file /etc/swift/proxy-server.conf .

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# swift-init main restart
Signal proxy-server  pid: 17166  signal: 15
Signal container-server  pid: 17167  signal: 15
Signal account-server  pid: 17168  signal: 15
Signal object-server  pid: 17169  signal: 15
object-server (17169) appears to have stopped
container-server (17167) appears to have stopped
account-server (17168) appears to have stopped
proxy-server (17166) appears to have stopped
Starting proxy-server...(/etc/swift/proxy-server.conf)
Starting container-server...(/etc/swift/container-server.conf)
Starting account-server...(/etc/swift/account-server.conf)
Starting object-server...(/etc/swift/object-server.conf)
WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment.

[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 10: Test with the swift command

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# swift --insecure stat

       Account: AUTH_49f2482ecff9431bae1d32fa2a004026
    Containers: 8
       Objects: 480
         Bytes: 189030388 
Meta Quota-Bytes: 10737418240
   X-Timestamp: 1412574345.10669
  Content-Type: text/plain; charset=utf-8
 Accept-Ranges: bytes
[root@os ~]#
----------------------------------------------------------------------------------------------------

Backup and Recovery, Without Worries

It is often assumed with cloud backup solutions that your data is safe and secure. It is but you can never be too sure. There is no guarantee that someone won’t hack it or it cannot get infected with a malicious virus. Any kind of problem can arise in your cloud backup data due to negligence. It is important to be vigilant of its protection and security. There are many cloud services available and most of them are free. To choose the best server backup software you need to keep the following considerations in mind:

Accessibility

Storing your data on the cloud means that you should be able to access it from anywhere and anytime. If you are not able to do that, it kills the point for storing it there. Choose a cloud service that will allow you to sync your data with your computer, mobile and other gadgets, in which case you will be able to access it from anywhere even without internet. Web based file management is available on almost all services but not desktop applications.

Security

Cloud computing is as secure as other conventional methods of data storage but data can always be hacked and so it should be protected. You must make sure that the service provider you choose for your cloud storage has security features embedded in order to keep your data safe.

Disaster Recovery

Cloud services come in quite handy when you need to restore lost data. However, your service provider can also face a disaster, so you must know how you will be able to get your backup in case you and the service provider are both hit with a data disaster. You should work out all important details with the provider for emergencies as well.

Data Permissions

Often you can have multiple users accessing your online data. In that case, you need to define who can access the data and who can't, and which data is accessible to them. Data management becomes easier when you know the people who are accessing it and which kind of data is being accessed. All this is important in case a problem occurs or something needs to be fixed quickly.

Do you have worry free cloud backup and recovery? Find out more about our cloud backup data services here.

Amazon Vs. Google: Who Wins The Cloud Battle?

There is an epic battle going on between Amazon and Google regarding their cloud services. Anyone related with IT will know its intricacies and understand them. The general consumer who uses cloud on their email will find it difficult to understand the vastness of the cloud and how important it is for both companies. Let’s start with gaining an understanding of what’s really happening.

What Is The Amazon Vs. Google Battle About?

Amazon set foot in the cloud long before Google cloud backup surfaced and is a market leader by a large margin. Amazon started selling cloud services to companies in 2006 and since then it has been able to upgrade, improve and make its services efficient and cost effective. Amazon clearly has many advantages over Google with its cloud services.

Even though Google had a late start it had its focus straight. What’s important to understand here is the fact that in the future, cloud will probably become a utility to be sold to companies to store their data. That means the competition for Google and Amazon has become cut throat to get the bigger pie of the IT share of the cloud. Amazon already has big players under its belt such as Netflix and it is no wonder that half the internet faces a crackdown when a part of Amazon’s cloud goes down.

What is In The Cloud For Both Companies?

It is estimated that currently only 13% of the company’s data is stored on the cloud; imagine those numbers growing and the potential of immense profits from the cloud selling services to Amazon and Google. In an effort to increase its market share, Google recently cut back on its prices but Amazon is not far away from doing the same. Since its inception, Amazon has lowered prices of its cloud 42 times. With the ongoing battle and obvious leads that both companies have on their respective clouds, the big question is who will win this battle in the end?

Who Will Ultimately Win?

One factor to consider when comparing the two is who can provide faster services? Both companies are investing heavily in infrastructure. Amazon cloud backup offers cheaper cloud but Google provides services 7 to 9 times faster than Amazon does.

Critics argue that a major factor in Amazon's lead is the code for the cloud that it specializes in. When Amazon started its cloud services, it also started introducing a separate code to enable cloud compatibility with the different servers. Today, more and more operating systems have the Amazon cloud code, making it easier for them to avail themselves of Amazon's services. Amazon's estimated revenue for cloud services in 2013 was $3.4 billion. In the end it seems, whatever both companies do, the true consumer of the cloud (big companies) will decide who takes the cloud trophy home!

What is your view about the Amazon vs. Google cloud battle? Find out about our backup solutions here.

CloudBacko releases unlimited free cloud backup solution

CloudBacko just released an unlimited free cloud backup solution, CloudBacko Free. It allows users to combine various free cloud storage services into one big space, thus providing unlimited free cloud storage for backup. It is also the only cloud backup solution that encrypts the filenames as well as the data locally before storing them on the cloud.

Combine all cloud storage into one

Nowadays, free cloud storage with only 15-20GB of free space cannot fulfill the need to back up large amounts of data such as pictures, mp3s, videos, etc. However, as free storage services exist, most users are not willing to spend money on a paid cloud storage service. CloudBacko Free is the solution to meet their need by leveraging the free cloud storage services provided by different service providers. CloudBacko Free can combine all the free cloud accounts of a user into one. It is even able to combine multiple accounts of the same service provider, thus letting the user get unlimited cloud space free of charge. One can always add new accounts to the space when needed.

Besides free cloud storage, CloudBacko Free supports popular paid cloud storage services, including Windows Azure, Amazon S3, Google Cloud Storage, FTP, SFTP, and local drive. Thus, it is also suitable for businesses that have no budget to spend on cloud backup.

Filename and content encryption with 256-bit truly randomized key

What makes people skeptical about cloud backup is the security issue, especially after the case of Edward Snowden. One wouldn’t know when the NSA is going to read his/her private data stored on the public cloud storage accounts. CloudBacko clearly understands such concern and guarantees users of unmatched security. All the data and file/folder names are encrypted with 256-bit truly randomized key on the local computer before sending the data to the cloud. That means the backed up data are impossible to be hacked, not even by supercomputer. Thus, no one, not even NSA, is able to read the backed up data.

Backup through web browser

With CloudBacko Free, everything from backup to restore is done through the user's web browser. No software is required. Thus, one can perform backup and restore anytime, anywhere. For those who need to back up to multiple cloud storages to further eliminate the possibility of data loss, CloudBacko Free allows them to back up to all supported destinations concurrently so that multiple copies of the backup can be kept on different cloud or local destinations.

How it works

How to backup Microsoft Hyper-V to Amazon S3 and local drive

Yeah, we are actively working on video demos for all those who are interested in our product. Here’s another one showing you how you can easily backup your Guest Virtual Machine of Microsoft Hyper-V 2012 to Amazon S3 and local drive with the newly released CloudBacko Pro server backup software. Watch it here:

Licensing

With only 1 perpetual license, you can backup “Unlimited” guest virtual machines in 1 Hyper-V host. Download our 30-days free trial at: http://www.cloudbacko.com/en/download-cloudbacko-advanced-cloud-local-server-workstation-amazon-S3-google-backup-software-free-trial.jsp. No credit card or other personal info required.