Enabling x509 Certificates Authentication with OpenNebula Sunstone


This guide will show you how to enable and use the x509 certificates authentication with OpenNebula Sunstone. In this configuration the authentication is delegated to Apache or any SSL capable HTTP Proxy that has to be configured by the administrator. If this certificate is validated the server will encrypt those credentials and will send the token to OpenNebula.

This guide is for OpenNebula 3.2.x version

Configuration Steps


The Sunstone configuration should look like this:

# OpenNebula sever contact information
:one_xmlrpc: http://localhost:2633/RPC2

# Server Configuration
:port: 9869

# Authentication driver for incomming requests
#   sunstone, for OpenNebula's user-password scheme
#   x509, for x509 certificates based authentication
:auth: x509

# Authentication driver to communicate with OpenNebula core
#   cipher, for symmetric cipher encryption of tokens
#   x509, for x509 certificate encryption of tokens
:core_auth: cipher
  • :auth: We have to set this value to x509, therefore Sunstone users will be authenticated using the x509 certificates instead of the default Basic Auth system.

User —→ x509 certificate —→ Sunstone

  • :core_auth: This parameter defines the encryption system for tokens between Sunstone and OpenNebula. In this howto the default method will be used , cipher(symmetric encryption). x509 encryption requires an extended configuration which will be explained at the end of this guide.

Sunstone —→ Symmetric encryption —→ OpenNebula

The serveradmin user must exist in our OpenNebula user pool:

$ oneuser show serveradmin
USER 632 INFORMATION                                                            
ID             : 632                
NAME           : serveradmin         
GROUP          : oneadmin            
PASSWORD       : bdfreqe1ec3cdb94e3fasdffa9fba71e03asfasd676a
AUTH_DRIVER    : server_cipher       
ENABLED        : Yes  
The sunstone_auth file must exist in the following path /var/lib/one/.one/sunstone_auth in the host where Sunstone is running. This file contains the user:passowrd of serveradmin. This user will be used by the server in order to authenticate on behalf of the users that are interacting with OpenNebula through Sunstone.

$ cat /var/lib/one/.one/sunstone_auth

:!: Note that the serveradmin password stored in OpenNebula is hashed, however this file must contain the plain password.

Restart the Sunstone service and open your browser pointing to the Sunstone endpoint. The login screen should not display the username and password fields anymore, as all information is fetched from the user certificate:


Install Apache and enable the following modules:

sudo apt-get install apache2

sudo a2enmod ssl
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers

Create a new site called opennebula-ssl and place it in the following path /etc/apache2/sites-available/opennebula-ssl. This configuration will:

  • enable SSL: You have to define the paths where the server (SSLCertificateFile, SSLCertificateKeyFile) and CA (SSLCACertificatePath) certificates can be found
  • proxy the request to localhost: You have to define the url where the sunstone server is listenning (ProxyPass ProxyPassReverse)
  • add SSL_CLIENT_* headers: Define the required RequestHeader

The /etc/apache2/sites-available/ path may change depending on the distribution

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin opennebula@localhost

    ErrorLog  /var/log/apache2/error.log
    CustomLog /var/log/apache2/ssl_access.log combined

    <Proxy *>
        Order deny,allow
        Allow from all

    SSLEngine on

    SSLCertificateFile    /path_to_your_server_cert/cert.pem
    SSLCertificateKeyFile /path_to_your_server_key/pk.pem

    SSLCACertificatePath  /path_to_your_ca/

    SSLVerifyClient require
    SSLVerifyDepth 2

    <Location />
      RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
      RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
      RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
      RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
      RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

      ProxyPass        http://localhost:9869/
      ProxyPassReverse http://localhost:9869/

:!: Do not forget to include the RequestHeader lines and enable the module, otherwise the request will be rejected.

Enable this configuration for Apache and restart the service

$ ln -s /etc/apache2/sites-available/opennebula-ssl /etc/apache2/sites-enabled/opennebula-ssl
$ /etc/init.d/apache2 restart

x509 Users

Creating a new user

The user password must contain the user DN, therefore the user must provide this information to the cloud administrator in order to be included in OpenNebula. The user can retrieve this value using the following command on her certificate:

$ openssl x509 -in usercert.pem -noout -subject
subject= /C=ES/ST=MAD/O=ONE/OU=DEV/CN=oneuser

The administrator of the cloud will create a new user using this command:

$ oneuser create OneUser /C=ES/ST=MAD/O=ONE/OU=DEV/CN=oneuser --driver x509

After that the user will be able to login through Sunstone using her own certificate

If you want to allow this user to also use the CLI you have to follow this guide

Updating existing users

If the user already exists her password can be changed using the follwoing command: The administrator of the cloud will create a new user using this command:

$ oneuser passwd OneUser /C=ES/ST=MAD/O=ONE/OU=DEV/CN=oneuser --driver x509

Advanced Configuration

These steps are not required since the authentication between the user and Sunstone is already configured. However, if you want to change the kind of encryption used by Sunstone to send the tokens to OpenNebula, you have to use the following guide. This guide will show you how to enable x509 certificates encryption between Sunstone and OpenNebula.

sunstone_x509 · Last modified: 2012/02/09 11:09 by Daniel Molina
Admin · Login