Comment 0 for bug 1520339

We are not configuring nss as part of the rgw installation when relating with keystone. The consequence is that the RGW is unable to retrieve a list of revoked tokens from keystone and thus cannot remove revoked tokens from its cache. Keystone always encodes and signs the response from .../v2.0/tokens/revoked so we need to configure the 'nss db path'.

More info at http://docs.openstack.org/developer/keystone/api_curl_examples.html#get-tokens-revoked

Also at http://docs.ceph.com/docs/v0.80/radosgw/config/#integrating-with-openstack-keystone