Chapter 18. Identity in OpenStack Security Guide -> Service Authorization  - current - confusing paragraph

Section: Service Authorizationt, last paragraph

This paragraph is confusing or at least awkward. It could be more precise:

For client authentication with SSL, you need to issue certificates. These certificates can be signed by an external authority or by the cloud administrator. OpenStack services by default check the signatures of certificates and connections fail if the signature cannot be checked. If the administrator uses self-signed certificates, the check might need to be disabled. To disable these certificates, set insecure=False in the [filter:authtoken] section in the /etc/nova/api.paste.ini file. This setting also disables certificates for other components.

Consider the following:

Client authentication with SSL requires certificates be issued to services. These certificates can be signed by an external or internal certificate authority. OpenStack services check the validity of certificate signatures against trusted CAs by default and connections will fail if the signature is not valid or the CA is not trusted. Cloud deployers may use self-signed certificates. In this case, the validity check must disabled or the certificate marked as trusted. To disable validation of self-signed certificates set insecure=False in the [filter:authtoken] section of the /etc/nova/api-paste.ini file. This setting also disables certificate validity checks for other components.

-----------------------------------
Built: 2014-07-15T19:04:54 00:00
git SHA: f7711cc343e504283676dfe43afae6faa9046fd7
URL: http://docs.openstack.org/security-guide/content/identity.html
source File: file:/home/jenkins/workspace/security-doc-tox-doc-publishdocs/security-guide/ch_identity.xml
xml:id: identity