Bug 1484390

Summary: Use TLS on the internal network for Keystone
Product: Red Hat OpenStack Reporter: Juan Antonio Osorio <josorior>
Component: openstack-keystoneAssignee: John Dennis <jdennis>
Status: CLOSED ERRATA QA Contact: Prasanth Anbalagan <panbalag>
Severity: high Docs Contact:
Priority: high    
Version: 12.0 (Pike)CC: dbecker, kbasil, mburns, morazi, nkinder, panbalag, rhel-osp-director-maint, srevivo, tvignaud
Target Milestone: betaKeywords: Triaged
Target Release: 12.0 (Pike)   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-keystone-12.0.0-0.20170821133709.e2d33c2.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1484394 1484481 (view as bug list) Environment:
Last Closed: 2017-12-13 21:53:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1484394, 1484481    

Description Juan Antonio Osorio 2017-08-23 12:32:45 UTC 
As part of the TLS everwhere work: keystone should be listening exclusively with TLS.

Public TLS is already covered (from a client in the external network to HAProxy). But internal communications should be covered as well. These include:

* From clients to internal endpoints in HAProxy (keystone haproxy frontends).
* From HAProxy to the actual keystone server instances.
* client connections that keystone uses to communicate with the database.
* client connections that keystone uses to use the message broker (rabbitmq)
Comment 7 errata-xmlrpc 2017-12-13 21:53:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462