Bug 1654892

Summary: Enabling SSL/TLS on all endpoints with IDM is missing some steps
Product: Red Hat OpenStack
Reporter: Mircea Vutcovici <mircea.vutcovici>
Component: documentation
Assignee: Roger Heslop <rheslop>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: high
Docs Contact:
Priority: unspecified
Version: 13.0 (Queens)
CC: mburns, pkesavar, rheslop
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-13 12:56:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Mircea Vutcovici 2018-11-29 23:48:04 UTC
Description of problem:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/#sect-Enabling_Internal_SSLTLS_on_the_Overcloud

In the section: "16.2. Add the undercloud to IdM"

1. There are no details on how to generate an OTP (one-time password) for the ipa_otp field.
We used:
/usr/libexec/novajoin-ipa-setup --principal {{ idm_principal }} --server {{ idm_server }} --realm {{ idm_realm }} --domain {{ idm_domain }} --hostname $(hostname -f) --precreate --password {{ idm_password }}

2. The field "generate_service_certificate" must be set to "true":
generate_service_certificate = true

3. The field "certificate_generation_ca" must be set to IPA.
The value "IPA" is obtained from running the "getcert list-cas" command, as below:
[root@undercloud ~]# getcert list-cas
CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/local-submit

4. The field "service_principal" must be set to: nova/undercloud_FQDN@KERBEROSDOMAIN.COM

5. The following Kerberos principal names must be created:
- nova/undercloud_FQDN@KERBEROSDOMAIN.COM
- openstack/undercloud_FQDN@KERBEROSDOMAIN.COM
They can be created on the IdM server with the following commands:
ipa service-add nova/undercloud.FQDN
ipa service-add openstack/undercloud.FQDN

Please let me know if you have any questions.
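
A consistency check for the undercloud.conf settings listed in items 1 to 4 above, as an added example that is not part of the original report or of Red Hat's documentation. It assumes the options sit in the [DEFAULT] section; the host name, realm and OTP value are constructed placeholders.

```python
import configparser
import re

# Constructed sample of `getcert list-cas` output, trimmed from the listing in the report.
SAMPLE_CAS = """CA 'SelfSign':
\tis-default: no
\tca-type: INTERNAL:SELF
CA 'IPA':
\tis-default: no
\tca-type: EXTERNAL
\thelper-location: /usr/libexec/certmonger/ipa-submit
"""

# Constructed undercloud.conf fragment; FQDN, realm and OTP are placeholders.
SAMPLE_CONF = """[DEFAULT]
generate_service_certificate = true
certificate_generation_ca = IPA
service_principal = nova/undercloud.example.com@EXAMPLE.COM
ipa_otp = PLACEHOLDER-OTP
"""

def parse_cas(text):
    """Return {ca_name: {attribute: value}} from `getcert list-cas` output."""
    cas, current = {}, None
    for line in text.splitlines():
        m = re.match(r"CA '(.+)':\s*$", line)
        if m:
            current = cas.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return cas

def check_undercloud(conf_text, cas_text, fqdn, realm):
    """Return a list of problems; an empty list means the settings match the report."""
    cp = configparser.ConfigParser(interpolation=None)  # an OTP may contain '%'
    cp.read_string(conf_text)
    d = cp["DEFAULT"]  # assumption: the options live in [DEFAULT]
    problems = []
    if d.get("generate_service_certificate", "").lower() != "true":
        problems.append("generate_service_certificate is not true")
    ca = d.get("certificate_generation_ca", "")
    if ca not in parse_cas(cas_text):  # CA names are matched case-sensitively
        problems.append(f"CA {ca!r} not in getcert list-cas output")
    if d.get("service_principal", "") != f"nova/{fqdn}@{realm}":
        problems.append("service_principal is not nova/<FQDN>@<REALM>")
    if not d.get("ipa_otp", "").strip():
        problems.append("ipa_otp is empty")
    return problems
```

On a real undercloud, pass the contents of undercloud.conf and the captured output of getcert list-cas in place of the two constructed samples.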

Comment 4 Roger Heslop 2021-10-13 12:56:30 UTC
Checked that currently tested steps that have been requested are either present or have been added. These steps have been reviewed by QA and implemented in documentation for OSP 161 and later.