Bug 1953344

Summary: [OPS 16] - RHOSP Director should support changing crypto policy inside containers
Product: Red Hat OpenStack Reporter: Matt Flusche <mflusche>
Component: openstack-tripleoAssignee: OSP Team <rhos-maint>
Status: NEW --- QA Contact: Joe H. Rahme <jhakimra>
Severity: high Docs Contact:
Priority: unspecified    
Version: 16.1 (Train)CC: alee, cmuresan, dhill, dwilde, hrybacki, jjung, mburns, nkinder
Target Milestone: ---Keywords: FutureFeature, Reopened
Target Release: ---Flags: hrybacki: needinfo? (nkinder)
jjung: needinfo? (dwilde)
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2064347 (view as bug list) Environment:
Last Closed: 2022-07-11 19:41:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2064347    

Description Matt Flusche 2021-04-25 16:11:20 UTC 
Description of problem:

In this environment, keystone is integrated with active directory via LDAPS.  The LDAP servers are still using 1024 bit SSL keys which require the crypto policy to be set to LEGACY.  The following errors occur in the keystone.log with the DEFAULT crypto policy:

"Verification error: EE certificate key too weak"

A temporary work-around:

# sudo podman exec  keystone update-crypto-policies --set LEGACY
# sudo systemctl restart tripleo_keystone
# sudo podman exec  keystone update-crypto-policies --show
LEGACY

However, this is reverted after overcloud deployment.

Another more permanent work-around:

sudo update-crypto-policies --set LEGACY
sudo cp -fR /etc/crypto-policies /var/lib/config-data/puppet-generated/keystone/etc/
sudo systemctl restart tripleo_keystone 

OSP Director should support changing containers' crypto policy or at least inherit the system's current policy during container startup.


Version-Release number of selected component (if applicable):
16.1

How reproducible:
100%

Steps to Reproduce:
1.see above
Comment 3 Cristian Muresanu 2022-08-19 16:08:23 UTC 
Additional info for the work-around:
~~~
On QA, we did the following steps and it still didn't get LDAPS login working

    sudo podman exec -ti keystone update-crypto-policies --set LEGACY
    sudo podman restart keystone

Then I ended up doing the below step as well and got it working

commented out the following line from /etc/openldap/ldap.conf.

TLS_CACERTDIR /etc/openldap/cacerts
~~~