Bug 1140152 - Keystone LDAPS connection using CA certificate
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 5.0 (RHEL 7)
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: z2
Target Release: 5.0 (RHEL 7)
Assigned To: Nathan Kinder
QA Contact: Udi
Keywords: ZStream
Duplicates: 1140819
Depends On:
Blocks: 1140829
Reported: 2014-09-10 07:29 EDT by Anand Nande
Modified: 2018-02-08 05:22 EST
CC List: 8 users

See Also:
Fixed In Version: openstack-keystone-2014.1.3-1.el7ost
Doc Type: Bug Fix
Doc Text:
Cause: When using an LDAP backend with the Identity service, the connection to the LDAP server can be encrypted using the LDAPS protocol, or the startTLS operation. The certificate trust configuration settings were only taking effect with the startTLS operation, causing them to be ignored when using the LDAPS protocol.
Consequence: Certificate validation errors would be encountered when using the LDAPS protocol to connect to an LDAP server, despite having the proper certificate trust options configured for the Identity service.
Fix: The certificate trust options are applied for both the LDAPS protocol and the startTLS operation when using an encrypted connection to an LDAP server.
Result: Encrypted connections to an LDAP server work properly with no certificate validation errors.
Story Points: ---
Clone Of:
Clones: 1140829
Environment:
Last Closed: 2014-11-03 03:47:44 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers:
  Launchpad 1209343 (priority: None; status: None; summary: None; last updated: Never)
  Red Hat Knowledge Base (Solution) 1191833 (priority: None; status: None; summary: None; last updated: Never)
  OpenStack gerrit 120954 (priority: None; status: None; summary: None; last updated: Never)
  OpenStack gerrit 120959 (priority: None; status: None; summary: None; last updated: Never)
  Red Hat Product Errata RHSA-2014:1790 (priority: normal; status: SHIPPED_LIVE; summary: "Important: openstack-keystone security and bug fix update"; last updated: 2014-11-03 08:47:09 EST)

Comment 2 Nathan Kinder 2014-09-10 12:41:39 EDT
This is a valid bug, but it should also be possible to configure the CA certificate trust at the OpenLDAP library level on the Keystone system.

In the '/etc/openldap/ldap.conf' config file, the directory that contains trusted CA certificates is set in the TLS_CACERTDIR setting (which defaults to '/etc/openldap/certs').  There is an NSS database in here, where the certificate can be imported and trusted using the 'certutil' utility.  Has this approach been attempted?
Comment 3 Eric Rich 2014-09-10 13:30:48 EDT
(In reply to Nathan Kinder from comment #2)
> This is a valid bug, but it should also be possible to configure the CA
> certificate trust at the OpenLDAP library level on the Keystone system.
> 
> In the '/etc/openldap/ldap.conf' config file, the directory that contains
> trusted CA certificates is set in the TLS_CACERTDIR setting (which defaults
> to '/etc/openldap/certs').  There is a NSS database in here, where the
> certificate can be imported and trusted using the 'certutil' utility.  Has
> this approach been attempted?

Are you referring to the procedure listed in: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Cloud_Administrator_Guide/configuring-keystone-for-ldap-backend.html#configuring-keystone-for-ldap-backend-harden

Does the following import the CA to the keystore (or is that an additional step)?

# openstack-config --set /etc/keystone/keystone.conf ldap tls_cacertfile CA_FILE
Comment 4 Nathan Kinder 2014-09-10 14:46:11 EDT
(In reply to Eric Rich from comment #3)
> (In reply to Nathan Kinder from comment #2)
>
> Are you referring to the procedure listed in:
> https://access.redhat.com/documentation/en-US/
> Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Cloud_Administrator_Guide/
> configuring-keystone-for-ldap-backend.html#configuring-keystone-for-ldap-
> backend-harden

No, this is a separate procedure.

> 
> Does the following import the CA to the keystore (or is that an additional
> step). 
> 
> # openstack-config --set /etc/keystone/keystone.conf ldap tls_cacertfile
> CA_FILE

No, this does not import the certificate into the NSS database.  This command simply edits keystone.conf to add:

------------------------------
[ldap]
...
tls_cacertfile = <CA_FILE>
...
------------------------------

The procedure I mentioned previously is configuring the LDAP libraries on the system to trust a CA cert, which applies for anything using the LDAP libraries (including Keystone).
Comment 6 Stephen Gordon 2014-09-11 14:36:41 EDT
*** Bug 1140819 has been marked as a duplicate of this bug. ***
Comment 7 Nathan Kinder 2014-09-11 16:53:51 EDT
Comment #5 is about a different issue (bug 1058484).  Let's keep the conversation separate from this issue related to CA certificate trust.
Comment 8 Nathan Kinder 2014-09-11 20:06:38 EDT
There are two ways of configuring the CA trust for the OpenLDAP libraries that are used by Keystone:

Method 1:
---------
1 - Copy the file containing your CA certificate chain (in PEM format) to /etc/openldap/certs.

2 - Edit /etc/openldap/ldap.conf and add the following directive:

  TLS_CACERT /etc/openldap/certs/<ca file>

Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.

Method 2:
---------
1 - Use certutil to import and trust your CA certificate chain into the NSS certificate database that is used by the OpenLDAP client libraries:

  certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i <ca file>

Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.

You can use a more appropriate certificate nickname for the '-n' option.  This nickname is used to identify the certificate in the NSS database.

2 - Confirm that the CA certificate was imported correctly:

  certutil -d /etc/openldap/certs -L

Your CA certificate should be listed, and the trust attributes should be set to "CT,,".
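A small audit script, added here and not part of the bug report, Keystone or OpenLDAP, that checks an ldap.conf for whichever of the two CA-trust methods above is in place; it assumes only the config path it is given, that a Method 1 bundle is PEM, and that certutil (used only when installed) is the tool to read the NSS database.

```shell
#!/bin/sh
# Added example, not from the bug report: audit which of the two CA-trust
# methods from comment 8 is in place for the OpenLDAP client libraries that
# Keystone links against. Returns 0 when trust is configured and verifiable,
# 3 when an NSS database exists but certutil is not installed to inspect it,
# and 1 when no usable CA trust is configured.
ldap_ca_trust_status() {
    conf="${1:-/etc/openldap/ldap.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Last directive wins, as in OpenLDAP's own parser; comment lines are skipped.
    cacert=$(awk '$1 !~ /^#/ && toupper($1) == "TLS_CACERT" {v = $2} END {print v}' "$conf")
    cacertdir=$(awk '$1 !~ /^#/ && toupper($1) == "TLS_CACERTDIR" {v = $2} END {print v}' "$conf")
    # Method 1: TLS_CACERT names a PEM bundle directly.
    if [ -n "$cacert" ]; then
        if [ -r "$cacert" ] && grep -q 'BEGIN CERTIFICATE' "$cacert"; then
            echo "TLS_CACERT -> $cacert: PEM bundle present"
            return 0
        fi
        echo "TLS_CACERT -> $cacert: missing, unreadable or not PEM" >&2
        return 1
    fi
    # Method 2: an NSS database in TLS_CACERTDIR (default /etc/openldap/certs).
    dir="${cacertdir:-/etc/openldap/certs}"
    if [ ! -f "$dir/cert8.db" ] && [ ! -f "$dir/cert9.db" ]; then
        echo "no TLS_CACERT and no NSS database under $dir" >&2
        return 1
    fi
    if ! command -v certutil >/dev/null 2>&1; then
        echo "NSS database in $dir, but certutil is not installed to inspect it" >&2
        return 3
    fi
    # A CA entry must carry the CT,, trust flags to be trusted for server certs.
    if certutil -d "$dir" -L 2>/dev/null | grep -q 'CT,,'; then
        echo "NSS database $dir has a CA trusted with CT,,"
        return 0
    fi
    echo "NSS database $dir has no CA with CT,, trust" >&2
    return 1
}

# Usage: ldap_ca_trust_status [/path/to/ldap.conf]
if [ -n "${1:-}" ]; then
    ldap_ca_trust_status "$1"
fi
```

Run it after either method (and the Keystone restart from the thread) to confirm the change actually landed where the OpenLDAP libraries will read it.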
Comment 9 Nathan Kinder 2014-09-11 21:04:04 EDT
One more note to add to comment #8 is that the Keystone service needs to be restarted for the changes to take effect.
Comment 10 Nathan Kinder 2014-09-11 21:12:27 EDT
A fix for this has been submitted upstream (for master - Juno):

  https://review.openstack.org/#/c/120954/
Comment 11 Nathan Kinder 2014-09-11 21:19:16 EDT
An upstream backport request for stable/icehouse has been submitted here:

  https://review.openstack.org/120959
Comment 14 Nathan Kinder 2014-10-08 18:55:53 EDT
This was addressed in the upstream 2014.1.3 release.
Comment 16 Udi 2014-10-21 15:45:58 EDT
Verified in:
openstack-keystone-2014.1.3-2.el7ost.noarch
python-keystone-2014.1.3-2.el7ost.noarch
Comment 18 errata-xmlrpc 2014-11-03 03:47:44 EST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1790.html
