Bug 1140152 - Keystone LDAPS connection using CA certificate
Summary: Keystone LDAPS connection using CA certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 5.0 (RHEL 7)
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: z2
Target Release: 5.0 (RHEL 7)
Assignee: Nathan Kinder
QA Contact: Udi Kalifon
URL:
Whiteboard:
Duplicates: 1140819
Depends On:
Blocks: 1140829
Reported: 2014-09-10 11:29 UTC by Anand Nande
Modified: 2022-07-09 07:08 UTC (History)

Fixed In Version: openstack-keystone-2014.1.3-1.el7ost
Doc Type: Bug Fix
Doc Text:
Cause: When using an LDAP backend with the Identity service, the connection to the LDAP server can be encrypted using the LDAPS protocol, or the startTLS operation. The certificate trust configuration settings were only taking effect with the startTLS operation, causing them to be ignored when using the LDAPS protocol.
Consequence: Certificate validation errors would be encountered when using the LDAPS protocol to connect to an LDAP server, despite having the proper certificate trust options configured for the Identity service.
Fix: The certificate trust options are applied for both the LDAPS protocol and the startTLS operation when using an encrypted connection to an LDAP server.
Result: Encrypted connections to an LDAP server work properly with no certificate validation errors.
Clone Of:
Clones: 1140829
Environment:
Last Closed: 2014-11-03 08:47:44 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Launchpad 1209343 0 None None None Never
OpenStack gerrit 120954 0 None None None Never
OpenStack gerrit 120959 0 None None None Never
Red Hat Issue Tracker OSP-16523 0 None None None 2022-07-09 07:08:32 UTC
Red Hat Knowledge Base (Solution) 1191833 0 None None None Never
Red Hat Product Errata RHSA-2014:1790 0 normal SHIPPED_LIVE Important: openstack-keystone security and bug fix update 2014-11-03 13:47:09 UTC

Comment 2 Nathan Kinder 2014-09-10 16:41:39 UTC
This is a valid bug, but it should also be possible to configure the CA certificate trust at the OpenLDAP library level on the Keystone system.

In the '/etc/openldap/ldap.conf' config file, the directory that contains trusted CA certificates is set in the TLS_CACERTDIR setting (which defaults to '/etc/openldap/certs').  There is an NSS database in here, where the certificate can be imported and trusted using the 'certutil' utility.  Has this approach been attempted?

Comment 3 Eric Rich 2014-09-10 17:30:48 UTC
(In reply to Nathan Kinder from comment #2)
> This is a valid bug, but it should also be possible to configure the CA
> certificate trust at the OpenLDAP library level on the Keystone system.
> 
> In the '/etc/openldap/ldap.conf' config file, the directory that contains
> trusted CA certificates is set in the TLS_CACERTDIR setting (which defaults
> to '/etc/openldap/certs').  There is a NSS database in here, where the
> certificate can be imported and trusted using the 'certutil' utility.  Has
> this approach been attempted?

Are you referring to the procedure listed in: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Cloud_Administrator_Guide/configuring-keystone-for-ldap-backend.html#configuring-keystone-for-ldap-backend-harden

Does the following import the CA to the keystore (or is that an additional step)?

# openstack-config --set /etc/keystone/keystone.conf ldap tls_cacertfile CA_FILE

Comment 4 Nathan Kinder 2014-09-10 18:46:11 UTC
(In reply to Eric Rich from comment #3)
> (In reply to Nathan Kinder from comment #2)
>
> Are you referring to the procedure listed in:
> https://access.redhat.com/documentation/en-US/
> Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Cloud_Administrator_Guide/
> configuring-keystone-for-ldap-backend.html#configuring-keystone-for-ldap-
> backend-harden

No, this is a separate procedure.

> 
> Does the following import the CA to the keystore (or is that an additional
> step). 
> 
> # openstack-config --set /etc/keystone/keystone.conf ldap tls_cacertfile
> CA_FILE

No, this does not import the certificate into the NSS database.  This command simply edits keystone.conf to add:

------------------------------
[ldap]
...
tls_cacertfile = <CA_FILE>
...
------------------------------

The procedure I mentioned previously is configuring the LDAP libraries on the system to trust a CA cert, which applies for anything using the LDAP libraries (including Keystone).
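The Doc Text above says the trust options only took effect on the startTLS path. The Python sketch below is an added example, not Keystone's own code: it models that decision against the keystone.conf shape shown in comment 4 and gives a check for whether a given [ldap] section is exposed to the bug. The option names and the sample paths are assumptions.

```python
# Model of the trust-option defect this bug describes; added example, not Keystone's code.
# Assumed: the [ldap] settings are read from keystone.conf and each TLS trust option
# is handed to set_option() the way a python-ldap handler would.  The option names
# below stand in for the ldap.OPT_X_TLS_* constants.
import configparser
from urllib.parse import urlparse

TRUST_KEYS = ("tls_cacertfile", "tls_cacertdir", "tls_req_cert")

def parse_ldap_section(conf_text):
    """Return the [ldap] section of a keystone.conf as a dict (use_tls as bool)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    settings = dict(cp["ldap"])
    settings["use_tls"] = cp.getboolean("ldap", "use_tls", fallback=False)
    return settings

def _push_trust(settings, set_option):
    """Hand every configured trust option to the LDAP library; return what was set."""
    applied = [k for k in TRUST_KEYS if settings.get(k)]
    for key in applied:
        set_option(key, settings[key])
    return applied

def apply_trust_buggy(settings, set_option):
    """Pre-fix behaviour: trust options are only set inside the startTLS branch."""
    if settings["use_tls"]:
        return _push_trust(settings, set_option)  # followed by conn.start_tls_s()
    return []  # an ldaps:// URL with use_tls = False never reaches the options

def apply_trust_fixed(settings, set_option):
    """Post-fix behaviour: any encrypted connection (startTLS or ldaps://) gets them."""
    if settings["use_tls"] or urlparse(settings["url"]).scheme == "ldaps":
        return _push_trust(settings, set_option)
    return []

def trust_silently_ignored(settings):
    """True when a config hits this bug: ldaps:// URL, no startTLS, trust options set."""
    return (urlparse(settings["url"]).scheme == "ldaps"
            and not settings["use_tls"]
            and any(settings.get(k) for k in TRUST_KEYS))

# Constructed keystone.conf fragment in the shape comment 4 shows (paths are made up).
SAMPLE_CONF = """
[ldap]
url = ldaps://ldap.example.com:636
use_tls = False
tls_cacertfile = /etc/keystone/ssl/certs/ca.pem
tls_req_cert = demand
"""
```

Running `trust_silently_ignored(parse_ldap_section(open('/etc/keystone/keystone.conf').read()))` on an affected release tells you whether the configured CA will actually be consulted.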

Comment 6 Stephen Gordon 2014-09-11 18:36:41 UTC
*** Bug 1140819 has been marked as a duplicate of this bug. ***

Comment 7 Nathan Kinder 2014-09-11 20:53:51 UTC
Comment #5 is about a different issue (bug 1058484).  Let's keep the conversation separate from this issue related to CA certificate trust.

Comment 8 Nathan Kinder 2014-09-12 00:06:38 UTC
There are two ways of configuring the CA trust for the OpenLDAP libraries that are used by Keystone:

Method 1:
---------
1 - Copy the file containing your CA certificate chain (in PEM format) to /etc/openldap/certs.

2 - Edit /etc/openldap/ldap.conf and add the following directive:

  TLS_CACERT /etc/openldap/certs/<ca file>

Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.

Method 2:
---------
1 - Use certutil to import and trust your CA certificate chain into the NSS certificate database that is used by the OpenLDAP client libraries:

  certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i <ca file>

Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.

You can use a more appropriate certificate nickname for the '-n' option.  This nickname is used to identify the certificate in the NSS database.

2 - Confirm that the CA certificate was imported correctly:

  certutil -d /etc/openldap/certs -L

Your CA certificate should be listed, and the trust attributes should be set to "CT,,".

Comment 9 Nathan Kinder 2014-09-12 01:04:04 UTC
One more note to add to comment #8 is that the Keystone service needs to be restarted for the changes to take effect.

Comment 10 Nathan Kinder 2014-09-12 01:12:27 UTC
A fix for this has been submitted upstream (for master - Juno):

  https://review.openstack.org/#/c/120954/

Comment 11 Nathan Kinder 2014-09-12 01:19:16 UTC
An upstream backport request for stable/icehouse has been submitted here:

  https://review.openstack.org/120959

Comment 14 Nathan Kinder 2014-10-08 22:55:53 UTC
This was addressed in the upstream 2014.1.3 release.

Comment 16 Udi Kalifon 2014-10-21 19:45:58 UTC
Verified in:
openstack-keystone-2014.1.3-2.el7ost.noarch
python-keystone-2014.1.3-2.el7ost.noarch

Comment 18 errata-xmlrpc 2014-11-03 08:47:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1790.html

