Bug 1484390 - Use TLS on the internal network for Keystone
Summary: Use TLS on the internal network for Keystone
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 12.0 (Pike)
Hardware: All
OS: Linux
high
high
Target Milestone: beta
: 12.0 (Pike)
Assignee: John Dennis
QA Contact: Prasanth Anbalagan
URL:
Whiteboard:
Depends On:
Blocks: 1484394 1484481
TreeView+ depends on / blocked
 
Reported: 2017-08-23 12:32 UTC by Juan Antonio Osorio
Modified: 2018-02-05 19:12 UTC (History)
9 users (show)

Fixed In Version: openstack-keystone-12.0.0-0.20170821133709.e2d33c2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1484394 1484481 (view as bug list)
Environment:
Last Closed: 2017-12-13 21:53:35 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Description Juan Antonio Osorio 2017-08-23 12:32:45 UTC 
As part of the TLS everwhere work: keystone should be listening exclusively with TLS.

Public TLS is already covered (from a client in the external network to HAProxy). But internal communications should be covered as well. These include:

* From clients to internal endpoints in HAProxy (keystone haproxy frontends).
* From HAProxy to the actual keystone server instances.
* client connections that keystone uses to communicate with the database.
* client connections that keystone uses to use the message broker (rabbitmq)
Comment 7 errata-xmlrpc 2017-12-13 21:53:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
Note You need to log in before you can comment on or make changes to this bug.