Bug 1654892 - Enabling SSL/TLS on all endpoints with IDM is missing some steps
Summary: Enabling SSL/TLS on all endpoints with IDM is missing some steps
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
: ---
Assignee: Roger Heslop
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-29 23:48 UTC by Mircea Vutcovici
Modified: 2021-10-13 12:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-13 12:56:30 UTC
Target Upstream Version:



Description Mircea Vutcovici 2018-11-29 23:48:04 UTC
Description of problem:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/#sect-Enabling_Internal_SSLTLS_on_the_Overcloud

In the section: "16.2. Add the undercloud to IdM"

1. There are no details on how to generate an OTP (one time password) for the ipa_otp field.
We used:
/usr/libexec/novajoin-ipa-setup --principal {{ idm_principal }} --server {{ idm_server }} --realm {{ idm_realm }} --domain {{ idm_domain }} --hostname $(hostname -f) --precreate --password {{ idm_password }}

2. The field "generate_service_certificate" must be set to "true":
generate_service_certificate = true

3. The field "certificate_generation_ca" must be set to IPA.
The value "IPA" is obtained from running the "getcert list-cas" command, like below:
[root@undercloud ~]# getcert list-cas
CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/local-submit

4. The field "service_principal" must be set to: nova/undercloud_FQDN@KERBEROSDOMAIN.COM

5. The following Kerberos principal names must be created:
- nova/undercloud_FQDN@KERBEROSDOMAIN.COM
- openstack/undercloud_FQDN@KERBEROSDOMAIN.COM
They can be created on the IdM server with the following commands:
ipa service-add nova/undercloud.FQDN
ipa service-add openstack/undercloud.FQDN

Please let me know if you have any questions.

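The five settings listed in the report, turned into a pre-install check. This is an added example, not code from the bug report, from novajoin or from the Red Hat documentation: a POSIX shell function that reads an undercloud.conf fragment and a captured `getcert list-cas` listing, and reports which of the IdM/novajoin fields are missing or wrong before `openstack undercloud install` is run. The undercloud.conf values, the hostname, the realm and the trimmed CA listing are constructed sample input; the function names (`conf_get`, `ca_known`, `check_undercloud_conf`) are hypothetical.

```shell
#!/usr/bin/env sh
# Constructed undercloud.conf fragment (sample input, not from a real deployment).
SAMPLE_CONF='[DEFAULT]
undercloud_hostname = undercloud.example.com
enable_novajoin = true
ipa_otp = EXAMPLE_OTP_PLACEHOLDER
generate_service_certificate = true
certificate_generation_ca = IPA
service_principal = nova/undercloud.example.com@EXAMPLE.COM
'

# Constructed `getcert list-cas` output, trimmed to the fields the check needs.
SAMPLE_CAS="CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
"

# conf_get CONF KEY -> prints the value of KEY from an ini-style config (first match only).
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# ca_known CAS NAME -> succeeds if the certmonger listing contains a CA called NAME.
ca_known() {
    printf '%s\n' "$1" | grep -q "^CA '$2':"
}

# check_undercloud_conf CONF CAS -> prints one line per finding and returns the number
# of findings, so a zero exit status means every reported field is set as required.
check_undercloud_conf() {
    conf=$1; cas=$2; findings=0
    fqdn=$(conf_get "$conf" undercloud_hostname)

    # Step 2: certmonger must be asked to request a certificate for the undercloud.
    if [ "$(conf_get "$conf" generate_service_certificate)" != "true" ]; then
        echo "generate_service_certificate must be true"; findings=$((findings+1))
    fi

    # Step 3: the CA must be the IPA helper, and certmonger must actually know it.
    ca=$(conf_get "$conf" certificate_generation_ca)
    if [ "$ca" != "IPA" ]; then
        echo "certificate_generation_ca must be IPA (got '${ca:-unset}')"; findings=$((findings+1))
    elif ! ca_known "$cas" "$ca"; then
        echo "certmonger does not list CA '$ca' (check getcert list-cas)"; findings=$((findings+1))
    fi

    # Step 1: the enrollment OTP has to be present (it is produced by novajoin-ipa-setup --precreate).
    if [ -z "$(conf_get "$conf" ipa_otp)" ]; then
        echo "ipa_otp is empty; generate it with novajoin-ipa-setup --precreate"; findings=$((findings+1))
    fi

    # Step 4: the service principal must be nova/<undercloud FQDN>@<REALM>.
    sp=$(conf_get "$conf" service_principal)
    case $sp in
        nova/"$fqdn"@*) ;;
        *) echo "service_principal must be nova/$fqdn@REALM (got '${sp:-unset}')"; findings=$((findings+1)) ;;
    esac

    return $findings
}

# Usage: run the check against the constructed sample, which should pass cleanly.
if check_undercloud_conf "$SAMPLE_CONF" "$SAMPLE_CAS"; then
    echo "undercloud.conf: IdM/novajoin settings look complete"
fi
```

The check only covers what novajoin needs on the undercloud side; step 5 (the `ipa service-add` calls for the nova/ and openstack/ principals) happens on the IdM server and is not visible from undercloud.conf, so it still has to be verified there.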
Comment 4 Roger Heslop 2021-10-13 12:56:30 UTC
Checked that the currently tested steps that have been requested are either present or have been added. These steps have been reviewed by QA and implemented in documentation for OSP 161 and later.