Description of problem:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/#sect-Enabling_Internal_SSLTLS_on_the_Overcloud

In the section "16.2. Add the undercloud to IdM":

1. There are no details on how to generate an OTP (one-time password) for the ipa_otp field. We used:

    /usr/libexec/novajoin-ipa-setup --principal {{ idm_principal }} --server {{ idm_server }} --realm {{ idm_realm }} --domain {{ idm_domain }} --hostname $(hostname -f) --precreate --password {{ idm_password }}

2. The field "generate_service_certificate" must be set to "true":

    generate_service_certificate = true

3. The field "certificate_generation_ca" must be set to IPA. The value "IPA" is obtained from running the "getcert list-cas" command, as below:

    [root@undercloud ~]# getcert list-cas
    CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
    CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-submit
    CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
    CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
    CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit

4. The field "service_principal" must be set to:

    nova/undercloud_FQDN

5. The following Kerberos principal names must be created:

    - nova/undercloud_FQDN
    - openstack/undercloud_FQDN

   They can be created on the IdM server with the following commands:

    ipa service-add nova/undercloud.FQDN
    ipa service-add openstack/undercloud.FQDN

Please let me know if you have any questions.
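An added example, not part of the original report or the Red Hat documentation: a shell check that the three undercloud.conf values listed in items 2 to 4 are set as the report describes, and that the configured CA name appears in `getcert list-cas` output. The file names, the FQDN `undercloud.example.com` and the sample inputs are constructed; the exact-match rule for `service_principal` follows the report's wording.

```shell
#!/bin/sh
# Added example: offline check of the undercloud.conf values the report lists.
# File names, the FQDN and the sample inputs are constructed for illustration.

list_cas() {   # CA names from `getcert list-cas` output read on stdin
    awk -F"'" '/^CA / { print $2 }'
}

conf_get() {   # conf_get FILE KEY -> value of KEY (last assignment wins)
    awk -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }
        { k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k) }
        k == key { v = $0; sub(/^[^=]*=/, "", v)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

check_undercloud() {   # check_undercloud CONF CAS_FILE FQDN; returns 1 on any problem
    conf=$1 cas=$2 fqdn=$3 rc=0
    [ "$(conf_get "$conf" generate_service_certificate)" = "true" ] ||
        { echo "generate_service_certificate must be true"; rc=1; }
    ca=$(conf_get "$conf" certificate_generation_ca)
    list_cas < "$cas" | grep -qxF -- "$ca" ||
        { echo "certificate_generation_ca '$ca' not in getcert list-cas"; rc=1; }
    [ "$ca" = "IPA" ] || { echo "certificate_generation_ca must be IPA"; rc=1; }
    [ "$(conf_get "$conf" service_principal)" = "nova/$fqdn" ] ||
        { echo "service_principal must be nova/$fqdn"; rc=1; }
    return $rc
}

write_samples() {   # constructed inputs; CA list follows the report's output format
    cat > "$1/undercloud.conf" <<'EOF'
[DEFAULT]
generate_service_certificate = true
certificate_generation_ca = IPA
service_principal = nova/undercloud.example.com
EOF
    cat > "$1/cas.txt" <<'EOF'
CA 'SelfSign':
    ca-type: INTERNAL:SELF
CA 'IPA':
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/ipa-submit
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_undercloud "$tmp/undercloud.conf" "$tmp/cas.txt" undercloud.example.com &&
    echo "undercloud.conf OK"
```

On a real undercloud, save the output of `getcert list-cas` to a file and pass it as the second argument, with `$(hostname -f)` as the third.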
Checked that currently tested steps that have been requested are either present or have been added. These steps have been reviewed by QA and implemented in documentation for OSP 161 and later.