Bug 1953344 - [OPS 16] - RHOSP Director should support changing crypto policy inside containers [NEEDINFO]
Summary: [OPS 16] - RHOSP Director should support changing crypto policy inside contai...
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 16.1 (Train)
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: OSP Team
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks: 2064347
Reported: 2021-04-25 16:11 UTC by Matt Flusche
Modified: 2023-01-31 18:32 UTC (History)
CC: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2064347 (view as bug list)
Environment:
Last Closed: 2022-07-11 19:41:54 UTC
Target Upstream Version:
Embargoed:
hrybacki: needinfo? (nkinder)
jjung: needinfo? (dwilde)




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 860124 0 None NEW Allow an operator to change the crypto policies 2022-10-03 19:53:50 UTC
OpenStack gerrit 860128 0 None NEW Allow an operator to change crypto policies 2022-10-03 19:54:10 UTC
Red Hat Issue Tracker OSP-3299 0 None None None 2022-03-10 23:18:07 UTC

Description Matt Flusche 2021-04-25 16:11:20 UTC
Description of problem:

In this environment, keystone is integrated with Active Directory via LDAPS. The LDAP servers are still using 1024-bit SSL keys, which require the crypto policy to be set to LEGACY. The following errors occur in keystone.log with the DEFAULT crypto policy:

"Verification error: EE certificate key too weak"

A temporary work-around:

# sudo podman exec keystone update-crypto-policies --set LEGACY
# sudo systemctl restart tripleo_keystone
# sudo podman exec keystone update-crypto-policies --show
LEGACY

However, this is reverted after overcloud deployment.

Another more permanent work-around:

sudo update-crypto-policies --set LEGACY
sudo cp -fR /etc/crypto-policies /var/lib/config-data/puppet-generated/keystone/etc/
sudo systemctl restart tripleo_keystone

OSP Director should support changing containers' crypto policy or at least inherit the system's current policy during container startup.


Version-Release number of selected component (if applicable):
16.1

How reproducible:
100%

Steps to Reproduce:
1. See above
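
As an added example (it is not part of this bug report, nor TripleO or Red Hat code), the POSIX shell functions below make the second workaround above repeatable and checkable: one reads the policy name recorded under a given root, one copies the host's /etc/crypto-policies into a service's puppet-generated tree, and one reports whether the two trees agree, which is the check to run after an overcloud deployment to see whether the container policy has been reset to DEFAULT. The assumption that /var/lib/config-data/puppet-generated/<service>/etc is what populates the container's /etc, and that /etc/crypto-policies/config holds the policy name as its first non-comment line, are taken from the workaround and from crypto-policies layout respectively; both roots are parameters so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example: persist a host crypto policy into a TripleO service's
# puppet-generated config tree and verify the result.
# Assumption (from the bug's workaround): the container's /etc is populated
# from <service_root>/etc, e.g. /var/lib/config-data/puppet-generated/keystone/etc,
# so a copy of /etc/crypto-policies placed there survives a container restart.
# Assumption (crypto-policies layout): <root>/etc/crypto-policies/config holds
# the active policy name as its first non-comment, non-empty line.

# Print the policy name recorded under <root>, or "unknown" (status 1)
# when the config file is missing or unreadable.
crypto_policy_of() {
    cfg="$1/etc/crypto-policies/config"
    [ -r "$cfg" ] || { echo unknown; return 1; }
    grep -v '^[[:space:]]*#' "$cfg" | grep -v '^[[:space:]]*$' | head -n 1
}

# Copy <host_root>/etc/crypto-policies (including back-ends/) into
# <service_root>/etc/, replacing whatever policy tree was there.
# host_root is "" for the real host; service_root is the puppet-generated
# directory of the service, e.g. /var/lib/config-data/puppet-generated/keystone.
persist_crypto_policy() {
    host_root="$1"
    service_root="$2"
    src="$host_root/etc/crypto-policies"
    dst="$service_root/etc"
    [ -d "$src" ] || { echo "no crypto-policies directory at $src" >&2; return 1; }
    mkdir -p "$dst"
    rm -rf "$dst/crypto-policies"
    cp -fR "$src" "$dst/"
}

# Exit 0 when the host tree and the service tree record the same policy,
# 1 otherwise (also 1 when either config file cannot be read).
policies_match() {
    h=$(crypto_policy_of "$1") || return 1
    s=$(crypto_policy_of "$2") || return 1
    [ "$h" = "$s" ]
}

# Usage on a real host (same effect as the workaround in the report):
#   persist_crypto_policy "" /var/lib/config-data/puppet-generated/keystone
#   sudo systemctl restart tripleo_keystone
# Post-deploy check:
#   policies_match "" /var/lib/config-data/puppet-generated/keystone || echo "policy drift"
```

Running policies_match from a post-deployment check is the cheap way to notice that an overcloud deployment has silently reverted the container to the host-independent DEFAULT policy; persist_crypto_policy only copies files, so the service restart from the report is still required for the container to pick the policy up.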

Comment 3 Cristian Muresanu 2022-08-19 16:08:23 UTC
Additional info for the work-around:
~~~
On QA, we did the following steps and it still didn't get LDAPS login working

    sudo podman exec -ti keystone update-crypto-policies --set LEGACY
    sudo podman restart keystone

Then I ended up doing the below step as well and got it working

Commented out the following line in /etc/openldap/ldap.conf:

TLS_CACERTDIR /etc/openldap/cacerts
~~~