Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2064347

Summary: [OPS 16.2] - RHOSP Director should support changing crypto policy inside containers
Product: Red Hat OpenStack
Reporter: Siggy Sigwald <ssigwald>
Component: openstack-keystone
Assignee: Dave Wilde <dwilde>
Status: CLOSED NOTABUG
QA Contact: Jeremy Agee <jagee>
Severity: high
Docs Contact:
Priority: urgent
Version: 16.2 (Train)
CC: alee, astupnik, dwilde, jhakimra, jslagle, mburns, mflusche, oblaut, sukar, tkajinam
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1953344
Environment:
Last Closed: 2022-05-24 14:08:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1953344
Bug Blocks:

Description Siggy Sigwald 2022-03-15 15:56:53 UTC
+++ This bug was initially created as a clone of Bug #1953344 +++

Description of problem:

In this environment, keystone is integrated with Active Directory via LDAPS. The LDAP servers are still using 1024-bit SSL keys, which require the crypto policy to be set to LEGACY. The following errors occur in the keystone.log with the DEFAULT crypto policy:

"Verification error: EE certificate key too weak"

The temporary workaround for 16.1 is not working for 16.2, as per the customer:

# sudo podman exec  keystone update-crypto-policies --set LEGACY
# sudo systemctl restart tripleo_keystone
# sudo podman exec  keystone update-crypto-policies --show
LEGACY

OSP Director should support changing containers' crypto policy or at least inherit the system's current policy during container startup.


Version-Release number of selected component (if applicable):
16.2

How reproducible:
100%

Steps to Reproduce:
1. See above
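
The key-size failure described above can be checked per certificate before touching any policy. The script below is an added example, not part of the original report or of Red Hat's tooling: it compares a PEM certificate's RSA key size with the RSA minimum documented for the RHEL 8 crypto policies (LEGACY 1023 bits, DEFAULT and FIPS 2048, FUTURE 3072). The function names, file names and the throwaway self-signed certificates are constructed for illustration, and only RSA certificates are handled.

```shell
#!/bin/sh
# Added example: audit a certificate's RSA key size against the RSA minimum
# of a RHEL 8 system-wide crypto policy. RSA certificates only.

# Minimum RSA key size in bits for a policy name (RHEL 8 crypto-policies).
policy_min_rsa_bits() {
    case "$1" in
        LEGACY)       echo 1023 ;;
        DEFAULT|FIPS) echo 2048 ;;
        FUTURE)       echo 3072 ;;
        *) echo "unknown policy: $1" >&2; return 2 ;;
    esac
}

# Print the public key size in bits of a PEM certificate file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the key meets the policy minimum, 1 if too weak, 2 on error.
policy_accepts_cert() {
    min=$(policy_min_rsa_bits "$1") || return 2
    bits=$(cert_key_bits "$2")
    [ -n "$bits" ] || { echo "cannot read key size: $2" >&2; return 2; }
    if [ "$bits" -ge "$min" ]; then
        echo "$2: ${bits}-bit key accepted under $1 (min $min)"
    else
        echo "$2: ${bits}-bit key too weak under $1 (min $min)"
        return 1
    fi
}

# Constructed sample input: throwaway self-signed cert with an RSA key of $1 bits.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=ldap.example.test" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Demo: a 1024-bit and a 2048-bit certificate under DEFAULT and LEGACY.
demo_dir=$(mktemp -d)
make_sample_cert 1024 "$demo_dir/weak.pem"
make_sample_cert 2048 "$demo_dir/strong.pem"
for policy in DEFAULT LEGACY; do
    for cert in "$demo_dir/weak.pem" "$demo_dir/strong.pem"; do
        policy_accepts_cert "$policy" "$cert" || true
    done
done
rm -rf "$demo_dir"
```

A certificate reported as too weak under DEFAULT identifies a server that needs a reissued certificate with a key of at least 2048 bits; that removes the need to run the client under LEGACY.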

Comment 9 Red Hat Bugzilla 2023-09-15 01:52:45 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days.