Bug 2064347 - [OPS 16.2] - RHOSP Director should support changing crypto policy inside containers [NEEDINFO]
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 16.2 (Train)
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Dave Wilde
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On: 1953344
Blocks:
Reported: 2022-03-15 15:56 UTC by Siggy Sigwald
Modified: 2022-05-24 14:08 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1953344
Environment:
Last Closed: 2022-05-24 14:08:30 UTC
Target Upstream Version:
Embargoed:
dwilde: needinfo? (ssigwald)


Links
System: Red Hat Issue Tracker
ID: OSP-13956
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2022-03-15 16:25:35 UTC

Description Siggy Sigwald 2022-03-15 15:56:53 UTC
+++ This bug was initially created as a clone of Bug #1953344 +++

Description of problem:

In this environment, keystone is integrated with Active Directory via LDAPS. The LDAP servers are still using 1024-bit SSL keys, which require the crypto policy to be set to LEGACY. The following errors occur in the keystone.log with the DEFAULT crypto policy:

"Verification error: EE certificate key too weak"

The temporary workaround for 16.1 is not working for 16.2, as per the customer:

# sudo podman exec keystone update-crypto-policies --set LEGACY
# sudo systemctl restart tripleo_keystone
# sudo podman exec keystone update-crypto-policies --show
LEGACY

OSP Director should support changing containers' crypto policy or at least inherit the system's current policy during container startup.


Version-Release number of selected component (if applicable):
16.2

How reproducible:
100%

Steps to Reproduce:
1. See above
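
The failure described above can be checked before keystone is pointed at an LDAPS server. The following is an added example, not part of the bug report or of Red Hat's tooling: it reads the server certificate's RSA key size and compares it with the policy minimum. The function names and the sample text are constructed for illustration; the minimums are the min_rsa_size values of the RHEL 8 LEGACY and DEFAULT policies.

```shell
#!/bin/sh
# Added example: pre-flight check of an LDAPS certificate against a crypto policy.

# Minimum RSA key size (bits) for the two policies named in this report
# (assumption: RHEL 8 policy definitions, min_rsa_size).
min_rsa_bits() {
    case "$1" in
        LEGACY)  echo 1023 ;;
        DEFAULT) echo 2048 ;;
        *) echo "unknown policy: $1" >&2; return 2 ;;
    esac
}

# Read `openssl x509 -noout -text` output on stdin and print the RSA key size.
# OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", 3.x prints "Public-Key: (N bit)".
# Prints nothing for non-RSA keys, so EC sizes are never compared to RSA limits.
cert_rsa_bits() {
    awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
         rsa && match($0, /Public-Key: \([0-9]+ bit\)/) {
             s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); print s; exit
         }'
}

# policy_accepts_key POLICY BITS: exit 0 if accepted, 1 if too weak, 2 on error.
policy_accepts_key() {
    min=$(min_rsa_bits "$1") || return 2
    [ "$2" -ge "$min" ]
}

# check_ldaps_cert HOST PORT POLICY: fetch the leaf certificate and report.
check_ldaps_cert() {
    bits=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null | cert_rsa_bits)
    [ -n "$bits" ] || { echo "$1:$2: no RSA certificate retrieved" >&2; return 2; }
    if policy_accepts_key "$3" "$bits"; then
        echo "$1:$2: ${bits}-bit RSA key accepted under $3"
    else
        echo "$1:$2: ${bits}-bit RSA key too weak for $3"
        return 1
    fi
}

# Constructed sample of `openssl x509 -text` output for a 1024-bit key.
SAMPLE_WEAK='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
```

Run as `check_ldaps_cert <ldap-host> 636 DEFAULT`; a non-zero exit for a 1024-bit key corresponds to the "EE certificate key too weak" error in keystone.log.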

