Chapter 15. Enabling SSL/TLS on internal and public endpoints with Identity Management


You can enable SSL/TLS on certain overcloud endpoints. Due to the number of certificates required, director integrates with a Red Hat Identity Management (IdM) server to act as a certificate authority and manage the overcloud certificates.

To check the status of TLS support across the OpenStack components, refer to the TLS Enablement status matrix.

15.1. Identity Management (IdM) server recommendations for OpenStack

Red Hat provides the following information to help you integrate your IdM server and OpenStack environment.

For information on preparing Red Hat Enterprise Linux for an IdM installation, see Installing Identity Management.

Run the ipa-server-install command to install and configure IdM. You can use command parameters to skip interactive prompts. Use the following recommendations so that your IdM server can integrate with your Red Hat OpenStack Platform environment:

Table 15.1. Parameter recommendations
Option / Recommendation

--admin-password

Note the value you provide. You will need this password when configuring Red Hat OpenStack Platform to work with IdM.

--ip-address

Note the value you provide. The undercloud and overcloud nodes require network access to this IP address.

--setup-dns

Use this option to install an integrated DNS service on the IdM server. The undercloud and overcloud nodes use the IdM server for domain name resolution.

--auto-forwarders

Use this option to use the addresses in /etc/resolv.conf as DNS forwarders.

--auto-reverse

Use this option to resolve reverse records and zones for the IdM server IP addresses. If neither reverse records nor zones are resolvable, IdM creates the reverse zones. This simplifies the IdM deployment.

--ntp-server, --ntp-pool

You can use both or either of these options to configure your NTP source. Both the IdM server and your OpenStack environment must have correct and synchronized time.

You must open the firewall ports required by IdM to enable communication with Red Hat OpenStack Platform nodes. For more information, see Opening the ports required by IdM.

15.2. Implementing TLS-e with Ansible

You can use the tripleo-ipa method to enable SSL/TLS on overcloud endpoints, called TLS everywhere (TLS-e). Due to the number of certificates required, Red Hat OpenStack Platform integrates with Red Hat Identity Management (IdM). When you use tripleo-ipa to configure TLS-e, IdM is the certificate authority.

Prerequisites

Ensure that all configuration steps for the undercloud, such as the creation of the stack user, are complete. For more details, see Director Installation and Usage.

Procedure

Use the following procedure to implement TLS-e on a new installation of Red Hat OpenStack Platform, or an existing deployment that you want to configure with TLS-e. You must use this method if you deploy Red Hat OpenStack Platform with TLS-e on pre-provisioned nodes.

Note

If you are implementing TLS-e for an existing environment, you are required to run commands such as openstack undercloud install, and openstack overcloud deploy. These procedures are idempotent and only adjust your existing deployment configuration to match updated templates and configuration files.

  1. Configure the /etc/resolv.conf file:

    Set the appropriate search domains and the nameserver on the undercloud in /etc/resolv.conf. For example, if the deployment domain is example.com, and the domain of the FreeIPA server is bigcorp.com, then add the following lines to /etc/resolv.conf:

    search example.com bigcorp.com
    nameserver $IDM_SERVER_IP_ADDR
  2. Install required software:

    sudo dnf install -y python3-ipalib python3-ipaclient krb5-devel
  3. Export environment variables with values specific to your environment:

    export IPA_DOMAIN=bigcorp.com
    export IPA_REALM=BIGCORP.COM
    export IPA_ADMIN_USER=$IPA_USER
    export IPA_ADMIN_PASSWORD=$IPA_PASSWORD
    export IPA_SERVER_HOSTNAME=ipa.bigcorp.com
    export UNDERCLOUD_FQDN=undercloud.example.com
    export USER=stack
    export CLOUD_DOMAIN=example.com
    Note

    The IdM user credentials must be an administrative user that can add new hosts and services.

  4. Run the undercloud-ipa-install.yaml ansible playbook on the undercloud:

    ansible-playbook \
    --ssh-extra-args "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \
    /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml
  5. Add the following parameters to undercloud.conf:

    undercloud_nameservers = $IDM_SERVER_IP_ADDR
    overcloud_domain_name = example.com
  6. Deploy the undercloud:

    openstack undercloud install
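Most failures of the undercloud-ipa-install.yaml playbook trace back to the variables exported in step 3: an unset credential, a realm that does not match the IdM domain, or hostnames that sit outside the domains they are supposed to belong to. The following pre-flight check is an added example and is not part of the Red Hat documentation or of tripleo-ipa. It assumes the conventions visible in the values above: the realm is the upper-cased IdM domain (the ipa-server-install default), the IdM server hostname lies inside IPA_DOMAIN, and the undercloud FQDN lies inside CLOUD_DOMAIN. The sample values in sample_env are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: sanity-check the TLS-e
# variables before running undercloud-ipa-install.yaml. The relationship
# checks (realm = upper-cased domain, hostnames inside their domains) are
# assumptions matching the example values in the text, not hard rules
# enforced by tripleo-ipa itself.

# Returns 0 when every check passes, 1 otherwise; each problem is printed.
check_tls_e_env() {
    errors=0
    for v in IPA_DOMAIN IPA_REALM IPA_ADMIN_USER IPA_ADMIN_PASSWORD \
             IPA_SERVER_HOSTNAME UNDERCLOUD_FQDN CLOUD_DOMAIN; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "unset: $v"
            errors=$((errors + 1))
        fi
    done
    # Relationship checks are meaningless while something is unset.
    [ "$errors" -eq 0 ] || return 1

    # Assumption: the Kerberos realm is the upper-cased IdM domain.
    expected_realm=$(printf '%s' "$IPA_DOMAIN" | tr '[:lower:]' '[:upper:]')
    if [ "$IPA_REALM" != "$expected_realm" ]; then
        echo "IPA_REALM is '$IPA_REALM' but the upper-cased IPA_DOMAIN is '$expected_realm'"
        errors=$((errors + 1))
    fi

    # Assumption: the IdM server is a host inside the IdM domain.
    case "$IPA_SERVER_HOSTNAME" in
        *."$IPA_DOMAIN") ;;
        *) echo "IPA_SERVER_HOSTNAME '$IPA_SERVER_HOSTNAME' is not inside IPA_DOMAIN '$IPA_DOMAIN'"
           errors=$((errors + 1)) ;;
    esac

    # Assumption: the undercloud FQDN is inside the cloud domain IdM will serve.
    case "$UNDERCLOUD_FQDN" in
        *."$CLOUD_DOMAIN") ;;
        *) echo "UNDERCLOUD_FQDN '$UNDERCLOUD_FQDN' is not inside CLOUD_DOMAIN '$CLOUD_DOMAIN'"
           errors=$((errors + 1)) ;;
    esac

    [ "$errors" -eq 0 ]
}

# Constructed sample matching the values used in the text (password is a dummy).
sample_env() {
    export IPA_DOMAIN=bigcorp.com IPA_REALM=BIGCORP.COM
    export IPA_ADMIN_USER=admin IPA_ADMIN_PASSWORD='example-only'
    export IPA_SERVER_HOSTNAME=ipa.bigcorp.com
    export UNDERCLOUD_FQDN=undercloud.example.com CLOUD_DOMAIN=example.com
}

# Usage: source your real exports first, then run check_tls_e_env;
# "--sample" runs the check against the constructed values instead.
if [ "${1:-}" = "--sample" ]; then
    sample_env && check_tls_e_env && echo "TLS-e environment looks consistent"
fi
```

Run the check in the same shell session in which you exported the variables, because the playbook reads the same environment; a non-zero exit means fix the listed variable before continuing to step 4.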

Verification

Verify that the undercloud was enrolled correctly by completing the following steps:

  1. List the hosts in IdM:

    $ kinit admin
    $ ipa host-find
  2. Confirm that /etc/novajoin/krb5.keytab exists on the undercloud.

    ls /etc/novajoin/krb5.keytab
Note

The novajoin directory name is for legacy naming purposes only.

Configuring TLS-e on the overcloud

When you deploy the overcloud with TLS everywhere (TLS-e), the IP addresses of the undercloud and overcloud nodes are registered with IdM automatically.

  1. Before deploying the overcloud, create a YAML file tls-parameters.yaml with contents similar to the following. The values you select will be specific for your environment:

    parameter_defaults:
        DnsSearchDomains: ["example.com"]
        DnsServers: ["192.168.1.13"]
        CloudDomain: example.com
        CloudName: overcloud.example.com
        CloudNameInternal: overcloud.internalapi.example.com
        CloudNameStorage: overcloud.storage.example.com
        CloudNameStorageManagement: overcloud.storagemgmt.example.com
        CloudNameCtlplane: overcloud.ctlplane.example.com
        IdMServer: freeipa-0.redhat.local
        IdMDomain: redhat.local
        IdMInstallClientPackages: False
    
    resource_registry:
          OS::TripleO::Services::IpaClient: /usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml
    • The value shown for OS::TripleO::Services::IpaClient overrides the default set in the enable-internal-tls.yaml file. Because later environment files take precedence over earlier ones, you must list tls-parameters.yaml after enable-internal-tls.yaml in the openstack overcloud deploy command.
  2. Deploy the overcloud. You will need to include the tls-parameters.yaml in the deployment command:

    DEFAULT_TEMPLATES=/usr/share/openstack-tripleo-heat-templates/
    CUSTOM_TEMPLATES=/home/stack/templates
    
    openstack overcloud deploy \
    -e ${DEFAULT_TEMPLATES}/environments/ssl/tls-everywhere-endpoints-dns.yaml \
    -e ${DEFAULT_TEMPLATES}/environments/services/haproxy-public-tls-certmonger.yaml \
    -e ${DEFAULT_TEMPLATES}/environments/ssl/enable-internal-tls.yaml \
    -e ${CUSTOM_TEMPLATES}/tls-parameters.yaml \
    ...
  3. Confirm each endpoint is using HTTPS by querying keystone for a list of endpoints:

    openstack endpoint list
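Reading the endpoint table by eye is error-prone on a catalog with dozens of rows, and a URL that starts with https:// still says nothing about who issued the certificate. The script below is an added example, not part of the Red Hat documentation or of any OpenStack tool. It takes the catalog as plain text (the `-f value` output of openstack endpoint list with the ID, service name, interface and URL columns), reports every endpoint that is not served over HTTPS, extracts the host:port pairs, and offers a helper that verifies each listener's chain against the IdM CA certificate, which is assumed to be at /etc/ipa/ca.crt as installed by ipa-client. The sample catalog is constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: audit the Keystone
# catalog after a TLS-e deployment. Feed it the output of
#   openstack endpoint list -f value -c ID -c "Service Name" -c Interface -c URL
# (one endpoint per line: ID SERVICE INTERFACE URL).

# Print every endpoint whose URL does not start with https://.
# Exit status 1 if any such endpoint exists, 0 if the catalog is clean.
find_plaintext_endpoints() {
    awk '
        $4 !~ /^https:\/\// { print; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Reduce the https:// URLs to unique "host port" pairs (default port 443)
# so each TLS listener can be checked once.
endpoint_hosts() {
    awk '$4 ~ /^https:\/\// {
        url = substr($4, 9)            # strip the "https://" prefix
        sub(/\/.*/, "", url)           # drop any path component
        n = split(url, parts, ":")
        print parts[1], (n > 1 ? parts[2] : 443)
    }' | LC_ALL=C sort -u
}

# Verify that host:port presents a chain that validates against the IdM CA.
# Assumption: ipa-client installed the CA at /etc/ipa/ca.crt (override via $3).
verify_endpoint_cert() {
    host=$1 port=$2 cafile=${3:-/etc/ipa/ca.crt}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample catalog: three TLS endpoints and one still on plain HTTP.
SAMPLE_CATALOG='1a2b keystone public https://overcloud.example.com:13000
3c4d keystone internal https://overcloud.internalapi.example.com:5000
5e6f nova public http://overcloud.example.com:8774/v2.1
7a8b glance admin https://overcloud.internalapi.example.com:9292'

# Usage: "--sample" audits the constructed catalog; otherwise pipe the real
# catalog in and run find_plaintext_endpoints, then loop endpoint_hosts
# through verify_endpoint_cert.
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_CATALOG" | find_plaintext_endpoints \
        && echo "no plaintext endpoints"
    printf '%s\n' "$SAMPLE_CATALOG" | endpoint_hosts
fi
```

On a real deployment, a listener that fails verify_endpoint_cert while its URL is https:// usually means certmonger has not yet issued or renewed that certificate, or the node is trusting a CA other than the IdM one; check `getcert list` on the node that owns the VIP before touching the deployment.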

15.3. Enrolling nodes in Red Hat Identity Manager (IdM) with novajoin

Novajoin is the default tool that you use to enroll your nodes with Red Hat Identity Manager (IdM) as part of the deployment process. Red Hat recommends the new ansible-based tripleo-ipa solution over the default novajoin solution to configure your undercloud and overcloud with TLS-e. For more information see Implementing TLS-e with Ansible.

You must perform the enrollment process before you proceed with the rest of the IdM integration. The enrollment process includes the following steps:

  1. Adding the undercloud node to the certificate authority (CA)
  2. Adding the undercloud node to IdM
  3. Optional: Setting the IdM server as the DNS server for the overcloud
  4. Preparing the environment files and deploying the overcloud
  5. Testing the overcloud enrollment in IdM and in RHOSP
  6. Optional: Adding DNS entries for novajoin in IdM
Note

IdM enrollment with novajoin is currently only available for the undercloud and overcloud nodes. Novajoin integration for overcloud instances is expected to be supported in a later release.

15.4. Adding the undercloud node to the certificate authority

Before you deploy the overcloud, add the undercloud to the certificate authority (CA) by installing the python3-novajoin package on the undercloud node and running the novajoin-ipa-setup script.

Procedure

  1. On the undercloud node, install the python3-novajoin package:

    $ sudo dnf install python3-novajoin
  2. On the undercloud node, run the novajoin-ipa-setup script, and adjust the values to suit your deployment:

    $ sudo /usr/libexec/novajoin-ipa-setup \
        --principal admin \
        --password <IdM admin password> \
        --server <IdM server hostname> \
        --realm <realm> \
        --domain <overcloud cloud domain> \
        --hostname <undercloud hostname> \
        --precreate

    Use the resulting One-Time Password (OTP) to enroll the undercloud. Because the IdM admin password is passed as a command-line argument, it is visible in the shell history and in the process list while the script runs; clear the history entry after use.

15.5. Adding the undercloud node to Red Hat Identity Manager (IdM)

After you add the undercloud node to the certificate authority (CA), register the undercloud with IdM and configure novajoin. Configure the following settings in the [DEFAULT] section of the undercloud.conf file.

Procedure

  1. Enable the novajoin service:

    [DEFAULT]
    enable_novajoin = true
  2. Set a One-Time Password (OTP) so that you can register the undercloud node with IdM:

    ipa_otp = <otp>
  3. Set the overcloud’s domain name to be served by neutron’s DHCP server:

    overcloud_domain_name = <domain>
  4. Set the hostname for the undercloud:

    undercloud_hostname = <undercloud FQDN>
  5. Set IdM as the nameserver for the undercloud:

    undercloud_nameservers = <IdM IP>
  6. For larger environments, review the novajoin connection timeout values. In the undercloud.conf file, add a reference to a new file called undercloud-timeout.yaml:

    hieradata_override = /home/stack/undercloud-timeout.yaml

    Add the following options to undercloud-timeout.yaml. You can specify the timeout value in seconds, for example, 5:

    nova::api::vendordata_dynamic_connect_timeout: <timeout value>
    nova::api::vendordata_dynamic_read_timeout: <timeout value>
  7. Optional: If you want the local OpenSSL certificate authority in director to generate the SSL certificates for the public endpoints, set the generate_service_certificate parameter to true:

    generate_service_certificate = true
  8. Save the undercloud.conf file.
  9. Run the undercloud deployment command to apply the changes to your existing undercloud:

    $ openstack undercloud install

Verification

Verify that the undercloud was enrolled correctly by completing the following steps:

  1. List the hosts in IdM:

    $ kinit admin
    $ ipa host-find
  2. Confirm that /etc/novajoin/krb5.keytab exists on the undercloud.

    ls /etc/novajoin/krb5.keytab

15.6. Setting Red Hat Identity Manager (IdM) as the DNS server for the overcloud

To enable automatic detection of your IdM environment and easier enrollment, set IdM as your DNS server. This procedure is optional but recommended.

Procedure

  1. Connect to your undercloud:

    $ source ~/stackrc
  2. Configure the control plane subnet to use IdM as the DNS name server:

    $ openstack subnet set ctlplane-subnet --dns-nameserver <idm_server_address>
  3. Set the DnsServers parameter in an environment file to use your IdM server:

    parameter_defaults:
      DnsServers: ["<idm_server_address>"]

    This parameter is usually defined in a custom network-environment.yaml file.

15.7. Preparing environment files and deploying the overcloud with novajoin enrollment

To deploy the overcloud with IdM integration, create and edit environment files that set the custom domain parameters CloudDomain and CloudName* to the domains you define for the overcloud. Then deploy the overcloud with these environment files together with any other environment files that your deployment needs.

Procedure

  1. Create a copy of the /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml environment file:

    $ cp /usr/share/openstack-tripleo-heat-templates/environments/predictable-placement/custom-domain.yaml \
      /home/stack/templates/custom-domain.yaml
  2. Edit the /home/stack/templates/custom-domain.yaml environment file and set the CloudDomain and CloudName* values to suit your deployment:

    parameter_defaults:
      CloudDomain: lab.local
      CloudName: overcloud.lab.local
      CloudNameInternal: overcloud.internalapi.lab.local
      CloudNameStorage: overcloud.storage.lab.local
      CloudNameStorageManagement: overcloud.storagemgmt.lab.local
      CloudNameCtlplane: overcloud.ctlplane.lab.local
  3. Choose the implementation of TLS appropriate for your environment:

    • Use the enable-tls.yaml environment file to protect external endpoints with your custom certificate:

      1. Copy /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml to /home/stack/templates.
      2. Modify the /home/stack/templates/enable-tls.yaml environment file to include your custom certificate and key.
      3. Include the following environment files in your deployment to protect internal and external endpoints:

        • enable-internal-tls.yaml
        • tls-everywhere-endpoints-dns.yaml
        • custom-domain.yaml
        • enable-tls.yaml

          openstack overcloud deploy \
            --templates \
            -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
            -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
            -e /home/stack/templates/custom-domain.yaml \
            -e /home/stack/templates/enable-tls.yaml
    • Use the haproxy-public-tls-certmonger.yaml environment file to protect external endpoints with an IdM-issued certificate. For this implementation, you must create DNS entries in IdM for the VIP endpoints that novajoin uses:

      1. Identify the overcloud networks defined in your custom network-environment.yaml file in /home/stack/templates:

        parameter_defaults:
            ControlPlaneDefaultRoute: 192.168.24.1
            ExternalAllocationPools:
            -   end: 10.0.0.149
                start: 10.0.0.101
            InternalApiAllocationPools:
            -   end: 172.17.1.149
                start: 172.17.1.10
            StorageAllocationPools:
            -   end: 172.17.3.149
                start: 172.17.3.10
            StorageMgmtAllocationPools:
            -   end: 172.17.4.149
                start: 172.17.4.10
      2. Create a list of virtual IP addresses for each overcloud network in a heat template, for example, /home/stack/public_vip.yaml.

        parameter_defaults:
            ControlFixedIPs: [{'ip_address':'192.168.24.101'}]
            PublicVirtualFixedIPs: [{'ip_address':'10.0.0.101'}]
            InternalApiVirtualFixedIPs: [{'ip_address':'172.17.1.101'}]
            StorageVirtualFixedIPs: [{'ip_address':'172.17.3.101'}]
            StorageMgmtVirtualFixedIPs: [{'ip_address':'172.17.4.101'}]
            RedisVirtualFixedIPs: [{'ip_address':'172.17.1.102'}]
      3. Add DNS entries to the IdM for each of the VIPs, and zones as needed:

        ipa dnsrecord-add lab.local overcloud --a-rec 10.0.0.101
        ipa dnszone-add ctlplane.lab.local
        ipa dnsrecord-add ctlplane.lab.local overcloud --a-rec 192.168.24.101
        ipa dnszone-add internalapi.lab.local
        ipa dnsrecord-add internalapi.lab.local overcloud --a-rec 172.17.1.101
        ipa dnszone-add storage.lab.local
        ipa dnsrecord-add storage.lab.local overcloud --a-rec 172.17.3.101
        ipa dnszone-add storagemgmt.lab.local
        ipa dnsrecord-add storagemgmt.lab.local overcloud --a-rec 172.17.4.101
      4. Include the following environment files in your deployment to protect internal and external endpoints:

        • enable-internal-tls.yaml
        • tls-everywhere-endpoints-dns.yaml
        • haproxy-public-tls-certmonger.yaml
        • custom-domain.yaml
        • public_vip.yaml

          openstack overcloud deploy \
            --templates \
            -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
            -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
            -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \
            -e /home/stack/templates/custom-domain.yaml \
            -e /home/stack/templates/public_vip.yaml
Note

You cannot use novajoin to implement TLS everywhere (TLS-e) on a pre-existing deployment.
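The hand-written ipa dnszone-add and ipa dnsrecord-add commands in step 3 of the haproxy-public-tls-certmonger.yaml path have two practical weaknesses: the VIP-to-hostname mapping is typed twice (once in public_vip.yaml, once in the DNS commands), and ipa dnszone-add fails outright when the zone already exists, so the list cannot be re-run. The script below is an added example and is not part of the Red Hat documentation or of the IdM tooling. It derives the zone and host label from each CloudName* FQDN, emits one zone creation per non-base zone guarded by ipa dnszone-show so the list is re-runnable, and verifies after the fact that each name resolves to the VIP it was given. The hostname/VIP pairs are constructed to match the lab.local example in the text; the base domain lab.local is assumed to exist in IdM already, as the text's commands also assume.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: generate the IdM DNS
# commands for the overcloud VIPs from "fqdn ip" pairs and verify the
# resulting resolution. Pairs below are constructed from the text's example.

BASE_DOMAIN=lab.local

# One "fqdn ip" pair per line: the CloudName* hostnames and their VIPs
# from custom-domain.yaml and public_vip.yaml.
VIP_NAMES='overcloud.lab.local 10.0.0.101
overcloud.ctlplane.lab.local 192.168.24.101
overcloud.internalapi.lab.local 172.17.1.101
overcloud.storage.lab.local 172.17.3.101
overcloud.storagemgmt.lab.local 172.17.4.101'

# Emit the ipa commands for the pairs on stdin. Each zone other than the
# base domain gets a single guarded zone creation before its first record.
ipa_dns_commands() {
    awk -v base="$BASE_DOMAIN" '
    NF == 2 {
        fqdn = $1; ip = $2
        host = fqdn; sub(/\..*/, "", host)       # first label, e.g. overcloud
        zone = fqdn; sub(/^[^.]+\./, "", zone)   # remainder, e.g. ctlplane.lab.local
        if (zone != base && !(zone in seen)) {
            seen[zone] = 1
            printf "ipa dnszone-show %s >/dev/null 2>&1 || ipa dnszone-add %s\n", zone, zone
        }
        printf "ipa dnsrecord-add %s %s --a-rec %s\n", zone, host, ip
    }'
}

# Check that each fqdn on stdin resolves to its expected VIP through the
# resolver in /etc/resolv.conf (the IdM server). Prints mismatches; exit 1
# if any.
verify_vip_dns() {
    bad=0
    while read -r fqdn ip; do
        got=$(getent ahostsv4 "$fqdn" | awk 'NR == 1 { print $1 }')
        if [ "$got" != "$ip" ]; then
            echo "MISMATCH $fqdn expected $ip got ${got:-<none>}"
            bad=1
        fi
    done
    return $bad
}

# Usage: "--emit" prints the commands (review, then run them with a valid
# admin ticket from kinit admin); "--verify" checks resolution afterwards.
if [ "${1:-}" = "--emit" ]; then
    printf '%s\n' "$VIP_NAMES" | ipa_dns_commands
elif [ "${1:-}" = "--verify" ]; then
    printf '%s\n' "$VIP_NAMES" | verify_vip_dns
fi
```

ipa dnsrecord-add still refuses an A record that already exists with the same value, so on a second run expect those lines to fail harmlessly while the verify step is what confirms the final state; if verify_vip_dns reports a mismatch, the VIP in public_vip.yaml and the record in IdM have drifted apart and the certificate certmonger requests for that name will not match the address clients reach.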
