You can change the cipher suites used by HAProxy and specify whether to encrypt in-flight data transferred between internal endpoints.

All public API endpoints in a VMware Integrated OpenStack deployment use TLS encryption. For HA deployments, traffic between internal endpoints is also encrypted using TLS 1.2. Because the internal endpoints in a compact or tiny deployment are located on a single virtual machine, traffic between internal endpoints is not encrypted for those deployment types by default.

When internal in-flight encryption is enabled, HAProxy acts as a Layer 4 load balancer instead of a Layer 7 load balancer for internal API calls and Horizon traffic. To ensure strong encryption performance, the Apache HTTP server on each controller terminates TLS for each individual OpenStack service. The Apache server then forwards the request over the local loopback interface to the backend service, such as Nova, Neutron, or Cinder. HAProxy also re-encrypts the request when sending it to a backend controller node over the internal network.

Procedure

  1. Log in to the OpenStack Management Server.
  2. If your deployment is not using a custom.yml file, copy the template custom.yml file to the /opt/vmware/vio/custom directory.
    sudo mkdir -p /opt/vmware/vio/custom
    sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
  3. Open the /opt/vmware/vio/custom/custom.yml file in a text editor and make the desired changes.
    • To adjust the cipher suites, uncomment the haproxy_ssl_default_bind_ciphers parameter and set its value to the desired cipher suites (an OpenSSL-style colon-separated cipher string, as used by the HAProxy ssl-default-bind-ciphers directive). This setting affects both public and internal endpoints.

    • To toggle TLS protection for internal endpoints, uncomment the internal_api_protocol parameter and set its value to https (TLS enabled) or http (TLS disabled).

  4. Deploy the updated configuration.
    sudo viocli deployment configure

    Deploying the configuration briefly interrupts OpenStack services.

  5. If you changed the value of the internal_api_protocol parameter, update the Keystone endpoint URL accordingly.
    1. In the vSphere Web Client, select Administration > OpenStack.
    2. Select the KEYSTONE endpoint and click the Edit (pencil) icon.
    3. In the Update Endpoint section, change the URL to begin with http or https depending on your configuration.
    4. Enter the administrator password and click Update.
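The following pre-deployment check is an added example, not part of the VMware Integrated OpenStack documentation or product: it parses a constructed custom.yml fragment, flags cipher suites in haproxy_ssl_default_bind_ciphers that lack forward secrecy or use weak primitives, and confirms that internal_api_protocol agrees with the scheme of the Keystone endpoint URL from step 5. The weak-cipher heuristics and the sample values are assumptions made for the example.

```python
import re

# Constructed sample custom.yml fragment (not the real VIO template); two suites lack PFS or use RC4.
SAMPLE_CUSTOM_YML = """\
# haproxy_ssl_default_bind_ciphers: (commented-out template line, must be ignored)
haproxy_ssl_default_bind_ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:RC4-SHA
internal_api_protocol: https
"""

# Substrings in an OpenSSL cipher name that mark the suite as weak (assumed heuristic, not from the docs).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "PSK", "SRP", "ADH", "AECDH")

def parse_params(text):
    """Return the uncommented top-level `key: value` pairs of a YAML fragment."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.+?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2).strip("'\"")
    return params

def weak_ciphers(cipher_string):
    """List enabled suites in a ':'-separated OpenSSL cipher string that lack
    forward secrecy (no ECDHE/DHE key exchange) or use a weak primitive."""
    bad = []
    for suite in cipher_string.split(":"):
        if not suite or suite[0] in "!-":
            continue  # '!' and '-' entries remove suites; they enable nothing
        name = suite.lstrip("+")
        if not name.startswith(("ECDHE", "DHE")) or any(w in name for w in WEAK_MARKERS):
            bad.append(suite)
    return bad

def check_config(text, keystone_url):
    """Return findings for a custom.yml fragment plus the Keystone endpoint URL."""
    findings = []
    p = parse_params(text)
    for suite in weak_ciphers(p.get("haproxy_ssl_default_bind_ciphers", "")):
        findings.append(f"weak or non-PFS cipher suite enabled: {suite}")
    proto = p.get("internal_api_protocol")
    if proto is None:
        findings.append("internal_api_protocol is commented out: default depends on "
                        "deployment type (https for HA, http for compact/tiny)")
    else:
        if proto != "https":
            findings.append("internal_api_protocol is http: internal traffic is cleartext")
        if not keystone_url.startswith(proto + "://"):
            findings.append(f"Keystone endpoint URL scheme does not match internal_api_protocol ({proto})")
    return findings
```

Run check_config against the real /opt/vmware/vio/custom/custom.yml and the current Keystone URL before step 4; an empty result means no weak suites were enabled and the endpoint scheme already matches.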