You can change the cipher suites used by HAProxy and specify whether to encrypt in-flight data transferred between internal endpoints.

All public API endpoints in a VMware Integrated OpenStack deployment can be accessed using TLS 1.1 or 1.2. For HA deployments, traffic between internal endpoints is encrypted using TLS 1.2 only. Because the internal endpoints in a compact or tiny deployment are located on a single virtual machine, traffic between internal endpoints is not encrypted for those deployment types by default.

When internal in-flight encryption is enabled, HAProxy acts as a Layer 4 load balancer instead of a Layer 7 load balancer for internal API calls and Horizon traffic. To keep encryption performance high, the Apache HTTP server on each controller terminates TLS for each individual OpenStack service. The Apache server then forwards the request over the local loopback interface to the back-end service, such as Nova, Neutron, or Cinder. HAProxy also re-encrypts the request when sending it to a back-end controller node over the internal network.

Procedure

  1. Log in to the OpenStack Management Server as viouser.
  2. If your deployment is not using a custom.yml file, copy the template custom.yml file to the /opt/vmware/vio/custom directory.
    sudo mkdir -p /opt/vmware/vio/custom
    sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
  3. Open the /opt/vmware/vio/custom/custom.yml file in a text editor.
  4. Modify encryption settings as desired.
    • To adjust the cipher suites, uncomment the haproxy_ssl_default_bind_ciphers parameter and set its value to the desired cipher suite.
    • To toggle TLS protection for internal endpoints, uncomment the internal_api_protocol parameter and set its value to https (TLS enabled) or http (TLS disabled).
  5. Deploy the updated configuration.
    sudo viocli deployment configure

    Deploying the configuration briefly interrupts OpenStack services.

  6. If you changed the value of the internal_api_protocol parameter, update the Keystone endpoint URL accordingly.
    1. In the vSphere Web Client, select Administration > OpenStack.
      Note: The HTML5 vSphere Client does not currently support this operation. Use the Flex-based vSphere Web Client.
    2. Select the KEYSTONE endpoint and click the Edit (pencil) icon.
    3. In the Update Endpoint section, change the URL to begin with http or https depending on your configuration.
    4. Enter the administrator password and click Update.
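A pre-deployment check for the two parameters edited in step 4, added here as an example and not part of the VMware documentation or the viocli tooling. The custom.yml fragment and the cipher list in it are constructed, and the set of "weak" cipher words is an assumption (a judgement call, not an exhaustive policy); run it against /opt/vmware/vio/custom/custom.yml before step 5.

```python
import re

# Constructed custom.yml fragment (not VMware's template): the template line is
# still commented out, and the two parameters from step 4 are set below it.
SAMPLE_CUSTOM_YML = """\
# haproxy_ssl_default_bind_ciphers: ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA
haproxy_ssl_default_bind_ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5
internal_api_protocol: https
"""

# OpenSSL cipher-list words that select broken, anonymous or catch-all groups
# when used as a positive selection (assumed policy, not exhaustive).
WEAK_WORDS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXP", "EXPORT", "ADH", "AECDH",
              "aNULL", "eNULL", "LOW", "MEDIUM", "ALL", "COMPLEMENTOFDEFAULT"}

def load_active_params(text):
    """Return the uncommented top-level `key: value` lines as a dict."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def weak_cipher_selections(cipher_list):
    """Positive tokens of an OpenSSL cipher list that name a weak algorithm.
    Exclusions ('!RC4', '-MD5') and sort directives ('@STRENGTH') are skipped."""
    flagged = []
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token or token[0] in "!-@":
            continue
        words = set(token.lstrip("+").split("-"))
        if words & WEAK_WORDS:
            flagged.append(token)
    return flagged

def check_encryption_settings(text):
    """Lint the two parameters this procedure changes; return a list of findings."""
    params = load_active_params(text)
    findings = []
    ciphers = params.get("haproxy_ssl_default_bind_ciphers")
    if ciphers is not None:
        for token in weak_cipher_selections(ciphers):
            findings.append(f"weak cipher selection in haproxy_ssl_default_bind_ciphers: {token}")
    proto = params.get("internal_api_protocol")
    if proto is not None and proto not in ("http", "https"):
        findings.append(f"internal_api_protocol must be http or https, got {proto!r}")
    elif proto == "http":
        findings.append("internal_api_protocol is http: internal in-flight traffic is not encrypted")
    return findings

if __name__ == "__main__":
    for finding in check_encryption_settings(SAMPLE_CUSTOM_YML) or ["no findings"]:
        print(finding)
```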