All public API endpoints are protected by TLS encryption. Internal endpoints can also be encrypted using strong TLS 1.2 encryption. TLS encryption is enabled by default on standard HA deployments of VMware Integrated OpenStack, and is optional on single VM and compact deployments.

To toggle TLS protection for internal endpoints, uncomment the following setting in custom.yml.

#internal_api_protocol: <https|http>

  • To enable encryption, set the value to https.

  • To disable encryption, set the value to http.

To activate the setting, log in as root on the OpenStack Management server and run the following command.

viocli deployment configure

When in-flight encryption is enabled, HAProxy switches from serving as a layer-7 load balancer to serving as a layer-4 load balancer for internal API calls and Horizon traffic. That is, it load balances based on TCP flows rather than HTTP requests. To ensure strong encryption performance, the Apache HTTP server on each controller terminates TLS for each individual OpenStack service. Apache then forwards the request over the local loopback interface to the backend service, such as Nova, Neutron, or Cinder.

In addition, HAProxy re-encrypts the request when sending it to a backend controller node over the internal network. All API requests flowing over the internal network use TLS version 1.2 with a strong cipher suite.

To adjust the cipher suites for both the public and internal endpoints, modify the following setting in custom.yml:

# haproxy_ssl_default_bind_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:!aNULL:!MD5:!DSS"
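Before changing haproxy_ssl_default_bind_ciphers it is worth checking the list you intend to deploy: a lost ":" separator fuses two names into one token that OpenSSL will not recognise, and the default list above also still contains static-RSA and CBC suites that a stricter policy may want to drop. The following script is an added example, not part of the VMware documentation or of VMware Integrated OpenStack; it parses a cipher list string in the format used above, reports malformed tokens, classifies each suite by forward secrecy, AEAD mode and SHA-1 MAC, and derives a tightened list. The constant VIO_PAGE_CIPHERS is copied from the cipher list as it appears on this page, including the fused "SHA384DHE" token, so the audit demonstrably catches it; all function names are this example's own.

```python
"""Audit an OpenSSL/HAProxy cipher list such as haproxy_ssl_default_bind_ciphers."""
import re
from dataclasses import dataclass, field

# Cipher list as printed on the page, with its lost ':' (".....SHA384DHE-RSA...")
# left in place so the audit below has something to find.
VIO_PAGE_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_GCM_SHA256:"
    "TLS_RSA_WITH_AES_128_CBC_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:"
    "!aNULL:!MD5:!DSS"
)

# A well-formed cipher name is either OpenSSL style (ECDHE-RSA-AES128-GCM-SHA256)
# or IANA style (TLS_RSA_WITH_AES_128_GCM_SHA256).
CIPHER_NAME = re.compile(r"^(?:[A-Z0-9]+(?:-[A-Z0-9]+)+|TLS_[A-Z0-9_]+)$")
# A digest name directly followed by a letter ("SHA384DHE") means two names were
# fused because the ':' between them was dropped.
FUSED_NAME = re.compile(r"(?:SHA\d*|MD5)(?=[A-Z])")


@dataclass
class CipherAudit:
    directives: list = field(default_factory=list)         # !aNULL, !MD5, ...
    malformed: list = field(default_factory=list)          # tokens OpenSSL would reject
    accepted: list = field(default_factory=list)           # structurally valid suites
    no_forward_secrecy: list = field(default_factory=list)  # static RSA key exchange
    non_aead: list = field(default_factory=list)           # CBC suites (no GCM/CCM/ChaCha)
    sha1_mac: list = field(default_factory=list)           # suites ending in SHA (SHA-1 HMAC)


def has_forward_secrecy(name: str) -> bool:
    return name.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


def is_aead(name: str) -> bool:
    return any(mode in name for mode in ("GCM", "CCM", "CHACHA20"))


def uses_sha1_mac(name: str) -> bool:
    return name.endswith(("-SHA", "_SHA"))


def audit_cipher_list(cipher_list: str) -> CipherAudit:
    """Split a ':'-separated cipher list and classify every token."""
    audit = CipherAudit()
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token:
            continue
        if token[0] in "!+-@":          # OpenSSL list directives, kept verbatim
            audit.directives.append(token)
            continue
        if not CIPHER_NAME.match(token) or FUSED_NAME.search(token):
            audit.malformed.append(token)
            continue
        audit.accepted.append(token)
        if not has_forward_secrecy(token):
            audit.no_forward_secrecy.append(token)
        if not is_aead(token):
            audit.non_aead.append(token)
        if uses_sha1_mac(token):
            audit.sha1_mac.append(token)
    return audit


def forward_secret_aead_only(cipher_list: str) -> str:
    """Return the list reduced to forward-secret AEAD suites, directives preserved."""
    audit = audit_cipher_list(cipher_list)
    keep = [c for c in audit.accepted if has_forward_secrecy(c) and is_aead(c)]
    return ":".join(keep + audit.directives)


if __name__ == "__main__":
    report = audit_cipher_list(VIO_PAGE_CIPHERS)
    print("malformed tokens:", report.malformed)
    fixed = VIO_PAGE_CIPHERS.replace("SHA384DHE", "SHA384:DHE")
    report = audit_cipher_list(fixed)
    print("suites without forward secrecy:", report.no_forward_secrecy)
    print("CBC (non-AEAD) suites:", len(report.non_aead), "SHA-1 MAC suites:", len(report.sha1_mac))
    print("tightened list:", forward_secret_aead_only(fixed))
```

The tightened list is a starting point, not a drop-in replacement: every suite you keep must be supported by the OpenSSL build behind HAProxy and Apache on the controllers and by every client and service that talks to the internal endpoints, so validate the candidate string with the local openssl ciphers command and a test deployment before running viocli deployment configure against production.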