VMware Integrated OpenStack services support TLS 1.2 with cipher suites ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256 by default. To customize a TLS cipher suite, you use the Kubernetes command-line utility.

Note: If you choose to configure a security protocol other than TLS, you assume a potential security risk.

The following procedure shows how to add a cipher suite for TLS 1.1 to the VMware Integrated OpenStack Horizon service.

Procedure

  1. Log in to the Integrated OpenStack Manager as the root user.
    ssh root@mgmt-server-ip
  2. Type the command to configure the Horizon service.
    osctl edit Horizon
  3. To use TLS 1.1 and add the cipher suite ECDHE-RSA-AES256-SHA384, specify the following configuration.
    spec:
      conf:
        ssl:
          protocol: TLSv1.1
          ciphersuite: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384
        horizon:
          local_settings:
            config:
              openstack_neutron_network:
  4. Save the configuration.
  5. After the Horizon service restarts, verify the protocol and cipher suite settings.
    1. Type the following command.
      osctl exec -it <pod-name> bash
    2. Open the configuration file /etc/apache2/mods-enabled/ssl.conf.
    3. To verify settings, look for the keywords SSLProtocol and SSLCipherSuite and check their values.
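
The check in step 5 can be scripted. The following is an added example, not part of the VMware procedure: it reads SSLProtocol and SSLCipherSuite from an Apache configuration file and reports protocols enabled below TLS 1.2 and cipher suites outside the default list given above. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not VMware code): audit the TLS directives in an Apache ssl.conf.
DEFAULT_SUITES="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"  # defaults listed on this page

# Value of the last uncommented occurrence of a directive (names are case-insensitive).
# Simplification: ignores VirtualHost scoping and SSLCipherSuite's optional protocol argument.
directive_value() {  # $1 = directive name, $2 = config file
  awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                 END { print v }' "$2"
}

# Tokens in an SSLProtocol value that enable a protocol below TLS 1.2 ("all" is not expanded).
legacy_protocols() {  # $1 = SSLProtocol value
  for tok in $1; do
    case "${tok#+}" in
      -*) ;;                                              # explicitly disabled
      SSLv3|TLSv1|TLSv1.1) printf '%s\n' "${tok#+}" ;;
    esac
  done
}

# Configured suites that are not in DEFAULT_SUITES.
extra_suites() {  # $1 = colon-separated SSLCipherSuite value
  printf '%s\n' "$1" | tr ':' '\n' | while read -r s; do
    [ -n "$s" ] || continue
    case ":$DEFAULT_SUITES:" in
      *":$s:"*) ;;
      *) printf '%s\n' "$s" ;;
    esac
  done
}

audit() {  # $1 = config file
  proto=$(directive_value SSLProtocol "$1")
  suites=$(directive_value SSLCipherSuite "$1")
  printf 'SSLProtocol: %s\nSSLCipherSuite: %s\n' "$proto" "$suites"
  legacy_protocols "$proto" | sed 's/^/  enabled below TLS 1.2: /'
  extra_suites "$suites"    | sed 's/^/  not in default list:   /'
}

# Constructed sample mirroring the values from step 3 (not a real VIO file).
write_sample() {  # $1 = output path
  cat > "$1" <<EOF
# SSLProtocol all -SSLv3
SSLProtocol TLSv1.1
SSLCipherSuite $DEFAULT_SUITES:ECDHE-RSA-AES256-SHA384
EOF
}

if [ -f "${1:-}" ]; then audit "$1"; fi  # e.g. sh audit.sh /etc/apache2/mods-enabled/ssl.conf
```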