IBM Cloud Orchestrator, Version 2.5.0.6

[Upgrade] Reconfiguring OpenStack having keystone endpoint on HTTPS

For an OpenStack installation that has its keystone endpoint on HTTPS, configure the integration of that installation with IBM® Cloud Orchestrator.

Before you begin

  • If you are integrating with IBM Cloud Manager with OpenStack, ensure that the version is at least 4.3.0.7.
  • If you are integrating with IBM Cloud Manager with OpenStack, configure all the V3 endpoints to communicate in HTTPS as described at: Configuring IBM Cloud Manager with OpenStack for HTTPS.
  • If you are integrating with an externally provided OpenStack, ensure that the level is either Mitaka or Ocata and that it is already configured with the keystone endpoint on HTTPS.

If you are using a Public Cloud Gateway that is configured with IBM Cloud Orchestrator in HTTPS, then run the following script from the IBM Cloud Orchestrator installation directory to delete Public Cloud Gateway HTTP endpoints from keystone:

delete_pcg_endpoints.sh response_file user_name

About this task

This version of IBM Cloud Orchestrator also supports integration with OpenStack Ocata release with keystone endpoint on HTTPS.

This is especially needed when some components of IBM Cloud Orchestrator are deployed in a public data center or cloud, as described at: https://www.ibm.com/support/knowledgecenter/en/SST55W_4.3.0/liaca/liaca_hybrid_hybrid_cloud.html.

Procedure

  1. Stop all IBM Cloud Orchestrator services.

    If IBM Cloud Orchestrator is not configured in high availability, run the following command from <ICO_Install_Directory>/orchestrator/scorchestrator to stop the services:

    ./SCOrchestrator.py --stop

    If IBM Cloud Orchestrator is configured in HA, run the following command on the primary IBM Cloud Orchestrator node to stop all services:

    chrg -o Offline central-services-rg

  2. For BYOOS Mitaka/Ocata OpenStack or IBM Cloud Manager with OpenStack, copy server.crt from /etc/ssl/certs on the master controller to /tmp on the IBM Cloud Orchestrator node, and rename server.crt to openstack.crt. For IBM Cloud Manager with OpenStack, see Adding the certificate bundle of IBM Cloud Manager with OpenStack to IBM Cloud Orchestrator Server.
    Note: For IBM Cloud Orchestrator configured in HA, copy the file to both the IBM Cloud Orchestrator nodes.
  3. To configure IBM Cloud Orchestrator to communicate with the OpenStack endpoints over HTTPS, do the following steps:
    1. Create a reconfig folder in the IBM Cloud Orchestrator installation directory. By default, the installation directory is /opt/ibm/ico.
    2. Depending on the type of IBM Cloud Orchestrator installation, copy the ico_reconfigure_for_https_endpoints.sh or ico_ha_reconfigure_for_https_endpoints.sh script file from the ico_reconfig directory in the installer folder to the reconfig folder.
    3. For IBM Cloud Orchestrator non-HA installation, run the following script from reconfig directory:
      ./ico_reconfigure_for_https_endpoints.sh <Old_Keystone_Hostname> <New_Keystone_Hostname>
      where <Old_Keystone_Hostname> is the FQDN of the host where the HTTP endpoint is configured and <New_Keystone_Hostname> is the FQDN of the host where the HTTPS endpoint is configured. They may be the same if the host is converted rather than substituted.
    4. For IBM Cloud Orchestrator HA installation, run the following script from reconfig directory on the primary ICO node:
      ./ico_ha_reconfigure_for_https_endpoints.sh <Old_Keystone_Hostname> <New_Keystone_Hostname> <secondary ICO ip/hostname>
  4. If your <Old_Keystone_Hostname> and <New_Keystone_Hostname> values are different, then copy the value of simple_token_secret from /etc/keystone/keystone.conf of the <Old_Keystone_Hostname> to /etc/keystone/keystone.conf of <New_Keystone_Hostname>, and restart the keystone service.
  5. If you are using Public Cloud Gateway (PCG) with IBM Cloud Orchestrator, then do the following steps on the IBM Cloud Orchestrator node to configure it. For IBM Cloud Orchestrator in a HA environment, run the following commands from the IBM Cloud Orchestrator Primary Node.
    1. If the new OpenStack admin password is different from the IBM Cloud Manager with OpenStack admin password, then update the new admin password in the admin.json file. Run the following command to encrypt the current admin password:
      encryptPassword.sh <new admin password>

      Use the encrypted value to update the admin.json file. For more information about the script, see Command-line interface scripts.

    2. Assign the Public Cloud Gateway regions and availability zones to domains and project as needed.
  6. Optional: If you upgrade from IBM Cloud Orchestrator V2.5.0.2 LA0005 or V2.5.0.2 LA0006, then do the following steps to delete the Manage Domain action:
    1. Log in to IBM Cloud Orchestrator as administrative user.
    2. Go to Configuration > Action Registry.
    3. Search for Manage Domain action in the registry.
    4. Delete the action.
  7. Start all IBM Cloud Orchestrator services.
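
A pre-flight check for the certificate copied in step 2, to run before the reconfigure script in step 3. This is an added example, not part of the IBM Cloud Orchestrator scripts; `check_keystone_cert` is a hypothetical helper, and it assumes the `openssl` command-line tool is installed on the IBM Cloud Orchestrator node.

```shell
#!/bin/sh
# Added example: sanity-check the copied keystone certificate before reconfiguring.
# Usage (file and hostname are the values used in steps 2 and 3):
#   sh check_cert.sh /tmp/openstack.crt <New_Keystone_Hostname> [min_days_valid]

check_keystone_cert() {
    cert=$1; host=$2; min_days=${3:-30}; rc=0

    # 1. The file must parse as a PEM X.509 certificate.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 2
    fi

    # 2. A copy staged in /tmp must never carry the server's private key.
    if grep -q "PRIVATE KEY" "$cert"; then
        echo "FAIL: $cert contains a private key" >&2; rc=1
    fi

    # 3. Reject a certificate that expires within min_days.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $min_days days" >&2; rc=1
    fi

    # 4. The certificate name must match the FQDN given as <New_Keystone_Hostname>.
    #    -checkhost reports its result as text, so match on the message.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 \
            | grep -q "does match certificate"; then
        echo "FAIL: certificate does not match host $host" >&2; rc=1
    fi

    # 5. Print the SHA-256 fingerprint so it can be compared with the
    #    fingerprint of server.crt on the master controller.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
    return $rc
}

# Run the check only when a certificate file and hostname are supplied.
if [ "$#" -ge 2 ]; then check_keystone_cert "$@"; fi
```

In an HA installation, run the check on both IBM Cloud Orchestrator nodes and confirm that the fingerprints are identical.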

What to do next

Import the Self-service user interface certificate into an OpenStack server. For the actual procedure, see Importing SCUI certificate in an OpenStack Server.