If the OpenStack endpoints are on HTTPS, configure the integration of the OpenStack installation with IBM® Cloud Orchestrator.
Before you begin
- If you are integrating with IBM Cloud Manager with OpenStack, ensure that the version is at least 4.3.0.7.
- If you are integrating with IBM Cloud Manager with OpenStack, configure all the V3 endpoints to communicate in HTTPS as described at: Configuring IBM Cloud Manager with OpenStack for HTTPS.
- If you are integrating with an externally provided OpenStack, ensure that the level is either Mitaka or Ocata and that it is already configured with the keystone endpoint on HTTPS.
If you are using a Public Cloud Gateway that is configured with IBM Cloud Orchestrator in HTTPS, then run the following script from the IBM Cloud Orchestrator installation directory to delete the Public Cloud Gateway HTTP endpoints from keystone:
delete_pcg_endpoints.sh response_file user_name
About this task
This version of IBM Cloud Orchestrator also supports integration with the OpenStack Ocata release with the keystone endpoint on HTTPS. This is needed especially when some of the components of IBM Cloud Orchestrator are deployed in a public data center or cloud, as described at: https://www.ibm.com/support/knowledgecenter/en/SST55W_4.3.0/liaca/liaca_hybrid_hybrid_cloud.html.
Procedure
- Stop all IBM Cloud Orchestrator services.
  If IBM Cloud Orchestrator is not configured in high availability, run the following command from <ICO_Install_Directory>/orchestrator/scorchestrator to stop the services:
  ./SCOrchestrator.py --stop
  If IBM Cloud Orchestrator is configured in HA, run the following command on the primary IBM Cloud Orchestrator node to stop all services:
  chrg -o Offline central-services-rg
- For BYOOS Mitaka/Ocata OpenStack / IBM Cloud Manager with OpenStack, copy server.crt from /etc/ssl/certs of the master controller to /tmp of the IBM Cloud Orchestrator node. Rename server.crt to openstack.crt. For IBM Cloud Manager with OpenStack, see Adding the certificate bundle of IBM Cloud Manager with OpenStack to IBM Cloud Orchestrator Server.
  Note: For IBM Cloud Orchestrator configured in HA, copy the file to both the IBM Cloud Orchestrator nodes.
- To configure IBM Cloud Orchestrator to communicate with the OpenStack endpoints in HTTPS, do the following steps:
  - Create a reconfig folder in the IBM Cloud Orchestrator installation directory. By default, the installation directory is /opt/ibm/ico.
  - Based on the IBM Cloud Orchestrator installation, copy the ico_reconfigure_for_https_endpoints.sh or ico_ha_reconfigure_for_https_endpoints.sh script file from the ico_reconfig directory in the installer folder to the reconfig folder.
  - For an IBM Cloud Orchestrator non-HA installation, run the following script from the reconfig directory:
    ./ico_reconfigure_for_https_endpoints.sh <Old_Keystone_Hostname> <New_Keystone_Hostname>
    where <Old_Keystone_Hostname> is the FQDN of the host where the HTTP endpoint is configured and <New_Keystone_Hostname> is the FQDN of the host where the HTTPS endpoint is configured. They may be the same if the host is converted rather than substituted.
  - For an IBM Cloud Orchestrator HA installation, run the following script from the reconfig directory on the primary ICO node:
    ./ico_ha_reconfigure_for_https_endpoints.sh <Old_Keystone_Hostname> <New_Keystone_Hostname> <secondary ICO ip/hostname>
  - If your <Old_Keystone_Hostname> and <New_Keystone_Hostname> values are different, then copy the value of simple_token_secret from /etc/keystone/keystone.conf of the <Old_Keystone_Hostname> to /etc/keystone/keystone.conf of the <New_Keystone_Hostname>, and restart the keystone service.
- If you are using Public Cloud Gateway (PCG) with IBM Cloud Orchestrator, then do the following steps on the IBM Cloud Orchestrator node to configure it. For IBM Cloud Orchestrator in an HA environment, run the following commands from the IBM Cloud Orchestrator Primary Node.
  - If the new OpenStack admin password is different from the IBM Cloud Manager with OpenStack admin password, then update the new admin password in the admin.json file. Run the following command to encrypt the current admin password:
    encryptPassword.sh <new admin password>
    Use the encrypted value to update the admin.json file. For more information about the script, see Command-line interface scripts.
  - Assign the Public Cloud Gateway regions and availability zones to domains and project as needed.
- Optional: If you upgrade from IBM Cloud Orchestrator V2.5.0.2 LA0005 or V2.5.0.2 LA0006, then do the following steps to delete the Manage Domain action:
  - Log in to IBM Cloud Orchestrator as an administrative user.
  - Go to Configuration > Action Registry.
  - Search for the Manage Domain action in the registry.
  - Delete the action.
- Start all IBM Cloud Orchestrator services.
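Before running the reconfiguration script, it is worth confirming that the certificate staged in /tmp is the one you intend to trust. The following Bash script is an added example, not part of the IBM product or of this procedure; the function names and the script name check_cert.sh are hypothetical, and it assumes OpenSSL 1.0.2 or later on the IBM Cloud Orchestrator node.

```bash
#!/usr/bin/env bash
# Added example (not an IBM script). Assumes OpenSSL 1.0.2 or later.
# Hypothetical usage: ./check_cert.sh /tmp/openstack.crt <New_Keystone_Hostname>

# Print the SHA-256 fingerprint so it can be compared with the fingerprint of
# /etc/ssl/certs/server.crt computed on the master controller.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Return codes: 0 ok, 1 not a PEM certificate, 2 expired,
#               3 not valid for the host name, 4 unsafe file in the staging dir.
check_keystone_cert() {
    local cert="$1" host="$2"

    # /tmp is shared: refuse a symlink or a file that any user can rewrite.
    if [ -L "$cert" ] || [ -n "$(find "$cert" -prune -perm -002 2>/dev/null)" ]; then
        echo "FAIL: $cert is a symlink or is world-writable" >&2
        return 4
    fi
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2
        return 2
    fi
    # -checkhost reports the result as text, so match on its message.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $cert is not valid for $host" >&2
        return 3
    fi
    echo "OK: $cert matches $host, SHA-256 $(cert_fingerprint "$cert")"
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    check_keystone_cert "$1" "$2"
fi
```

In an HA installation, run the check on both IBM Cloud Orchestrator nodes and confirm that the fingerprints are identical.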
What to do next
Import the Self-service user interface certificate into an OpenStack server. For the actual procedure, see Importing SCUI certificate in an OpenStack Server.