diff --git a/README.rst b/README.rst
index 3e8decc..99a4ffe 100644
--- a/README.rst
+++ b/README.rst
@@ -59,7 +59,7 @@
             multihost: true
             multipath: true
             pool: SAS7K2
-        audit: 
+        audit:
           enabled: false
         osapi_max_limit: 500
 
@@ -161,6 +161,62 @@
           virtual_host: '/openstack'
         ....
 
+
+**Client-side RabbitMQ TLS configuration.**
+
+|
+
+To enable TLS for oslo.messaging you need to provide the CA certificate.
+By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+
+.. code-block:: yaml
+
+  cinder:
+    controller or volume:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+
+
+
+Use `cacert_file` option to specify the CA-cert file path explicitly:
+
+.. code-block:: yaml
+
+  cinder:
+    controller or volume:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert_file: /etc/ssl/rabbitmq-ca.pem
+
+To manage content of the `cacert_file` use the `cacert` option:
+
+.. code-block:: yaml
+
+  cinder:
+    controller or volume:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert: |
+
+          -----BEGIN CERTIFICATE-----
+                    ...
+          -----END CERTIFICATE-------
+
+          cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+Notice:
+ * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
+ * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+
+
+
 Cinder setup with zeroing deleted volumes
 
 .. code-block:: yaml
@@ -440,7 +496,7 @@
             type_name: GPFS-SILVER
             engine: gpfs
             mount_point: '/mnt/gpfs-openstack/cinder/silver'
-  
+
 Cinder setup with HP LeftHand
 
 .. code-block:: yaml
@@ -462,7 +518,7 @@
 
 .. code-block:: yaml
 
-    cinder type-key normal-storage set hplh:data_pl=r-10-2 hplh:provisioning=full 
+    cinder type-key normal-storage set hplh:data_pl=r-10-2 hplh:provisioning=full
 
 Cinder setup with Solidfire
 
@@ -527,7 +583,7 @@
           ceph_user: cinder
           ceph_chunk_size: 134217728
           restore_discard_excess_bytes: false
-          
+
 Enable auditing filter, ie: CADF
 
 .. code-block:: yaml
diff --git a/cinder/controller.sls b/cinder/controller.sls
index 8a810de..05c3c99 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import controller with context %}
+{%- from "cinder/map.jinja" import controller, system_cacerts_file with context %}
 {%- if controller.get('enabled', False) %}
 
 {%- set user = controller %}
@@ -63,6 +63,9 @@
   - onlyif: /bin/false
   {%- endif %}
   - watch:
+    {%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
     - file: /etc/apache2/conf-available/cinder-wsgi.conf
@@ -77,6 +80,9 @@
   - onlyif: /bin/false
   {%- endif %}
   - watch:
+    {%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
@@ -102,6 +108,9 @@
   - onlyif: /bin/false
   {%- endif %}
   - watch:
+    {%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
@@ -114,7 +123,6 @@
   - require:
     - service: cinder_controller_services
 
-{# new way #}
 {%- if not grains.get('noservices', False) %}
 
 {%- for backend_name, backend in controller.get('backend', {}).iteritems() %}
@@ -165,28 +173,6 @@
 
 {%- endif %}
 
-{# old way #}
-
-{% for type in controller.get('types', []) %}
-
-cinder_type_create_{{ type.name }}:
-  cmd.run:
-  - name: "source /root/keystonerc; cinder type-create {{ type.name }}"
-  - unless: "source /root/keystonerc; cinder type-list | grep {{ type.name }}"
-  - shell: /bin/bash
-  - require:
-    - service: cinder_controller_services
-
-cinder_type_update_{{ type.name }}:
-  cmd.run:
-  - name: "source /root/keystonerc; cinder type-key {{ type.name }} set volume_backend_name={{ type.get('backend', type.name) }}"
-  - unless: "source /root/keystonerc; cinder extra-specs-list | grep \"{u'volume_backend_name': u'{{ type.get('backend', type.name) }}'}\""
-  - shell: /bin/bash
-  - require:
-    - cmd: cinder_type_create_{{ type.name }}
-
-{% endfor %}
-
 {%- if controller.backup.engine != None %}
 
 cinder_backup_packages:
@@ -198,9 +184,26 @@
   - names: {{ controller.backup.services }}
   - enable: true
   - watch:
+    {%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
 {%- endif %}
 
+{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if controller.message_queue.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ controller.message_queue.ssl.cacert_file }}
+    - contents_pillar: cinder:controller:message_queue:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ controller.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
 {%- endif %}
diff --git a/cinder/files/mitaka/cinder.conf.controller.Debian b/cinder/files/mitaka/cinder.conf.controller.Debian
index b1ba8c2..2fd4277 100644
--- a/cinder/files/mitaka/cinder.conf.controller.Debian
+++ b/cinder/files/mitaka/cinder.conf.controller.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import controller with context %}
+{%- from "cinder/map.jinja" import controller, system_cacerts_file with context %}
 
 [DEFAULT]
 rootwrap_config = /etc/cinder/rootwrap.conf
@@ -122,14 +122,31 @@
 lock_path=/var/lock/cinder
 
 [oslo_messaging_rabbit]
+{%- set rabbit_port = controller.message_queue.get('port', 5671 if controller.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if controller.message_queue.members is defined %}
 rabbit_hosts = {% for member in controller.message_queue.members -%}
-                   {{ member.host }}:{{ member.get('port', 5672) }}
+                   {{ member.host }}:{{ member.get('port',rabbit_port) }}
                    {%- if not loop.last -%},{%- endif -%}
                {%- endfor -%}
 {%- else %}
 rabbit_host = {{ controller.message_queue.host }}
-rabbit_port = {{ controller.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if controller.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ controller.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if controller.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
 {%- endif %}
 
 rabbit_userid = {{ controller.message_queue.user }}
diff --git a/cinder/files/mitaka/cinder.conf.volume.Debian b/cinder/files/mitaka/cinder.conf.volume.Debian
index 5eee92a..8e90e4d 100644
--- a/cinder/files/mitaka/cinder.conf.volume.Debian
+++ b/cinder/files/mitaka/cinder.conf.volume.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import volume with context %}
+{%- from "cinder/map.jinja" import volume, system_cacerts_file with context %}
 
 [DEFAULT]
 rootwrap_config = /etc/cinder/rootwrap.conf
@@ -107,14 +107,31 @@
 lock_path=/var/lock/cinder
 
 [oslo_messaging_rabbit]
+{%- set rabbit_port = volume.message_queue.get('port', 5671 if volume.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if volume.message_queue.members is defined %}
 rabbit_hosts = {% for member in volume.message_queue.members -%}
-                   {{ member.host }}:{{ member.get('port', 5672) }}
+                   {{ member.host }}:{{ member.get('port',rabbit_port) }}
                    {%- if not loop.last -%},{%- endif -%}
                {%- endfor -%}
 {%- else %}
 rabbit_host = {{ volume.message_queue.host }}
-rabbit_port = {{ volume.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if volume.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ volume.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if volume.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ volume.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
 {%- endif %}
 
 rabbit_userid = {{ volume.message_queue.user }}
diff --git a/cinder/files/newton/cinder.conf.controller.Debian b/cinder/files/newton/cinder.conf.controller.Debian
index c8f137c..9d2e42b 100644
--- a/cinder/files/newton/cinder.conf.controller.Debian
+++ b/cinder/files/newton/cinder.conf.controller.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import controller with context %}
+{%- from "cinder/map.jinja" import controller, system_cacerts_file with context %}
 
 [DEFAULT]
 rootwrap_config = /etc/cinder/rootwrap.conf
@@ -65,7 +65,6 @@
 rpc_response_timeout=3600
 
 #Rabbit
-rpc_backend=rabbit
 control_exchange=cinder
 
 
@@ -96,14 +95,15 @@
 
 osapi_volume_extension = cinder.api.contrib.standard_extensions
 
+{%- set rabbit_port = controller.message_queue.get('port', 5671 if controller.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if controller.message_queue.members is defined %}
 transport_url = rabbit://{% for member in controller.message_queue.members -%}
-                             {{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ controller.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ controller.message_queue.host }}:{{ controller.message_queue.port }}/{{ controller.message_queue.virtual_host }}
+transport_url = rabbit://{{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ controller.message_queue.host }}:{{ rabbit_port }}/{{ controller.message_queue.virtual_host }}
 {%- endif %}
 
 {%- if controller.backup.engine != None %}
@@ -141,7 +141,23 @@
 
 enable_proxy_headers_parsing = True
 
+{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
 [oslo_messaging_rabbit]
+rabbit_use_ssl=true
+
+{%- if controller.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ controller.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if controller.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
 
 [keystone_authtoken]
 signing_dir=/tmp/keystone-signing-cinder
diff --git a/cinder/files/newton/cinder.conf.volume.Debian b/cinder/files/newton/cinder.conf.volume.Debian
index d5ff9cf..04d8cc0 100644
--- a/cinder/files/newton/cinder.conf.volume.Debian
+++ b/cinder/files/newton/cinder.conf.volume.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import volume with context %}
+{%- from "cinder/map.jinja" import volume, system_cacerts_file with context %}
 
 [DEFAULT]
 rootwrap_config = /etc/cinder/rootwrap.conf
@@ -62,7 +62,6 @@
 rpc_response_timeout=3600
 
 #Rabbit
-rpc_backend=rabbit
 control_exchange=cinder
 
 
@@ -85,14 +84,15 @@
 nova_catalog_admin_info = compute:nova:adminURL
 nova_catalog_info = compute:nova:{{ volume.identity.get('endpoint_type', 'publicURL') }}
 
+{%- set rabbit_port = volume.message_queue.get('port', 5671 if volume.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if volume.message_queue.members is defined %}
 transport_url = rabbit://{% for member in volume.message_queue.members -%}
-                             {{ volume.message_queue.user }}:{{ volume.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ volume.message_queue.user }}:{{ volume.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ volume.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ volume.message_queue.user }}:{{ volume.message_queue.password }}@{{ volume.message_queue.host }}:{{ volume.message_queue.port }}/{{ volume.message_queue.virtual_host }}
+transport_url = rabbit://{{ volume.message_queue.user }}:{{ volume.message_queue.password }}@{{ volume.message_queue.host }}:{{ rabbit_port }}/{{ volume.message_queue.virtual_host }}
 {%- endif %}
 
 {%- if volume.backup.engine != None %}
@@ -130,7 +130,22 @@
 
 enable_proxy_headers_parsing = True
 
+{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
 [oslo_messaging_rabbit]
+rabbit_use_ssl=true
+
+{%- if volume.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ volume.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if volume.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ volume.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
 
 [keystone_authtoken]
 signing_dir=/tmp/keystone-signing-cinder
diff --git a/cinder/files/ocata/cinder.conf.controller.Debian b/cinder/files/ocata/cinder.conf.controller.Debian
index c8f137c..9d2e42b 100644
--- a/cinder/files/ocata/cinder.conf.controller.Debian
+++ b/cinder/files/ocata/cinder.conf.controller.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import controller with context %}
+{%- from "cinder/map.jinja" import controller, system_cacerts_file with context %}
 
 [DEFAULT]
 rootwrap_config = /etc/cinder/rootwrap.conf
@@ -65,7 +65,6 @@
 rpc_response_timeout=3600
 
 #Rabbit
-rpc_backend=rabbit
 control_exchange=cinder
 
 
@@ -96,14 +95,15 @@
 
 osapi_volume_extension = cinder.api.contrib.standard_extensions
 
+{%- set rabbit_port = controller.message_queue.get('port', 5671 if controller.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if controller.message_queue.members is defined %}
 transport_url = rabbit://{% for member in controller.message_queue.members -%}
-                             {{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ controller.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ controller.message_queue.host }}:{{ controller.message_queue.port }}/{{ controller.message_queue.virtual_host }}
+transport_url = rabbit://{{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ controller.message_queue.host }}:{{ rabbit_port }}/{{ controller.message_queue.virtual_host }}
 {%- endif %}
 
 {%- if controller.backup.engine != None %}
@@ -141,7 +141,23 @@
 
 enable_proxy_headers_parsing = True
 
+{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
 [oslo_messaging_rabbit]
+rabbit_use_ssl=true
+
+{%- if controller.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ controller.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if controller.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
 
 [keystone_authtoken]
 signing_dir=/tmp/keystone-signing-cinder
diff --git a/cinder/files/ocata/cinder.conf.volume.Debian b/cinder/files/ocata/cinder.conf.volume.Debian
index d5ff9cf..04d8cc0 100644
--- a/cinder/files/ocata/cinder.conf.volume.Debian
+++ b/cinder/files/ocata/cinder.conf.volume.Debian
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import volume with context %}
+{%- from "cinder/map.jinja" import volume, system_cacerts_file with context %}
 
 [DEFAULT]
 rootwrap_config = /etc/cinder/rootwrap.conf
@@ -62,7 +62,6 @@
 rpc_response_timeout=3600
 
 #Rabbit
-rpc_backend=rabbit
 control_exchange=cinder
 
 
@@ -85,14 +84,15 @@
 nova_catalog_admin_info = compute:nova:adminURL
 nova_catalog_info = compute:nova:{{ volume.identity.get('endpoint_type', 'publicURL') }}
 
+{%- set rabbit_port = volume.message_queue.get('port', 5671 if volume.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if volume.message_queue.members is defined %}
 transport_url = rabbit://{% for member in volume.message_queue.members -%}
-                             {{ volume.message_queue.user }}:{{ volume.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ volume.message_queue.user }}:{{ volume.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ volume.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ volume.message_queue.user }}:{{ volume.message_queue.password }}@{{ volume.message_queue.host }}:{{ volume.message_queue.port }}/{{ volume.message_queue.virtual_host }}
+transport_url = rabbit://{{ volume.message_queue.user }}:{{ volume.message_queue.password }}@{{ volume.message_queue.host }}:{{ rabbit_port }}/{{ volume.message_queue.virtual_host }}
 {%- endif %}
 
 {%- if volume.backup.engine != None %}
@@ -130,7 +130,22 @@
 
 enable_proxy_headers_parsing = True
 
+{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
 [oslo_messaging_rabbit]
+rabbit_use_ssl=true
+
+{%- if volume.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ volume.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if volume.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ volume.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
 
 [keystone_authtoken]
 signing_dir=/tmp/keystone-signing-cinder
diff --git a/cinder/map.jinja b/cinder/map.jinja
index d0ea11a..134ac55 100644
--- a/cinder/map.jinja
+++ b/cinder/map.jinja
@@ -1,3 +1,7 @@
+{%- set system_cacerts_file = salt['grains.filter_by']({
+    'Debian': '/etc/ssl/certs/ca-certificates.crt',
+    'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+})%}
 
 {% set controller = salt['grains.filter_by']({
     'Debian': {
diff --git a/cinder/meta/prometheus.yml b/cinder/meta/prometheus.yml
index 35e5ea8..3902d26 100644
--- a/cinder/meta/prometheus.yml
+++ b/cinder/meta/prometheus.yml
@@ -9,7 +9,7 @@
 {%- raw %}
     CinderAPIDown:
       if: >-
-        max(openstack_api_check_status{service=~"cinder.+"}) by (service) == 0
+        max(openstack_api_check_status{service=~"cinder.*"}) by (service) == 0
       for: 2m
       labels:
         severity: down
@@ -20,7 +20,7 @@
             Endpoint check for '{{ $labels.service }}' is down for 2 minutes
     CinderSomeServicesDown:
       if: >-
-          openstack_cinder_services{state="down",service="cinder-volume|cinder-scheduler"} > 0 and ignoring (state) openstack_cinder_services{state="up",services="cinder-volume|cinder-scheduler"} >= 2
+          openstack_cinder_services{state="down",service=~"cinder-volume|cinder-scheduler"} > 0 and ignoring (state) openstack_cinder_services{state="up",service=~"cinder-volume|cinder-scheduler"} >= 2
       for: 2m
       labels:
         severity: warning
@@ -31,7 +31,7 @@
             {{ $value }} {{ $labels.service }} services are down for 2 minutes
     CinderOnlyOneServiceUp:
       if: >-
-          openstack_cinder_services{state="up",service="cinder-volume|cinder-scheduler"} == 1 and ignoring (state) openstack_cinder_services{state="down",service="cinder-volume|cinder-scheduler"} > 0
+          openstack_cinder_services{state="up",service=~"cinder-volume|cinder-scheduler"} == 1 and ignoring (state) openstack_cinder_services{state="down",service=~"cinder-volume|cinder-scheduler"} > 0
       for: 2m
       labels:
         severity: critical
@@ -42,7 +42,7 @@
             Only one {{ $labels.service }} service is up for 2 minutes
     CinderAllServicesDown:
       if: >-
-        openstack_cinder_services{state="up",service="cinder-volume|cinder-scheduler"} == 0
+        openstack_cinder_services{state="up",service=~"cinder-volume|cinder-scheduler"} == 0
       for: 2m
       labels:
         severity: down
diff --git a/cinder/volume.sls b/cinder/volume.sls
index 29f7ef6..80addca 100644
--- a/cinder/volume.sls
+++ b/cinder/volume.sls
@@ -1,4 +1,4 @@
-{%- from "cinder/map.jinja" import volume with context %}
+{%- from "cinder/map.jinja" import volume, system_cacerts_file with context %}
 {%- if volume.enabled %}
 
 {%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
@@ -22,6 +22,20 @@
 
 {%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
 
+{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if volume.message_queue.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ volume.message_queue.ssl.cacert_file }}
+    - contents_pillar: cinder:volume:message_queue:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ volume.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
 /etc/cinder/cinder.conf:
   file.managed:
   - source: salt://cinder/files/{{ volume.version }}/cinder.conf.volume.{{ grains.os_family }}
@@ -50,6 +64,9 @@
   - onlyif: /bin/false
   {%- endif %}
   - watch:
+    {%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
@@ -65,11 +82,12 @@
   - onlyif: /bin/false
   {%- endif %}
   - watch:
+    {%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
-{# new way #}
-
 {%- if volume.backend is defined %}
 
 {%- for backend_name, backend in volume.get('backend', {}).iteritems() %}
@@ -174,92 +192,4 @@
 
 {%- endif %}
 
-{# old way #}
-
-{%- if volume.storage is defined %}
-
-{%- if volume.storage.engine in ['iscsi', 'hp_lefthand'] %}
-
-cinder_iscsi_packages:
-  pkg.installed:
-  - names:
-    - iscsitarget
-    - open-iscsi
-    - iscsitarget-dkms
-  - require:
-    - pkg: cinder_volume_packages
-
-/etc/default/iscsitarget:
-  file.managed:
-  - source: salt://cinder/files/iscsitarget
-  - template: jinja
-  - require:
-    - pkg: cinder_iscsi_packages
-
-cinder_scsi_service:
-  service.running:
-  - names:
-    - iscsitarget
-    - open-iscsi
-  - enable: true
-  {%- if grains.get('noservices') %}
-  - onlyif: /bin/false
-  {%- endif %}
-  - watch:
-    - file: /etc/default/iscsitarget
-
-{%- endif %}
-
-{%- if volume.storage.engine == 'hitachi_vsp' %}
-
-{%- if grains.os_family == 'Debian' and volume.version == 'juno' %}
-
-hitachi_pkgs:
-  pkg.latest:
-    - names:
-      - horcm
-      - hbsd
-
-cinder_hitachi_vps_dir:
-  file.directory:
-  - name: /var/lock/hbsd
-  - user: cinder
-  - group: cinder
-
-{%- endif %}
-
-{%- endif %}
-
-{%- if volume.storage.engine == 'hp3par' %}
-
-hp3parclient:
-  pkg.latest:
-    - name: python-hp3parclient
-
-{%- endif %}
-
-{%- if volume.storage.engine == 'fujitsu' %}
-
-cinder_driver_fujitsu:
-  pkg.latest:
-    - name: cinder-driver-fujitsu
-
-{%- for type in volume.get('types', []) %}
-
-/etc/cinder/cinder_fujitsu_eternus_dx_{{ type.name }}.xml:
-  file.managed:
-  - source: salt://cinder/files/{{ volume.version }}/cinder_fujitsu_eternus_dx.xml
-  - template: jinja
-  - defaults:
-      volume_type_name: "{{ type.pool }}"
-  - require:
-    - pkg: cinder-driver-fujitsu
-
-{%- endfor %}
-
-{%- endif %}
-
-{%- endif %}
-
-
 {%- endif %}
diff --git a/tests/pillar/netapp.sls b/tests/pillar/netapp.sls
index ada170e..f48845b 100644
--- a/tests/pillar/netapp.sls
+++ b/tests/pillar/netapp.sls
@@ -2,6 +2,13 @@
   controller:
     enabled: true
     version: mitaka
+    message_queue:
+      engine: rabbitmq
+      host: 127.0.0.1
+      port: 5672
+      user: openstack
+      password: pwd
+      virtual_host: '/openstack'
     backend:
       netapp:
         engine: netapp
@@ -24,6 +31,13 @@
   volume:
     enabled: true
     version: mitaka
+    message_queue:
+      engine: rabbitmq
+      host: 127.0.0.1
+      port: 5672
+      user: openstack
+      password: pwd
+      virtual_host: '/openstack'
 linux:
   system:
     package:
diff --git a/tests/pillar/nfs.sls b/tests/pillar/nfs.sls
index c79b3c1..f882c79 100644
--- a/tests/pillar/nfs.sls
+++ b/tests/pillar/nfs.sls
@@ -3,6 +3,13 @@
     enabled: true
     version: liberty
     default_volume_type: nfs-driver
+    message_queue:
+      engine: rabbitmq
+      host: 127.0.0.1
+      port: 5672
+      user: openstack
+      password: pwd
+      virtual_host: '/openstack'
     backend:
       nfs-driver:
         engine: nfs
@@ -16,9 +23,16 @@
     enabled: true
     version: liberty
     default_volume_type: nfs-driver
+    message_queue:
+      engine: rabbitmq
+      host: 127.0.0.1
+      port: 5672
+      user: openstack
+      password: pwd
+      virtual_host: '/openstack'
     backend:
       nfs-driver:
         enabled: true
         engine: nfs
         type_name: nfs-driver
-        volume_group: cinder-volume
\ No newline at end of file
+        volume_group: cinder-volume
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
new file mode 100644
index 0000000..c929373
--- /dev/null
+++ b/tests/pillar/ssl.sls
@@ -0,0 +1,13 @@
+include:
+  - .ceph_single
+cinder:
+  controller:
+    message_queue:
+      port: 5671
+      ssl:
+        enabled: True
+  volume:
+    message_queue:
+      port: 5671
+      ssl:
+        enabled: True