The most recent stable release of Keystone does not support serving its API over HTTPS (TLS). This functionality was available in the Diablo release, but was removed in Essex.
TLS should be enabled by default. Credentials should never be sent to an authentication server as plain text. If OpenStack APIs are made publicly available, the Keystone server must also be on a public interface to be accessible to the Nova, Glance, and Swift client tools. Without TLS, credentials sent to Keystone cross that public interface unencrypted. This is a major security vulnerability that impacts all production deployments.