After over a month, I got this to work - here are the basics. If you are having trouble and need more details, ping me...
SSL -> generated a key and got an officially signed cert, not self-signed. Put them in /etc/keystone/ssl/certs & .../private for future reference
keystone:
1 -> changed keystone.conf file [signing] and [ssl] sections with those paths and other details about the key I generated. However, I am still uncertain that this is used other than to generate self-signed key/cert (which I did not use). I am not certain that these values are read from the conf file and used for keystone operation/authentication.
2 -> changed the keystone endpoints in the keystone database to https, ports 5000 & 35357.
3 -> installed apache wsgi module and configured wsgi_keystone.conf in apache to turn on SSLEngine, SSLCertificateKeyFile, SSLCertificateFile & SSLCertificateChainFile with files obtained from the cert authority. I did this for both keystone ports.
swift:
1 -> changed proxy-server.conf to change swift bind_port to 8081, put the key/cert in key_file & cert_file strings, but later took them out to revert swift back to non-ssl (on port 8081). I also changed the auth_uri & auth_url strings to https://myserver-fqdn:5000 & ...:35357 directing swift to talk to keystone with ssl (through apache wsgi...)
2 -> I changed the swift endpoints in the keystone database to https://myserver.fqdn:8080/... to direct swift traffic through a secure apache url/uri.
3 -> all Apache modules were already installed (mod_ssl & mod_proxy). I added a file to configure Apache to listen for swift on a secure port and SSL-terminate: /etc/httpd/conf.d/proxy-swift.conf with Proxy stuff (ProxyPass, ProxyPassReverse, ProxyRequests & ProxyPreserveHost) and SSL stuff (same as for wsgi_keystone)
I added SSL to swift because it seemed like CommVault was trying to talk to swift using ssl/https, so I ended up having to make swift API non-ssl and using Apache to run interference for me/commvault. I had other errors when swift API was configured for SSL. Now that it is all figured out, it makes perfect sense. Scary!
My most pressing question is should I build 1 new container with 3 volumes (1/zone) that is the backend for 1 new commvault MagneticLibrary that is assigned to 1 new commvault storage policy???
Or build 3 new containers with one volume each from each of my 3 zones that are the backend for 3 new commvault MagLibs that are assigned to 1 new commvault storage policy using a round-robin fashion.
My desired end result is to have the commvault backup data replicated in multiple sites for disaster recovery purposes.
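
A sketch of the proxy-swift.conf layout described in swift step 3 above, added here as an illustration and not the poster's actual file: Apache terminates TLS on 8080 and forwards to the non-SSL swift proxy on 8081. The certificate file names, the private-key directory, the `127.0.0.1` backend address and the `bind_ip` remark are assumptions; the ports, hostname and directive names come from the post.

```apache
# /etc/httpd/conf.d/proxy-swift.conf
# Added example. File names below are constructed placeholders.

# Public, TLS-protected port that the swift endpoints in keystone point at.
Listen 8080 https

<VirtualHost *:8080>
    ServerName myserver.fqdn

    # --- SSL termination (same directives as in wsgi_keystone.conf) ---
    SSLEngine on
    SSLCertificateFile      /etc/keystone/ssl/certs/server.example.crt
    # Key directory assumed to be the "private" directory next to certs;
    # it should be readable by root only.
    SSLCertificateKeyFile   /etc/keystone/ssl/private/server.example.key
    # Intermediate chain from the CA. On httpd 2.4.8+ this directive is
    # deprecated and the chain can be appended to SSLCertificateFile.
    SSLCertificateChainFile /etc/keystone/ssl/certs/ca-chain.example.crt

    # --- Reverse proxy to the plain-HTTP swift proxy-server ---
    # Off = reverse proxy only; never act as an open forward proxy.
    ProxyRequests     Off
    # Pass the client's Host header through to swift unchanged.
    ProxyPreserveHost On

    # Assumes Apache and swift proxy-server run on the same host.
    # Setting bind_ip = 127.0.0.1 (with bind_port = 8081) in
    # proxy-server.conf keeps the unencrypted port off the network,
    # so clients can only reach swift through this TLS listener.
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>
```

Running `apachectl configtest` before reloading httpd catches syntax errors and missing certificate files.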