diff --git a/doc/source/install-guide/configure-rabbitmq.rst b/doc/source/install-guide/configure-rabbitmq.rst index 087dd5ce25..633b0a39ef 100644 --- a/doc/source/install-guide/configure-rabbitmq.rst +++ b/doc/source/install-guide/configure-rabbitmq.rst @@ -10,17 +10,34 @@ a SSL/TLS encrypted listener on port 5671. Customizing the RabbitMQ deployment is done within ``/etc/openstack_deploy/user_variables.yml``. -Securing RabbitMQ communication with SSL certificates -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Add a TLS encrypted listener to RabbitMQ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The openstack-ansible project provides the ability to secure RabbitMQ -communications with self-signed or user-provided SSL certificates. - -Refer to `Securing services with SSL certificates`_ for available configuration +communications with self-signed or user-provided SSL certificates. Refer to +`Securing services with SSL certificates`_ for available configuration options. .. _Securing services with SSL certificates: configure-sslcertificates.html +Enable encrypted connections to RabbitMQ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +SSL communication between various OpenStack services and RabbitMQ is +controlled via the Ansible variable ``rabbit_use_ssl``: + +.. code-block:: yaml + + rabbit_use_ssl: true + +Setting this variable to ``true`` will adjust the RabbitMQ port to 5671 (the +default SSL/TLS listener port) and enable SSL connectivity between each +OpenStack service and RabbitMQ. + +Setting this variable to ``false`` will disable SSL encryption between +OpenStack services and RabbitMQ. The plaintext port for RabbitMQ, 5672, will +be used for all services. + -------------- .. include:: navigation.txt diff --git a/etc/openstack_deploy/user_variables.yml b/etc/openstack_deploy/user_variables.yml index 810140916b..8d32ca7e42 100644 --- a/etc/openstack_deploy/user_variables.yml +++ b/etc/openstack_deploy/user_variables.yml 
@@ -132,6 +132,12 @@ ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AE #rabbitmq_user_ssl_cert: #rabbitmq_user_ssl_key: #rabbitmq_user_ssl_ca_cert: +# +# By default, openstack-ansible configures all OpenStack services to talk to +# RabbitMQ over encrypted connections on port 5671. To opt-out of this default, +# set the rabbitmq_use_ssl variable to 'false'. The default setting of 'true' +# is highly recommended for securing the contents of RabbitMQ messages. +#rabbitmq_use_ssl: true ## Additional pinning generator that will allow for more packages to be pinned as you see fit. ## All pins allow for package and versions to be defined. Be careful using this as versions diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml index 4798ff3edb..0a055f829f 100644 --- a/playbooks/inventory/group_vars/hosts.yml +++ b/playbooks/inventory/group_vars/hosts.yml @@ -49,9 +49,9 @@ lxc_container_caches: ## RabbitMQ rabbitmq_cluster_name: openstack -rabbitmq_port: 5672 +rabbitmq_port: "{{ (rabbitmq_use_ssl | bool) | ternary(5671, 5672) }}" rabbitmq_servers: "{% for host in groups['rabbitmq_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}" - +rabbitmq_use_ssl: true ## Galera galera_wsrep_cluster_address: "{% for host in groups['galera_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}{% if not loop.last %},{% endif %}{% endfor %}" diff --git a/playbooks/roles/os_aodh/templates/aodh.conf.j2 b/playbooks/roles/os_aodh/templates/aodh.conf.j2 index 4bca3adbef..923b9ce878 100644 --- a/playbooks/roles/os_aodh/templates/aodh.conf.j2 +++ b/playbooks/roles/os_aodh/templates/aodh.conf.j2 @@ -13,6 +13,7 @@ rabbit_userid = {{ aodh_rabbitmq_userid }} rabbit_password = {{ aodh_rabbitmq_password }} rabbit_virtual_host = {{ aodh_rabbitmq_vhost }} rabbit_hosts = {{ rabbitmq_servers }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} [api] port = {{ aodh_service_port }} 
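Review bot: The opt-out knob is named `rabbitmq_use_ssl` in this comment and in hosts.yml, but the configure-rabbitmq.rst hunk of this same commit documents it as `rabbit_use_ssl`, so an operator who copies the documented `rabbit_use_ssl: false` into user_variables.yml sets a variable nothing reads and never notices. The name here is the right one (it is what the `*.conf.j2` templates consume; `rabbit_use_ssl` is the oslo.messaging option they render), so the doc side should be corrected. It would also help to spell out the exposure being accepted, e.g. `# With 'false', service credentials (rabbit_password) and RPC payloads cross the management network in cleartext on 5672.`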
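Review bot: `rabbitmq_servers` still addresses every broker by `hostvars[host]['ansible_ssh_host']`, which is typically a bare IP address in this inventory, and nothing in this group_vars block hands the clients a CA to verify against; flipping the port to 5671 therefore buys encryption but not broker authentication unless the listener certificates carry those addresses as subjectAltNames and the clients are told to verify. A comment next to `rabbitmq_use_ssl: true` would keep that honest, e.g. `# TLS on 5671 encrypts the connection only; verifying the broker additionally needs a CA bundle on the clients and SANs matching the rabbitmq_servers entries.` Note too that `rabbitmq_port` now renders as the string "5671"/"5672" where it used to be the integer 5672; no consumer in this hunk cares, but anything elsewhere comparing it as an int should be checked.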
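Review bot: `rabbit_use_ssl = {{ rabbitmq_use_ssl }}` is added without a matching `kombu_ssl_ca_certs`, and as far as I recall the oslo.messaging kombu driver then wraps the socket in TLS but, with no CA supplied, does not verify the broker certificate, so an attacker on the management network who can intercept the connection can present any certificate and still collect the `rabbit_password` rendered on the line above. The CA that this deployment already knows about on the broker side (`rabbitmq_user_ssl_ca_cert` in user_variables.yml, or the self-signed one) needs to be distributed to the service containers and referenced here, e.g. `{% if rabbitmq_use_ssl | bool %}` / `kombu_ssl_ca_certs = /path/to/rabbitmq-ca.pem` / `{% endif %}`, with the path being whatever the CA-distribution task installs. The same omission is in every `*.conf.j2` touched by this commit (ceilometer, cinder, glance-api, glance-registry, heat, keystone, neutron, nova); the enclosing config section begins above this hunk.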
diff --git a/playbooks/roles/os_ceilometer/templates/ceilometer.conf.j2 b/playbooks/roles/os_ceilometer/templates/ceilometer.conf.j2 index e7517fc8a2..82f56e63c0 100644 --- a/playbooks/roles/os_ceilometer/templates/ceilometer.conf.j2 +++ b/playbooks/roles/os_ceilometer/templates/ceilometer.conf.j2 @@ -16,6 +16,7 @@ rabbit_userid = {{ ceilometer_rabbitmq_userid }} rabbit_password = {{ ceilometer_rabbitmq_password }} rabbit_virtual_host = {{ ceilometer_rabbitmq_vhost }} rabbit_hosts = {{ rabbitmq_servers }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} [api] port = 8777 diff --git a/playbooks/roles/os_cinder/templates/cinder.conf.j2 b/playbooks/roles/os_cinder/templates/cinder.conf.j2 index 9e86bf4e43..74696a1ce0 100644 --- a/playbooks/roles/os_cinder/templates/cinder.conf.j2 +++ b/playbooks/roles/os_cinder/templates/cinder.conf.j2 @@ -119,6 +119,7 @@ rabbit_userid = {{ cinder_rabbitmq_userid }} rabbit_password = {{ cinder_rabbitmq_password }} rabbit_virtual_host = {{ cinder_rabbitmq_vhost }} rabbit_hosts = {{ rabbitmq_servers }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} [oslo_concurrency] lock_path = /var/lock/cinder diff --git a/playbooks/roles/os_glance/templates/glance-api.conf.j2 b/playbooks/roles/os_glance/templates/glance-api.conf.j2 index 4e15443b7b..d52c17b5a0 100644 --- a/playbooks/roles/os_glance/templates/glance-api.conf.j2 +++ b/playbooks/roles/os_glance/templates/glance-api.conf.j2 @@ -87,6 +87,7 @@ rabbit_port = {{ rabbitmq_port }} rabbit_userid = {{ glance_rabbitmq_userid }} rabbit_password = {{ glance_rabbitmq_password }} rabbit_virtual_host = {{ glance_rabbitmq_vhost }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} rabbit_notification_exchange = glance rabbit_notification_topic = notifications diff --git a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 b/playbooks/roles/os_glance/templates/glance-registry.conf.j2 index 4c60a4ad03..571f616fb6 100644 --- a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 
+++ b/playbooks/roles/os_glance/templates/glance-registry.conf.j2 @@ -53,6 +53,7 @@ rabbit_port = {{ rabbitmq_port }} rabbit_userid = {{ glance_rabbitmq_userid }} rabbit_password = {{ glance_rabbitmq_password }} rabbit_virtual_host = {{ glance_rabbitmq_vhost }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} rabbit_notification_exchange = glance rabbit_notification_topic = notifications diff --git a/playbooks/roles/os_heat/templates/heat.conf.j2 b/playbooks/roles/os_heat/templates/heat.conf.j2 index 647aff826f..ffb1e68043 100644 --- a/playbooks/roles/os_heat/templates/heat.conf.j2 +++ b/playbooks/roles/os_heat/templates/heat.conf.j2 @@ -65,6 +65,7 @@ rabbit_userid = {{ heat_rabbitmq_userid }} rabbit_password = {{ heat_rabbitmq_password }} rabbit_virtual_host = {{ heat_rabbitmq_vhost }} rabbit_hosts = {{ rabbitmq_servers }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} [profiler] diff --git a/playbooks/roles/os_keystone/templates/keystone.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.conf.j2 index 7d43ac7933..2550ca1fad 100644 --- a/playbooks/roles/os_keystone/templates/keystone.conf.j2 +++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2 @@ -139,6 +139,7 @@ rabbit_userid = {{ keystone_rabbitmq_userid }} rabbit_password = {{ keystone_rabbitmq_password }} rabbit_virtual_host = {{ keystone_rabbitmq_vhost }} rabbit_hosts = {{ rabbitmq_servers }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} {% if keystone_sp is defined %} [federation] diff --git a/playbooks/roles/os_neutron/templates/neutron.conf.j2 b/playbooks/roles/os_neutron/templates/neutron.conf.j2 index 614d48255f..8dbd01388d 100644 --- a/playbooks/roles/os_neutron/templates/neutron.conf.j2 +++ b/playbooks/roles/os_neutron/templates/neutron.conf.j2 
@@ -173,6 +173,7 @@ rabbit_userid = {{ neutron_rabbitmq_userid }} rabbit_password = {{ neutron_rabbitmq_password }} rabbit_virtual_host = {{ neutron_rabbitmq_vhost }} rabbit_hosts = {{ rabbitmq_servers }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} # Concurrency (locking mechanisms) [oslo_concurrency] diff --git a/playbooks/roles/os_nova/templates/nova.conf.j2 b/playbooks/roles/os_nova/templates/nova.conf.j2 index 398147be11..8449ee3080 100644 --- a/playbooks/roles/os_nova/templates/nova.conf.j2 +++ b/playbooks/roles/os_nova/templates/nova.conf.j2 @@ -220,6 +220,7 @@ rabbit_userid = {{ nova_rabbitmq_userid }} rabbit_password = {{ nova_rabbitmq_password }} rabbit_virtual_host = {{ nova_rabbitmq_vhost }} rabbit_hosts = {{ rabbitmq_servers }} +rabbit_use_ssl = {{ rabbitmq_use_ssl }} [libvirt]