Basic barbican configuration
Usual suspects:
- database
- keystone
- messaging
Services:
- apache web site for APIs
- worker
- keystone-listener
Barbican:
- Crypto plugins configuration fragments
- Support multiple stores
Add some information to README
Change-Id: Ie58a0daf318c99ea0e41c3c9dd5fcc450f356276
diff --git a/README.rst b/README.rst
index af029bc..4d28f57 100644
--- a/README.rst
+++ b/README.rst
@@ -1,7 +1,7 @@
-==================================
-barbican formula
-==================================
+================
+Barbican formula
+================
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets such as passwords, encryption keys and X.509 Certificates.
@@ -11,7 +11,7 @@
Sample pillars
==============
-Single barbican service
+Barbican cluster service
.. code-block:: yaml
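Review bot: "Barbican cluster service" is a bare line with no underline, so RST renders it as an ordinary paragraph rather than a heading (the old "Single barbican service" had the same problem); since this README already uses `====` under "Sample pillars", give the sub-heading a `----` underline here. The rename also promises a clustered layout, so the sample that follows this heading should actually show more than one host for the services it configures.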
@@ -19,6 +19,234 @@
server:
enabled: true
version: ocata
+ host_href: ''
+ is_proxied: true
+ plugin:
+ simple_crypto:
+ kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
+ store:
+ software:
+ crypto_plugin: simple_crypto
+ store_plugin: store_crypto
+ global_default: True
+ database:
+ engine: "mysql+pymysql"
+ host: 10.0.106.20
+ port: 3306
+ name: barbican
+ user: barbican
+ password: password
+ bind:
+ address: 10.0.106.20
+ port: 9311
+ admin_port: 9312
+ identity:
+ engine: keystone
+ host: 10.0.106.20
+ port: 35357
+ domain: default
+ tenant: service
+ user: barbican
+ password: password
+ message_queue:
+ engine: rabbitmq
+ user: openstack
+ password: password
+ virtual_host: '/openstack'
+ members:
+ - host: 10.10.10.10
+ port: 5672
+ - host: 10.10.10.11
+ port: 5672
+ - host: 10.10.10.12
+ port: 5672
+ cache:
+ members:
+ - host: 10.10.10.10
+ port: 11211
+ - host: 10.10.10.11
+ port: 11211
+ - host: 10.10.10.12
+ port: 11211
+
+Running behind loadbalancer
+
+If you are running behind loadbalancer, set the `host_href` to load balancer's
+address. You can set `host_href` empty and the api attempts autodetect correct
+address from http requests.
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ version: ocata
+ host_href: ''
+
+
+Running behind proxy
+
+If you are running behind proxy, set the `is_proxied` parameter to `true`. This
+will allow `host_href` autodetection with help of proxy headers such as
+`X-FORWARDED-FOR` and `X-FORWARDED-PROTO`.
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ version: ocata
+ host_href: ''
+ is_proxied: true
+
+Queuing asynchronous messaging
+
+By default is `async_queues_enable` set `false` to invoke worker tasks
+synchronously (i.e. no-queue standalone mode). To enable queuing asynchronous
+messaging you need to set it true.
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ version: ocata
+ async_queues_enable: true
+
+Keystone notification listener
+
+To enable keystone notification listener, set the `ks_notification_enable`
+to true.
+`ks_notifications_allow_requeue` enables requeue feature in case of
+notification processing error. Enable this only when underlying transport
+supports this feature.
+
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ version: ocata
+ ks_notifications_enable: true
+ ks_notifications_allow_requeue: true
+
+
+Configuring plugins
+-------------------
+
+Dogtag KRA
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ dogtag:
+ pem_path: '/etc/barbican/kra_admin_cert.pem'
+ dogtag_host: localhost
+ dogtag_port: 8433
+ nss_db_path: '/etc/barbican/alias'
+ nss_db_path_ca: '/etc/barbican/alias-ca'
+ nss_password: 'password123'
+ simple_cmc_profile: 'caOtherCert'
+ ca_expiration_time: 1
+ plugin_working_dir: '/etc/barbican/dogtag'
+
+KMIP HSM
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ kmip:
+ username: 'admin'
+ password: 'password'
+ host: localhost
+ port: 5696
+ keyfile: '/path/to/certs/cert.key'
+ certfile: '/path/to/certs/cert.crt'
+ ca_certs: '/path/to/certs/LocalCA.crt'
+
+
+PKCS11 HSM
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ p11_crypto:
+ library_path: '/usr/lib/libCryptoki2_64.so'
+ login: 'mypassword'
+ mkek_label: 'an_mkek'
+ mkek_length: 32
+ hmac_label: 'my_hmac_label'
+
+
+
+Software Only Crypto
+
+`kek` is key encryption key created from 32 bytes encoded as Base64. You should
+not use this in production.
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ simple_crypto:
+ kek: 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
+
+
+Secret stores
+-------------
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ simple_crypto:
+ kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
+ p11_crypto:
+ library_path: '/usr/lib/libCryptoki2_64.so'
+ login: 'mypassword'
+ mkek_label: 'an_mkek'
+ mkek_length: 32
+ hmac_label: 'my_hmac_label'
+ kmip:
+ username: 'admin'
+ password: 'password'
+ host: localhost
+ port: 5696
+ keyfile: '/path/to/certs/cert.key'
+ certfile: '/path/to/certs/cert.crt'
+ ca_certs: '/path/to/certs/LocalCA.crt'
+ dogtag:
+ pem_path: '/etc/barbican/kra_admin_cert.pem'
+ dogtag_host: localhost
+ dogtag_port: 8433
+ nss_db_path: '/etc/barbican/alias'
+ nss_db_path_ca: '/etc/barbican/alias-ca'
+ nss_password: 'password123'
+ simple_cmc_profile: 'caOtherCert'
+ ca_expiration_time: 1
+ plugin_working_dir: '/etc/barbican/dogtag'
+ store:
+ software:
+ crypto_plugin: simple_crypto
+ store_plugin: store_crypto
+ global_default: True
+ kmip:
+ store_plugin: kmip_plugin
+ dogtag:
+ store_plugin: dogtag_plugin
+ pkcs11:
+ store_plugin: store_crypto
+ crypto_plugin: p11_crypto
+
Documentation and Bugs
======================
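Review bot: the four `.. code block:: yaml` directives (under Dogtag KRA, KMIP HSM, PKCS11 HSM and Software Only Crypto) are missing the hyphen; RST treats `.. code block::` as a comment, so those YAML samples are silently dropped from the rendered page. Change each to `.. code-block:: yaml`, as the other samples in this hunk already use. The prose says `ks_notification_enable` while the sample sets `ks_notifications_enable`; use the name the formula actually reads. The "Running behind proxy" paragraph needs a caveat: once `is_proxied` is true, host_href autodetection trusts `X-FORWARDED-FOR` and `X-FORWARDED-PROTO`, so it must only be enabled when the proxy in front overwrites those headers instead of passing client-supplied values through, otherwise a client can steer the hrefs returned in API responses. The sample `kek` decodes to the ASCII string abcdefghijklmnopqrstuvwxyz123456 and is repeated in two samples; the "not for production" warning should also say how to produce a real one (32 random bytes, base64-encoded). Minor: `global_default: True` versus the lower-case `true` used everywhere else; the new sub-headings (Running behind loadbalancer, Running behind proxy, Queuing asynchronous messaging, Keystone notification listener, Dogtag KRA, KMIP HSM, PKCS11 HSM, Software Only Crypto) have no underline and so render as plain paragraphs; `dogtag_port: 8433` looks like a transposition of Dogtag's usual 8443 and is worth confirming; and "By default is `async_queues_enable` set `false`" reads better as "`async_queues_enable` defaults to `false`".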