================
Barbican formula
================

Barbican is a REST API designed for the secure storage, provisioning and
management of secrets such as passwords, encryption keys and X.509 certificates.
It is aimed at being useful for all environments, including large ephemeral
clouds.

Sample pillars
==============

Barbican cluster service

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''
        is_proxied: true
        plugin:
          simple_crypto:
            kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
        store:
          software:
            crypto_plugin: simple_crypto
            store_plugin: store_crypto
            global_default: True
        database:
          engine: "mysql+pymysql"
          host: 10.0.106.20
          port: 3306
          name: barbican
          user: barbican
          password: password
        bind:
          address: 10.0.106.20
          port: 9311
          admin_port: 9312
        identity:
          engine: keystone
          host: 10.0.106.20
          port: 35357
          domain: default
          tenant: service
          user: barbican
          password: password
        message_queue:
          engine: rabbitmq
          user: openstack
          password: password
          virtual_host: '/openstack'
          members:
          - host: 10.10.10.10
            port: 5672
          - host: 10.10.10.11
            port: 5672
          - host: 10.10.10.12
            port: 5672
        cache:
          members:
          - host: 10.10.10.10
            port: 11211
          - host: 10.10.10.11
            port: 11211
          - host: 10.10.10.12
            port: 11211

Running behind loadbalancer

If you are running behind a load balancer, set `host_href` to the load
balancer's address. If `host_href` is left empty, the API attempts to autodetect
the correct address from the incoming HTTP requests.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''


Running behind proxy

If you are running behind a proxy, set the `is_proxied` parameter to `true`.
This allows `host_href` autodetection to use proxy headers such as
`X-FORWARDED-FOR` and `X-FORWARDED-PROTO`.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''
        is_proxied: true

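The two sections above describe how the address Barbican puts into the secret
references it returns is chosen: an explicit `host_href` wins, otherwise it is
derived from the request, and with `is_proxied` the forwarded headers are
consulted. The following is an added illustration written for this README, not
Barbican's or the formula's own code. It models that decision and shows the
check a deployment behind a proxy should have: forwarded headers are only
honoured when the request actually arrived from the configured proxy, otherwise
any client could choose the scheme and host that end up in every `secret_ref`.
The `X-Forwarded-Host` header, the `trusted_proxies` argument and the addresses
in the sample requests are assumptions made for the example.

```python
"""Added example (not part of the barbican formula): a model of how an empty
host_href is resolved from a request, and why forwarded headers should only be
trusted from the configured proxy."""
from ipaddress import ip_address, ip_network


def _from_trusted_proxy(remote_addr, trusted_proxies):
    """True when the TCP peer is inside one of the proxy networks we configured."""
    addr = ip_address(remote_addr)
    return any(addr in ip_network(net) for net in trusted_proxies)


def resolve_host_href(host_href, is_proxied, headers, remote_addr,
                      trusted_proxies=("10.0.106.0/24",)):
    """Return the base URL to use in secret references for one request.

    host_href      -- the pillar value; non-empty means "always use this"
    is_proxied     -- the pillar flag; allows X-Forwarded-* to override
    headers        -- request headers (any case), e.g. {"Host": "..."}
    remote_addr    -- address of the TCP peer that sent the request
    trusted_proxies-- networks whose forwarded headers we accept (assumed)
    """
    # 1. The load balancer case: an explicit host_href always wins.
    if host_href:
        return host_href.rstrip("/")

    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    scheme = "http"
    host = h.get("host", "")

    # 2. Forwarded headers only mean something when a proxy we control wrote
    #    them. A request straight from a client keeps the plain Host header.
    if is_proxied and _from_trusted_proxy(remote_addr, trusted_proxies):
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip().lower()
        host = h.get("x-forwarded-host", host).split(",")[0].strip()

    if scheme not in ("http", "https") or not host:
        raise ValueError("cannot derive host_href from request")
    return f"{scheme}://{host}"


if __name__ == "__main__":
    # Constructed request as a TLS-terminating proxy at 10.0.106.20 would send it.
    proxied = {"Host": "10.0.106.20:9311",
               "X-Forwarded-Proto": "https",
               "X-Forwarded-Host": "barbican.example.net"}
    print(resolve_host_href("", True, proxied, "10.0.106.20"))
    # The same headers arriving directly from an outside address are ignored.
    print(resolve_host_href("", True, proxied, "203.0.113.5"))
```

With `host_href` set, the headers are never consulted, which is the simplest
and safest configuration behind a load balancer; the autodetection path is
only worth enabling when the proxy addresses are known and pinned as above.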
Queuing asynchronous messaging

`async_queues_enable` defaults to `false`, so worker tasks are invoked
synchronously (i.e. no-queue standalone mode). To queue them for asynchronous
processing, set it to `true`.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        async_queues_enable: true

Keystone notification listener

To enable the Keystone notification listener, set `ks_notifications_enable`
to `true`.
`ks_notifications_allow_requeue` enables requeueing when notification
processing fails. Enable this only when the underlying transport supports
the feature.


.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        ks_notifications_enable: true
        ks_notifications_allow_requeue: true


MySQL server has gone away

MySQL uses a default `wait_timeout` of 8 hours, after which it drops idle
connections. This can result in 'MySQL server has gone away' exceptions. If you
notice them, lower `sql_idle_timeout` so that SQLAlchemy reconnects before
MySQL can drop the connection. If you run MySQL behind HAProxy, you also need
to consider the HAProxy client/server timeout parameters.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        database:
          engine: "mysql+pymysql"
          host: 10.0.106.20
          port: 3306
          name: barbican
          user: barbican
          password: password
          sql_idle_timeout: 180


Petr Jediný1ff6f562017-08-09 14:38:09 +0200159Configuring plugins
160-------------------
161
162Dogtag KRA
163
164.. code block:: yaml
165
166 barbican:
167 server:
168 plugin:
169 dogtag:
170 pem_path: '/etc/barbican/kra_admin_cert.pem'
171 dogtag_host: localhost
Petr Jedinýdcc90f82017-10-02 13:46:10 +0200172 dogtag_port: 8443
Petr Jediný1ff6f562017-08-09 14:38:09 +0200173 nss_db_path: '/etc/barbican/alias'
174 nss_db_path_ca: '/etc/barbican/alias-ca'
175 nss_password: 'password123'
176 simple_cmc_profile: 'caOtherCert'
177 ca_expiration_time: 1
178 plugin_working_dir: '/etc/barbican/dogtag'
179
180KMIP HSM
181
182.. code block:: yaml
183
184 barbican:
185 server:
186 plugin:
187 kmip:
188 username: 'admin'
189 password: 'password'
190 host: localhost
191 port: 5696
192 keyfile: '/path/to/certs/cert.key'
193 certfile: '/path/to/certs/cert.crt'
194 ca_certs: '/path/to/certs/LocalCA.crt'
195
196
197PKCS11 HSM
198
199.. code block:: yaml
200
201 barbican:
202 server:
203 plugin:
204 p11_crypto:
205 library_path: '/usr/lib/libCryptoki2_64.so'
206 login: 'mypassword'
207 mkek_label: 'an_mkek'
208 mkek_length: 32
209 hmac_label: 'my_hmac_label'
210
211
212
213Software Only Crypto
214
215`kek` is key encryption key created from 32 bytes encoded as Base64. You should
216not use this in production.
217
218.. code block:: yaml
219
220 barbican:
221 server:
222 plugin:
223 simple_crypto:
224 kek: 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
225
226
227Secret stores
228-------------
229
230.. code-block:: yaml
231
232 barbican:
233 server:
234 plugin:
235 simple_crypto:
236 kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
237 p11_crypto:
238 library_path: '/usr/lib/libCryptoki2_64.so'
239 login: 'mypassword'
240 mkek_label: 'an_mkek'
241 mkek_length: 32
242 hmac_label: 'my_hmac_label'
243 kmip:
244 username: 'admin'
245 password: 'password'
246 host: localhost
247 port: 5696
248 keyfile: '/path/to/certs/cert.key'
249 certfile: '/path/to/certs/cert.crt'
250 ca_certs: '/path/to/certs/LocalCA.crt'
251 dogtag:
252 pem_path: '/etc/barbican/kra_admin_cert.pem'
253 dogtag_host: localhost
Petr Jedinýdcc90f82017-10-02 13:46:10 +0200254 dogtag_port: 8443
Petr Jediný1ff6f562017-08-09 14:38:09 +0200255 nss_db_path: '/etc/barbican/alias'
256 nss_db_path_ca: '/etc/barbican/alias-ca'
257 nss_password: 'password123'
258 simple_cmc_profile: 'caOtherCert'
259 ca_expiration_time: 1
260 plugin_working_dir: '/etc/barbican/dogtag'
261 store:
262 software:
263 crypto_plugin: simple_crypto
264 store_plugin: store_crypto
265 global_default: True
266 kmip:
267 store_plugin: kmip_plugin
268 dogtag:
Petr Jedinýdcc90f82017-10-02 13:46:10 +0200269 store_plugin: dogtag_crypto
Petr Jediný1ff6f562017-08-09 14:38:09 +0200270 pkcs11:
271 store_plugin: store_crypto
272 crypto_plugin: p11_crypto
273
Petr Jedinýdd6387a2017-08-01 15:50:17 +0200274
275Documentation and Bugs
276======================
277
278To learn how to install and update salt-formulas, consult the documentation
279available online at:
280
281 http://salt-formulas.readthedocs.io/
282
283In the unfortunate event that bugs are discovered, they should be reported to
284the appropriate issue tracker. Use GitHub issue tracker for specific salt
285formula:
286
287 https://github.com/salt-formulas/salt-formula-barbican/issues
288
289For feature requests, bug reports or blueprints affecting entire ecosystem,
290use Launchpad salt-formulas project:
291
292 https://launchpad.net/salt-formulas
293
294Developers wishing to work on the salt-formulas projects should always base
295their work on master branch and submit pull request against specific formula.
296
297You should also subscribe to mailing list (salt-formulas@freelists.org):
298
299 https://www.freelists.org/list/salt-formulas
300
301Any questions or feedback is always welcome so feel free to join our IRC
302channel:
303
304 #salt-formulas @ irc.freenode.net
305
306Read more
307=========
308
309* https://docs.openstack.org/barbican/latest/