================
Barbican formula
================

Barbican is a REST API designed for the secure storage, provisioning and
management of secrets such as passwords, encryption keys and X.509 certificates.
It is aimed at being useful for all environments, including large ephemeral
clouds.

Sample pillars
==============

Barbican cluster service
------------------------

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''
        is_proxied: true
        plugin:
          simple_crypto:
            kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
        store:
          software:
            crypto_plugin: simple_crypto
            store_plugin: store_crypto
            global_default: True
        database:
          engine: "mysql+pymysql"
          host: 10.0.106.20
          port: 3306
          name: barbican
          user: barbican
          password: password
        bind:
          address: 10.0.106.20
          port: 9311
          admin_port: 9312
        identity:
          engine: keystone
          host: 10.0.106.20
          port: 35357
          domain: default
          tenant: service
          user: barbican
          password: password
        message_queue:
          engine: rabbitmq
          user: openstack
          password: password
          virtual_host: '/openstack'
          members:
          - host: 10.10.10.10
            port: 5672
          - host: 10.10.10.11
            port: 5672
          - host: 10.10.10.12
            port: 5672
        cache:
          members:
          - host: 10.10.10.10
            port: 11211
          - host: 10.10.10.11
            port: 11211
          - host: 10.10.10.12
            port: 11211

Running behind loadbalancer
---------------------------

If you are running behind a load balancer, set `host_href` to the load
balancer's address. If you leave `host_href` empty, the API attempts to
autodetect the correct address from the HTTP requests it receives.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''


Running behind proxy
--------------------

If you are running behind a proxy, set the `is_proxied` parameter to `true`.
This allows `host_href` autodetection with the help of proxy headers such as
`X-FORWARDED-FOR` and `X-FORWARDED-PROTO`.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''
        is_proxied: true
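
The autodetection described above, illustrated as an added Python example
that is not Barbican's or this formula's code: the base URL used in resource
references either comes from a pinned `host_href` or is derived from the
request, and the forwarded headers are honoured only when `is_proxied` is set.
The `X-Forwarded-Host` header name, the request dictionary shape and the
sample request are assumptions constructed for this example; the
`/v1/secrets/<uuid>` reference layout is Barbican's.

```python
"""How a service behind a proxy derives its public base URL (host_href).

Added illustration, not Barbican's or the salt formula's own code.
"""
from urllib.parse import urlunsplit

# Header names: X-Forwarded-Proto is mentioned in the README; X-Forwarded-Host
# is an assumption of this example (the proxy forwards the public host).
FORWARDED_PROTO = "X-Forwarded-Proto"
FORWARDED_HOST = "X-Forwarded-Host"

# Constructed sample: a request as the backend sees it after a TLS-terminating
# proxy forwarded it over plain HTTP to the bind address.
SAMPLE_REQUEST = {
    "scheme": "http",
    "host": "10.0.106.20:9311",
    "headers": {"X-Forwarded-Proto": "https",
                "X-Forwarded-Host": "barbican.example.com"},
}


def derive_host_href(host_href, is_proxied, request):
    """Return the base URL to embed in API responses.

    A non-empty host_href wins (load balancer case). Otherwise the URL is
    rebuilt from the request; forwarded headers are consulted only when the
    operator declared a proxy with is_proxied, because any client can send
    such headers when no proxy strips and re-sets them.
    """
    if host_href:
        return host_href.rstrip("/")
    headers = {k.lower(): v for k, v in request["headers"].items()}
    scheme, host = request["scheme"], request["host"]
    if is_proxied:
        scheme = headers.get(FORWARDED_PROTO.lower(), scheme)
        host = headers.get(FORWARDED_HOST.lower(), host)
    return urlunsplit((scheme, host, "", "", ""))


def secret_ref(host_href, secret_id):
    """Barbican-style reference handed back to clients; a wrong host_href
    produces references that clients cannot follow."""
    return f"{host_href}/v1/secrets/{secret_id}"
```

The operational consequence is that `is_proxied: true` makes the forwarded
headers authoritative, so the proxy must be the only path to the bind address
and must set those headers itself; with `is_proxied` false they are ignored and
the reference is built from the address the backend itself received.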
101
102Queuing asynchronous messaging
103
104By default is `async_queues_enable` set `false` to invoke worker tasks
105synchronously (i.e. no-queue standalone mode). To enable queuing asynchronous
106messaging you need to set it true.
107
108.. code-block:: yaml
109
110 barbican:
111 server:
112 enabled: true
113 version: ocata
114 async_queues_enable: true
115
116Keystone notification listener
117
118To enable keystone notification listener, set the `ks_notification_enable`
119to true.
120`ks_notifications_allow_requeue` enables requeue feature in case of
121notification processing error. Enable this only when underlying transport
122supports this feature.
123
124
125.. code-block:: yaml
126
127 barbican:
128 server:
129 enabled: true
130 version: ocata
131 ks_notifications_enable: true
132 ks_notifications_allow_requeue: true
133
134
Petr Jediný6e745fb2017-09-05 10:20:05 +0200135MySQL server has gone away
136
137MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
138idle connections. This can result in 'MySQL Gone Away' exceptions. If you
139notice this, you can lower `sql_idle_timeout` to ensure that SQLAlchemy
Petr Jediný09886ec2017-09-06 22:20:38 +0200140reconnects before MySQL can drop the connection. If you run MySQL with HAProxy
141you need to consider haproxy client/server timeout parameters.
Petr Jediný6e745fb2017-09-05 10:20:05 +0200142
143.. code-block:: yaml
144
145 barbican:
146 server:
147 enabled: true
148 version: ocata
149 database:
150 engine: "mysql+pymysql"
151 host: 10.0.106.20
152 port: 3306
153 name: barbican
154 user: barbican
155 password: password
Petr Jediný09886ec2017-09-06 22:20:38 +0200156 sql_idle_timeout: 180
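
A consistency check for the timeouts discussed above, as an added Python
example that is not part of this formula: `sql_idle_timeout` must be below
MySQL's `wait_timeout` and below every HAProxy timeout on the path, and HAProxy
timeouts are written with unit suffixes (milliseconds when no unit is given),
so the check parses them before comparing. The HAProxy values and the check
function names are constructed for this example.

```python
"""Check sql_idle_timeout against the idle limits between barbican and MySQL.

Added example; not code from the barbican formula.
"""
import re

# HAProxy time units; a bare number means milliseconds.
_UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample of an haproxy.cfg fragment in front of MySQL.
SAMPLE_HAPROXY_TIMEOUTS = {"timeout client": "1h", "timeout server": "1h"}


def parse_haproxy_timeout(value):
    """Convert an HAProxy timeout string such as '30m' or '500' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*(us|ms|s|m|h|d)?\s*", str(value))
    if not m:
        raise ValueError(f"unparseable haproxy timeout: {value!r}")
    number, unit = int(m.group(1)), m.group(2)
    return number * _UNITS[unit] if unit else number / 1000.0


def check_idle_timeout(sql_idle_timeout, mysql_wait_timeout=28800,
                       haproxy_timeouts=None):
    """Return findings as strings; an empty list means the values are consistent.

    sql_idle_timeout and mysql_wait_timeout are in seconds (28800 is MySQL's
    8 hour default). haproxy_timeouts maps a directive name to its value.
    """
    limits = {"mysql wait_timeout": float(mysql_wait_timeout)}
    for name, value in (haproxy_timeouts or {}).items():
        limits[f"haproxy {name}"] = parse_haproxy_timeout(value)
    findings = []
    for name, limit in limits.items():
        # Equal is not enough: the recycle must happen strictly before the drop.
        if sql_idle_timeout >= limit:
            findings.append(
                f"sql_idle_timeout={sql_idle_timeout}s is not below "
                f"{name}={limit:g}s; connections may be dropped before "
                "SQLAlchemy recycles them")
    return findings
```

The pillar value of 180 seconds from the example above passes against the
default `wait_timeout` and one-hour HAProxy timeouts; leaving
`sql_idle_timeout` at or above any of those limits is reported.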
Petr Jediný6e745fb2017-09-05 10:20:05 +0200157
158
Kirill Bespalov95aa8022017-10-31 16:35:06 +0300159Configuring TLS communications
160------------------------------
161
Kirill Bespalov8d133302017-11-01 12:14:28 +0300162In order to trust remote server's certificate during establishing tls
163connection the CA cert must be provided at client side. By default
164system wide installed CA certs are used. You can change this behavior
165by specifying cacert_file and cacert params (optional).
166See examples below:
167
168
169- **RabbitMQ**
Kirill Bespalov95aa8022017-10-31 16:35:06 +0300170
171.. code-block:: yaml
172
173 barbican:
174 server:
175 message_queue:
176 port: 5671
177 ssl:
178 enabled: True
179 cacert: cert body if the cacert_file does not exists
180 cacert_file: /etc/openstack/rabbitmq-ca.pem
181
182
Kirill Bespalov8d133302017-11-01 12:14:28 +0300183- **MySQL**
184
185.. code-block:: yaml
186
187 barbican:
188 server:
189 database:
190 ssl:
191 enabled: True
192 cacert: cert body if the cacert_file does not exists
193 cacert_file: /etc/openstack/mysql-ca.pem
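
How a client can turn the `ssl` pillar section above into a verifying TLS
context, as an added Python example that is not the formula's own code: the
lookup order (`cacert_file` if it exists on disk, else the inline `cacert`
body, else the system trust store) follows the pillar comments, and
verification is never relaxed when a CA source is missing. The sample pillar
dictionary, its placeholder certificate body and the nonexistent file path are
constructed for this example.

```python
"""Build a verifying client SSLContext from a barbican ``ssl`` pillar section.

Added example; not code from barbican or the salt formula.
"""
import os
import ssl

# Constructed sample: the file does not exist, so the inline body is used.
SAMPLE_SSL_CFG = {
    "enabled": True,
    "cacert": "-----BEGIN CERTIFICATE-----\n(placeholder, not a real cert)\n"
              "-----END CERTIFICATE-----\n",
    "cacert_file": "/nonexistent/rabbitmq-ca.pem",
}


def select_ca_source(ssl_cfg):
    """Return ('disabled', None), ('file', path), ('inline', pem) or ('system', None)."""
    if not ssl_cfg or not ssl_cfg.get("enabled"):
        return ("disabled", None)
    path = ssl_cfg.get("cacert_file")
    if path and os.path.isfile(path):
        return ("file", path)
    body = ssl_cfg.get("cacert")
    if body and "BEGIN CERTIFICATE" in body:
        return ("inline", body)
    return ("system", None)


def build_client_context(ssl_cfg):
    """Return an SSLContext that verifies the peer, or None when TLS is off.

    A CA source that fails to load raises from the ssl module; it must not
    be caught and turned into a context without verification.
    """
    source, value = select_ca_source(ssl_cfg)
    if source == "disabled":
        return None
    if source == "file":
        ctx = ssl.create_default_context(cafile=value)
    elif source == "inline":
        ctx = ssl.create_default_context(cadata=value)
    else:
        ctx = ssl.create_default_context()  # system-wide CA bundle
    # create_default_context already sets these; restate so a later edit
    # cannot silently weaken the context.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

Whether the RabbitMQ or the MySQL client library is the consumer, the property
worth checking in review is the same: `check_hostname` stays on and
`verify_mode` is `CERT_REQUIRED` for every branch, so a missing `cacert_file`
falls back to another CA source, never to unverified TLS.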
194
Kirill Bespalov95aa8022017-10-31 16:35:06 +0300195
Petr Jediný1ff6f562017-08-09 14:38:09 +0200196Configuring plugins
197-------------------
198
199Dogtag KRA
200
201.. code block:: yaml
202
203 barbican:
204 server:
205 plugin:
206 dogtag:
207 pem_path: '/etc/barbican/kra_admin_cert.pem'
208 dogtag_host: localhost
Petr Jedinýdcc90f82017-10-02 13:46:10 +0200209 dogtag_port: 8443
Petr Jediný1ff6f562017-08-09 14:38:09 +0200210 nss_db_path: '/etc/barbican/alias'
211 nss_db_path_ca: '/etc/barbican/alias-ca'
212 nss_password: 'password123'
213 simple_cmc_profile: 'caOtherCert'
214 ca_expiration_time: 1
215 plugin_working_dir: '/etc/barbican/dogtag'
216
Oleg Iurchenko622ef902017-12-13 01:40:04 +0200217There are few sources (engines) to define KRA admin cert:
218Engine #1: Define KRA admin cert by pillar.
219To define KRA admin cert by pillar need to define the following:
220.. code block:: yaml
221 barbican:
222 server:
223 dogtag_admin_cert:
224 engine: manual
225 key: |
226 ... key data ...
227Engine #2: Receive DogTag cert from Salt Mine.
228DogTag formula sends KRA cert to dogtag_admin_cert mine function.
229.. code block:: yaml
230 barbican:
231 server:
232 dogtag_admin_cert:
233 engine: mine
234 minion: ...name of minion which has installed DogTag..
235Engine #3: No operations.
236In case of some additional steps to install KRA certificate which
237are out of scope for the formula, the formula has 'noop' engine
238to perform no operations. If 'noop' engine is defined the formula will
239do nothing to install KRA admin cert.
240.. code block:: yaml
241 barbican:
242 server:
243 dogtag_admin_cert:
244 engine: noop
245
Petr Jediný1ff6f562017-08-09 14:38:09 +0200246KMIP HSM
247
248.. code block:: yaml
249
250 barbican:
251 server:
252 plugin:
253 kmip:
254 username: 'admin'
255 password: 'password'
256 host: localhost
257 port: 5696
258 keyfile: '/path/to/certs/cert.key'
259 certfile: '/path/to/certs/cert.crt'
260 ca_certs: '/path/to/certs/LocalCA.crt'
261
262
263PKCS11 HSM
264
265.. code block:: yaml
266
267 barbican:
268 server:
269 plugin:
270 p11_crypto:
271 library_path: '/usr/lib/libCryptoki2_64.so'
272 login: 'mypassword'
273 mkek_label: 'an_mkek'
274 mkek_length: 32
275 hmac_label: 'my_hmac_label'
276
277
278
279Software Only Crypto
280
281`kek` is key encryption key created from 32 bytes encoded as Base64. You should
282not use this in production.
283
284.. code block:: yaml
285
286 barbican:
287 server:
288 plugin:
289 simple_crypto:
290 kek: 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
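
Generating a production `kek` and checking the one found in a pillar, as an
added Python example that is neither barbican's nor the formula's code. It
enforces the 32-byte rule from the text and rejects the sample value that this
README ships (it decodes to the ASCII string
`abcdefghijklmnopqrstuvwxyz123456`, which is why it must not be used in
production); the function names and the printable-ASCII heuristic are this
example's own.

```python
"""Generate or validate the simple_crypto ``kek`` (32 bytes, Base64).

Added example; not code from barbican or the salt formula.
"""
import base64
import binascii
import os

KEK_BYTES = 32

# The value shipped in this README's pillar examples; it is public and must
# never be the key that protects real secrets.
DOCUMENTED_SAMPLE_KEKS = {"YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="}


def generate_kek():
    """Return a fresh Base64-encoded 32-byte key from the OS CSPRNG."""
    return base64.b64encode(os.urandom(KEK_BYTES)).decode("ascii")


def check_kek(kek):
    """Return a list of problems with a pillar kek value; empty means acceptable."""
    try:
        raw = base64.b64decode(kek, validate=True)
    except (binascii.Error, ValueError):
        return ["kek is not valid Base64"]
    problems = []
    if len(raw) != KEK_BYTES:
        problems.append(f"kek decodes to {len(raw)} bytes, expected {KEK_BYTES}")
    if kek in DOCUMENTED_SAMPLE_KEKS:
        problems.append("kek is the documented sample value; generate a unique one")
    elif all(32 <= b < 127 for b in raw):
        # 32 random bytes are practically never all printable ASCII; a value
        # that is was typed by a person rather than drawn from a CSPRNG.
        problems.append("kek decodes to printable ASCII; it does not look "
                        "randomly generated")
    return problems
```

Run `check_kek` against the `kek` of every environment's pillar before it is
applied; `generate_kek` gives a value that passes, and the Base64 wrapper is
the only transformation barbican expects around the raw 32 bytes.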


Secret stores
-------------

.. code-block:: yaml

    barbican:
      server:
        plugin:
          simple_crypto:
            kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
          p11_crypto:
            library_path: '/usr/lib/libCryptoki2_64.so'
            login: 'mypassword'
            mkek_label: 'an_mkek'
            mkek_length: 32
            hmac_label: 'my_hmac_label'
          kmip:
            username: 'admin'
            password: 'password'
            host: localhost
            port: 5696
            keyfile: '/path/to/certs/cert.key'
            certfile: '/path/to/certs/cert.crt'
            ca_certs: '/path/to/certs/LocalCA.crt'
          dogtag:
            pem_path: '/etc/barbican/kra_admin_cert.pem'
            dogtag_host: localhost
            dogtag_port: 8443
            nss_db_path: '/etc/barbican/alias'
            nss_db_path_ca: '/etc/barbican/alias-ca'
            nss_password: 'password123'
            simple_cmc_profile: 'caOtherCert'
            ca_expiration_time: 1
            plugin_working_dir: '/etc/barbican/dogtag'
        store:
          software:
            crypto_plugin: simple_crypto
            store_plugin: store_crypto
            global_default: True
          kmip:
            store_plugin: kmip_plugin
          dogtag:
            store_plugin: dogtag_crypto
          pkcs11:
            store_plugin: store_crypto
            crypto_plugin: p11_crypto

Creating resources in barbican
------------------------------

To create a secret in barbican with the payload read from a file, the
following pillar can be used:

.. code-block:: yaml

    barbican:
      client:
        enabled: True
        resources:
          v1:
            enabled: true
            cloud_name: admin_identity
            secrets:
              TestSecret:
                type: certificate
                algorithm: RSA
                payload_content_type: application/octet-stream
                payload_content_encoding: base64
                payload_path: /tmp/test.crt
                encodeb64_payload: true



Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-barbican/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula.

You should also subscribe to the mailing list (salt-formulas@freelists.org):

    https://www.freelists.org/list/salt-formulas

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net

Read more
=========

* https://docs.openstack.org/barbican/latest/