Deploy Barbican with the Dogtag back end

Deploy Barbican with the Dogtag back endΒΆ

You can deploy and configure Barbican to work with the private Key Recovery Agent (KRA) Dogtag back end.

Before you proceed with the deployment, make sure that you have a running Dogtag back end. If you do not have a Dogtag back end yet, deploy it as described in Deploy Dogtag.

To deploy Barbican with the Dogtag back end:

  1. Open the classes/cluster/<cluster_name>/ directory of your Git project repository.

  2. In infra/config/init.yml, add the following class:

    classes:
    - system.keystone.client.service.barbican
    
  3. In openstack/control.yml, modify the classes and parameters sections:

    classes:
    - system.apache.server.site.barbican
    - system.galera.server.database.barbican
    - system.barbican.server.cluster
    - service.barbican.server.plugin.dogtag
    ...
    parameters:
      _param:
        apache_barbican_api_address: ${_param:cluster_local_address}
        apache_barbican_api_host: ${_param:single_address}
        apache_barbican_ssl: ${_param:nginx_proxy_ssl}
        barbican_dogtag_nss_password: workshop
        barbican_dogtag_host: ${_param:cluster_vip_address}
      ...
        barbican:
          server:
            enabled: true
            dogtag_admin_cert:
              engine: mine
              minion: ${_param:dogtag_master_host}
            ks_notifications_enable: True
            store:
              software:
                store_plugin: dogtag_crypto
                global_default: True
            plugin:
              dogtag:
                port: ${_param:haproxy_dogtag_bind_port}
        nova:
          controller:
            barbican:
              enabled: ${_param:barbican_integration_enabled}
        cinder:
          controller:
            barbican:
              enabled: ${_param:barbican_integration_enabled}
        glance:
          server:
            barbican:
              enabled: ${_param:barbican_integration_enabled}
    
  4. In openstack/init.yml, modify the parameters section. For example:

    parameters:
      _param:
        ...
        barbican_service_protocol: ${_param:cluster_internal_protocol}
        barbican_service_host: ${_param:openstack_control_address}
        barbican_version: ${_param:openstack_version}
        mysql_barbican_password: workshop
        keystone_barbican_password: workshop
        barbican_dogtag_host: "dogtag.example.com"
        barbican_dogtag_nss_password: workshop
        barbican_integration_enabled: true
    
  5. In openstack/proxy.yml, add the following class:

    classes:
    - system.nginx.server.proxy.openstack.barbican
    
  6. Optional. Enable image verification:

    1. In openstack/compute/init.yml, add the following parameters:

      parameters:
        _param:
          nova:
            compute:
              barbican:
                enabled: ${_param:barbican_integration_enabled}
      
    2. In openstack/control.yml, add the following parameters:

      parameters:
        _param:
          nova:
            controller:
              barbican:
                enabled: ${_param:barbican_integration_enabled}
      

    Note

    This configuration changes the requirement to the Glance image upload procedure. All glance images will have to be updated with signature information. For details, see: OpenStack Nova and OpenStack Glance documentation.

  7. Optional. In openstack/control.yml, enable volume encryption supported by the key manager:

    parameters:
      _param:
        cinder:
          volume:
            barbican:
              enabled: ${_param:barbican_integration_enabled}
    
  8. Optional. In init.yml, add the following parameters if you plan to use a self-signed certificate managed by Salt:

    parameters:
      _param:
        salt:
          minion:
            trusted_ca_minions:
              - cfg01
    
  9. Distribute the Dogtag KRA certificate from the Dogtag node to the Barbican nodes. Select from the following options (engines):

    • Define the KRA admin certificate manually in pillar by editing the infra/openstack/control.yml file:

      barbican:
        server:
          dogtag_admin_cert:
            engine: manual
            key: |
            <key_data>
      
    • Receive the Dogtag certificate from Salt Mine. The Dogtag formula sends the KRA certificate to the dogtag_admin_cert Mine function. Add the following to infra/openstack/control.yml:

      barbican:
        server:
          dogtag_admin_cert:
            engine: mine
            minion: <dogtag_minion_node_name>
      
    • If some additional steps were applied to install the KRA certificate and these steps are out of scope of the Barbican formula, the formula has the noop engine to perform no operations. If the noop engine is defined in infra/openstack/control.yml, the Barbican formula does nothing to install the KRA admin certificate.

      barbican:
        server:
          dogtag_admin_cert:
            engine: noop
      

      In this case, manually populate the Dogtag KRA certificate in /etc/barbican/kra_admin_cert.pem on the Barbican nodes.

  10. Commit and push the changes to the project Git repository.

  11. Log in to the Salt Master node.

  12. Update your Salt formulas at the system level:

    1. Change the directory to /srv/salt/reclass.

    2. Run the git pull origin master command.

    3. Run the salt-call state.sls salt.master command.

  13. If you enabled the usage of a self-signed certificate managed by Salt, apply the following state:

    salt -C 'I@salt:minion' state.apply salt.minion
    
  14. Apply the following states:

    salt -C 'I@keystone:client' state.sls keystone.client
    salt -C 'I@galera:master' state.sls galera.server
    salt -C 'I@galera:slave' state.apply galera
    salt -C 'I@nginx:server' state.sls nginx
    salt -C 'I@barbican:server and *01*' state.sls barbican.server
    salt -C 'I@barbican:server' state.sls barbican.server
    salt -C 'I@barbican:client' state.sls barbican.client
    
  15. If you enabled image verification by Nova, apply the following states:

    salt -C 'I@nova:controller' state.sls nova -b 1
    salt -C 'I@nova:compute' state.sls nova
    
  16. If you enabled volume encryption supported by the key manager, apply the following state:

    salt -C 'I@cinder:controller' state.sls cinder -b 1
    
  17. If you have async workers enabled, restart the Barbican worker service:

    salt -C 'I@barbican:server' service.restart barbican-worker
    
  18. Restart the Barbican API server:

    salt -C 'I@barbican:server' service.restart apache2
    
  19. Verify that Barbican works correctly. For example:

    openstack secret store --name mysecret --payload j4=]d21