Dogtag is a Barbican plugin that provides a backend for storing secrets: symmetric keys (for example, volume encryption keys), passwords, and X.509 certificates.
To deploy the Dogtag backend for Barbican:
Open the classes/cluster/<cluster_name>/ directory of your Git project repository.
In openstack/control.yml, add the Dogtag class and specify the required parameters. Define each parameter once: reclass loads the model with PyYAML, which keeps the last of several definitions of the same key and silently drops the earlier ones. The workshop values below are placeholders; the model is committed to Git, so replace every password with a unique, strong secret before you commit. For example:

classes:
- system.dogtag.server.cluster
...
parameters:
  _param:
    dogtag_master_host: ${_param:openstack_control_node01_hostname}.${_param:cluster_domain}
    # or: dogtag_master_host: ctl01.${linux:system:domain}
    # Dogtag listens on 8443 and cannot be bound to a specific IP. In this
    # setup Dogtag runs on the ctl nodes, so HAProxy binds a different port
    # (8444) to avoid the conflict.
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    dogtag_pki_admin_password: workshop
    dogtag_pki_client_database_password: workshop
    dogtag_pki_client_pkcs12_password: workshop
    dogtag_pki_ds_password: workshop
    dogtag_pki_token_password: workshop
    dogtag_pki_security_domain_password: workshop
    dogtag_pki_clone_pkcs12_password: workshop
  dogtag:
    server:
      ldap_hostname: ${linux:network:fqdn}
      ldap_dn_password: workshop
      ldap_admin_password: workshop
      export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
In classes/cluster/<cluster_name>/infra/config/init.yml, add the system.salt.master.formula.pkg.dogtag class to the classes section. For example:

classes:
- system.salt.master.formula.pkg.dogtag
...
In classes/cluster/<cluster_name>/infra/config/nodes.yml, specify the dogtag_cluster_role: master parameter in the openstack_control_node01 section, and the dogtag_cluster_role: slave parameter in the openstack_control_node02 and openstack_control_node03 sections. For example:

node:
  openstack_control_node01:
    classes:
    - service.galera.master.cluster
    - service.dogtag.server.cluster.master
    params:
      mysql_cluster_role: master
      linux_system_codename: xenial
      dogtag_cluster_role: master
  openstack_control_node02:
    classes:
    - service.galera.slave.cluster
    - service.dogtag.server.cluster.slave
    params:
      mysql_cluster_role: slave
      linux_system_codename: xenial
      dogtag_cluster_role: slave
  openstack_control_node03:
    classes:
    - service.galera.slave.cluster
    - service.dogtag.server.cluster.slave
    params:
      mysql_cluster_role: slave
      linux_system_codename: xenial
      dogtag_cluster_role: slave
Commit and push the changes to the project Git repository.
Log in to the Salt Master node.
Update your Salt formulas at the system level in /srv/salt/reclass, then apply the following states. The second command targets only the master node (ctl01) so that a Dogtag instance exists before the third command configures the remaining nodes as its clones:

salt -C 'I@salt:master' state.sls salt,reclass
salt -C 'I@dogtag:server and *01*' state.sls dogtag.server
salt -C 'I@dogtag:server' state.sls dogtag.server
salt -C 'I@haproxy:proxy' state.sls haproxy
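A pre-commit check for the model edited in the steps above, as an added example that is not part of the MCP documentation or of the salt-formula-dogtag project. It assumes the file layout shown on this page and parses only the YAML subset the page's fragments use, without a PyYAML dependency; the sample inputs, the placeholder list and the replacement secret values are constructed for the example. It flags the mistakes a reviewer would otherwise catch by hand: keys defined twice, placeholder passwords, HAProxy bound to the same port as Dogtag, and a nodes.yml without exactly one master.

```python
"""Lint the Dogtag parameters of a reclass cluster model before committing it.
Example code added for this page, not part of the MCP docs or salt-formula-dogtag;
it parses the YAML subset the model uses (mappings, scalars, '- item' lists,
comments) without PyYAML, so it runs anywhere."""
from collections import Counter

# Constructed list of throwaway values that must never reach a real model.
PLACEHOLDER_SECRETS = {"workshop", "password", "changeme", "secret", "admin"}


def parse_flat(text):
    """Return [(dotted.path, value)] for every scalar and list item; nesting
    follows indentation and list items are filed under 'parent[]'."""
    stack, entries = [], []      # stack holds (indent, key) of enclosing mappings
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if stripped.startswith("- "):
            entries.append((".".join(k for _, k in stack) + "[]", stripped[2:].strip()))
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        key, _, value = stripped.partition(":")
        stack.append((indent, key.strip()))
        if value.strip():
            entries.append((".".join(k for _, k in stack), value.strip()))
    return entries


def lint_model(text):
    """Return findings for one model file (control.yml or nodes.yml)."""
    entries, findings = parse_flat(text), []
    # 1. Repeated keys: reclass loads the model with PyYAML, which keeps the
    #    last occurrence and discards the earlier ones without a warning.
    counts = Counter(p for p, _ in entries if not p.endswith("[]"))
    findings += [f"duplicate key {p} ({n} definitions, last one wins)"
                 for p, n in sorted(counts.items()) if n > 1]
    params = dict(entries)       # the same last-wins view PyYAML would give
    # 2. Placeholder secrets: the model lives in Git, so every *password* key
    #    must carry a real, unique value.
    findings += [f"placeholder secret in {p}" for p, v in params.items()
                 if "password" in p.rsplit(".", 1)[-1] and v.lower() in PLACEHOLDER_SECRETS]
    # 3. Port clash: Dogtag binds 8443 on every ctl node and cannot be pinned
    #    to one address, so the HAProxy frontend needs a different port.
    bind = params.get("parameters._param.haproxy_dogtag_bind_port")
    if bind is not None and bind == params.get("parameters._param.cluster_dogtag_port"):
        findings.append(f"haproxy_dogtag_bind_port {bind} clashes with cluster_dogtag_port")
    # 4. Roles: exactly one master; the other nodes are configured as its clones.
    roles = [(p, v) for p, v in params.items() if p.endswith(".dogtag_cluster_role")]
    masters = sum(v == "master" for _, v in roles)
    if roles and masters != 1:
        findings.append(f"expected exactly one dogtag master, found {masters}")
    findings += [f"unknown dogtag_cluster_role {v!r} in {p}"
                 for p, v in roles if v not in ("master", "slave")]
    return findings


# Constructed sample: a trimmed control.yml with the repeated keys and the
# 'workshop' placeholders left in, as a careless edit would leave them.
CONTROL_YML_AS_PUBLISHED = """\
classes:
- system.dogtag.server.cluster
parameters:
  _param:
    dogtag_master_host: ${_param:openstack_control_node01_hostname}.${_param:cluster_domain}
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    dogtag_master_host: ctl01.${linux:system:domain}
    dogtag_pki_admin_password: workshop
    dogtag_pki_ds_password: workshop
    dogtag_pki_clone_pkcs12_password: workshop
  dogtag:
    server:
      ldap_dn_password: workshop
      ldap_admin_password: workshop
      export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
"""
# Constructed hardened variant: each key once, secrets are made-up generated values.
CONTROL_YML_FIXED = """\
parameters:
  _param:
    dogtag_master_host: ${_param:openstack_control_node01_hostname}.${_param:cluster_domain}
    haproxy_dogtag_bind_port: 8444
    cluster_dogtag_port: 8443
    dogtag_pki_admin_password: q7Vb2LxW9mTz4cRp8nHa
  dogtag:
    server:
      ldap_dn_password: fK3sP0dRw8vE1nYu6tGb
"""
# Constructed nodes.yml fragment: one master, two clones.
NODES_YML = """\
node:
  openstack_control_node01:
    params:
      dogtag_cluster_role: master
  openstack_control_node02:
    params:
      dogtag_cluster_role: slave
  openstack_control_node03:
    params:
      dogtag_cluster_role: slave
"""

if __name__ == "__main__":
    for name, text in [("control.yml", CONTROL_YML_AS_PUBLISHED), ("nodes.yml", NODES_YML)]:
        print(name, lint_model(text) or "ok")
```

Run it over openstack/control.yml and infra/config/nodes.yml before committing. The careless sample yields eight findings (three repeated keys and five placeholder passwords), the hardened variant and the nodes fragment none; swapping a slave role to master or setting both ports to 8443 is reported as well.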
Proceed to Deploy Barbican with the Dogtag backend.
Note
If the dogtag:server:export_pem_file_path parameter is defined, the formula exports the KRA admin certificate to that .pem file and publishes it in the Salt Mine as dogtag_admin_cert. Barbican and other components can then use the KRA admin certificate from the Mine.