Deploy Dogtag

Deploy DogtagΒΆ

Dogtag is one of the Barbican plugins that represents a back end for storing symmetric keys, for example, for volume encryption, as well as passwords, and X.509 certificates.

To deploy the Dogtag back end for Barbican:

  1. Open the classes/cluster/<cluster_name>/ directory of your Git project repository.

  2. In openstack/control.yml, add the Dogtag class and specify the required parameters. For example:

    classes:
    - system.dogtag.server.cluster
    
    ...
    
    parameters:
      _param:
        dogtag_master_host: ${_param:openstack_control_node01_hostname}.${_param:cluster_domain}
        haproxy_dogtag_bind_port: 8444
        cluster_dogtag_port: 8443
        # Dogtag listens on 8443 but there is no way to bind it to a
        # Specific IP, as in this setup Dogtag is installed on ctl nodes
        # Change port on haproxy side to avoid binding conflict.
        haproxy_dogtag_bind_port: 8444
        cluster_dogtag_port: 8443
        dogtag_master_host: ctl01.${linux:system:domain}
        dogtag_pki_admin_password: workshop
        dogtag_pki_client_database_password: workshop
        dogtag_pki_client_pkcs12_password: workshop
        dogtag_pki_ds_password: workshop
        dogtag_pki_token_password: workshop
        dogtag_pki_security_domain_password: workshop
        dogtag_pki_clone_pkcs12_password: workshop
      dogtag:
        server:
          ldap_hostname: ${linux:network:fqdn}
          ldap_dn_password: workshop
          ldap_admin_password: workshop
          export_pem_file_path: /etc/dogtag/kra_admin_cert.pem
    
  3. In classes/cluster/<cluster_name>/infra/config/init.yml, add the - system.salt.master.formula.pkg.dogtag class to the classes section.

    For example:

    classes:
    - system.salt.master.formula.pkg.dogtag
    ...
    
  4. In classes/cluster/<cluster_name>/infra/config/nodes.yml, specify the dogtag_cluster_role: master parameter in the openstack_control_node01 section, and the dogtag_cluster_role: slave parameter in the openstack_control_node02 and openstack_control_node03 sections.

    For example:

    node:
      openstack_control_node01:
        classes:
        - service.galera.master.cluster
        - service.dogtag.server.cluster.master
        params:
          mysql_cluster_role: master
          linux_system_codename: xenial
          dogtag_cluster_role: master
      openstack_control_node02:
        classes:
        - service.galera.slave.cluster
        - service.dogtag.server.cluster.slave
        params:
          mysql_cluster_role: slave
          linux_system_codename: xenial
          dogtag_cluster_role: slave
      openstack_control_node03:
        classes:
        - service.galera.slave.cluster
        - service.dogtag.server.cluster.slave
        params:
          mysql_cluster_role: slave
          linux_system_codename: xenial
          dogtag_cluster_role: slave
    
  5. Commit and push the changes to the project Git repository.

  6. Log in to the Salt Master node.

  7. Update your Salt formulas at the system level:

    1. Change the directory to /srv/salt/reclass.

    2. Run the git pull origin master command.

    3. Run the salt-call state.sls salt.master command.

  8. Apply the following states:

    salt -C 'I@salt:master' state.sls salt,reclass
    salt -C 'I@dogtag:server and *01*' state.sls dogtag.server
    salt -C 'I@dogtag:server' state.sls dogtag.server
    salt -C 'I@haproxy:proxy' state.sls haproxy
    
  9. Proceed to Deploy Barbican with the Dogtag back end.

Note

If the dogtag:export_pem_file_path variable is defined, the system imports kra admin certificate to the defined .pem file and to the Salt Mine dogtag_admin_cert variable. After that, Barbican and other components can use kra admin certificate.