iT邦幫忙

2017 iT 邦幫忙鐵人賽
DAY 19

Topic

OpenStack Barbican

Introduction

Barbican provides a storage service for managing sensitive keys, such as symmetric keys, asymmetric keys, and so on.

Main content

Main components

barbican-api: the API application for statistics and management

Create the database

1. Log in to the database

sudo mysql -u root -p

2. Create the database

CREATE DATABASE barbican;

3. Security settings (grant privileges to the barbican database user)

GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' IDENTIFIED BY 'BARBICAN資料庫密碼';
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' IDENTIFIED BY 'BARBICAN資料庫密碼';

Create the user

1. Log in to the CLI as the admin user
2. Create the user

openstack user create --domain default --password-prompt barbican

3. Add the user to the service project with the admin role

openstack role add --project service --user barbican admin

4. Create the creator role

openstack role create creator

5. Assign the creator role to the user

openstack role add --project service --user barbican creator

6. Create the service

openstack service create --name barbican --description "Key Manager" key-manager

7. Create the API endpoints

openstack endpoint create --region RegionOne key-manager \
public http://controller:9311/v1/%\(tenant_id\)s
openstack endpoint create --region RegionOne key-manager \
internal http://controller:9311/v1/%\(tenant_id\)s
openstack endpoint create --region RegionOne key-manager \
admin http://controller:9311/v1/%\(tenant_id\)s

Install and configure the package

1. Install the package

sudo apt-get install barbican-api -y

2. Edit barbican.conf

sudo vim /etc/barbican/barbican.conf
[DEFAULT]
# message service
rpc_backend = rabbit
[database]
connection = mysql+pymysql://barbican:BARBICAN資料庫密碼@controller/barbican

# message service
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = AMQP密碼

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = BARBICAN密碼

3. Edit barbican-api-paste.ini

sudo vim /etc/barbican/barbican-api-paste.ini
[pipeline:barbican_api]
pipeline = cors authtoken context apiapp

4. Sync the database schema

sudo su -s /bin/sh -c "barbican-manage db_sync" barbican

5. Restart the service

sudo service openstack-barbican-api restart

Plugin installation

Crypto plugin

sudo vim /etc/barbican/barbican.conf
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

PKCS#11

sudo vim /etc/barbican/barbican.conf
# ================= Secret Store Plugin ===================
[secretstore]
..
enabled_secretstore_plugins = store_crypto

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'mypassword'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# slot_id = 1
# Enable Read/Write session with the HSM?
# rw_session = True
# Length of Project KEKs to create
# pkek_length = 32
# How long to cache unwrapped Project KEKs
# pkek_cache_ttl = 900
# Max number of items in pkek cache
# pkek_cache_limit = 100

KMIP

sudo vim /etc/barbican/barbican.conf
[secretstore]
enabled_secretstore_plugins = kmip_crypto

[kmip_plugin]
username = 'admin'
password = 'password'
host = localhost
port = 5696
keyfile = '/path/to/certs/cert.key'
certfile = '/path/to/certs/cert.crt'
ca_certs = '/path/to/certs/LocalCA.crt'

Dogtag

sudo vim /etc/barbican/barbican.conf
[secretstore]
enabled_secretstore_plugins = dogtag_crypto

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_password = 'password123'
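The barbican.conf and barbican-api-paste.ini edits above, and the plugin sections that follow them, are where a fresh install most often ends up broken or exposed: a placeholder password left in place, a plugin enabled without its settings section, the two PKCS#11 labels set to the same value, or an API pipeline with the authtoken filter dropped. The following lint is an added example written for this post; it is not code from the original article or from the Barbican project. The placeholder strings and the plugin-to-section mapping are taken from the snippets on this page, and every configuration text in it is constructed sample input.

```python
"""Added example (not from the original post or the Barbican project):
a small sanity lint for the barbican.conf and barbican-api-paste.ini
settings shown in this post. All config text below is constructed input."""
import configparser

# Placeholders and sample passwords copied from the snippets in this post.
PLACEHOLDERS = ("BARBICAN資料庫密碼", "AMQP密碼", "BARBICAN密碼",
                "mypassword", "password")
# Only options whose key contains one of these words are checked for placeholders.
SECRET_KEYS = ("password", "login", "connection")
# Settings section each plugin from the post reads (None: no extra section shown).
PLUGIN_SECTIONS = {
    "store_crypto": None,
    "kmip_crypto": "kmip_plugin",
    "dogtag_crypto": "dogtag_plugin",
}


def _unquote(value):
    """Strip the quotes the sample configs put around string values."""
    return value.strip().strip("'\"")


def lint_barbican_conf(text):
    """Return a list of findings for barbican.conf (empty list: nothing found)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)  # strict=False tolerates a section pasted twice
    findings = []

    # 1. Credentials that still carry a placeholder or a sample value.
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if not any(word in key for word in SECRET_KEYS):
                continue
            if any(p.lower() in value.lower() for p in PLACEHOLDERS):
                findings.append(f"[{section}] {key} still holds a placeholder or sample password")

    # 2. Every enabled secret store plugin needs its settings section.
    enabled = []
    if cfg.has_option("secretstore", "enabled_secretstore_plugins"):
        raw = cfg.get("secretstore", "enabled_secretstore_plugins")
        enabled = [p.strip() for p in raw.split(",") if p.strip()]
    if not enabled:
        findings.append("[secretstore] enabled_secretstore_plugins is not set")
    for plugin in enabled:
        section = PLUGIN_SECTIONS.get(plugin)
        if section and not cfg.has_section(section):
            findings.append(f"plugin {plugin} is enabled but [{section}] is missing")

    # 3. PKCS#11: the MKEK and HMAC labels must differ (see the sample config).
    if cfg.has_section("p11_crypto_plugin"):
        p11 = cfg["p11_crypto_plugin"]
        mkek = _unquote(p11.get("mkek_label", ""))
        hmac = _unquote(p11.get("hmac_label", ""))
        if mkek and mkek == hmac:
            findings.append("[p11_crypto_plugin] mkek_label and hmac_label must differ")
    return findings


def lint_paste_ini(text):
    """The barbican_api pipeline must keep the keystone authtoken filter;
    without it every request reaches the application unauthenticated."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    if not cfg.has_option("pipeline:barbican_api", "pipeline"):
        return ["[pipeline:barbican_api] has no pipeline line"]
    chain = cfg.get("pipeline:barbican_api", "pipeline").split()
    if "authtoken" not in chain:
        return ["[pipeline:barbican_api] pipeline has no authtoken filter"]
    return []


# Constructed samples: the post's settings with placeholders filled in (good)
# and with the typical mistakes left in (bad). Values are made up.
GOOD_CONF = """\
[database]
connection = mysql+pymysql://barbican:s3cr3tDbPw@controller/barbican
[keystone_authtoken]
auth_type = password
username = barbican
password = s3cr3tBarbicanPw
[secretstore]
enabled_secretstore_plugins = store_crypto
[p11_crypto_plugin]
login = 's3cr3tHsmPin'
mkek_label = 'an_mkek'
hmac_label = 'my_hmac_label'
"""
BAD_CONF = """\
[database]
connection = mysql+pymysql://barbican:BARBICAN資料庫密碼@controller/barbican
[keystone_authtoken]
password = BARBICAN密碼
[secretstore]
enabled_secretstore_plugins = store_crypto, kmip_crypto
[p11_crypto_plugin]
login = 'mypassword'
mkek_label = 'an_mkek'
hmac_label = 'an_mkek'
"""
GOOD_PASTE = "[pipeline:barbican_api]\npipeline = cors authtoken context apiapp\n"
BAD_PASTE = "[pipeline:barbican_api]\npipeline = cors context apiapp\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, lint_barbican_conf(text) or "OK")
    print("paste", lint_paste_ini(BAD_PASTE) or "OK")
```

Run it against the real files with `lint_barbican_conf(open("/etc/barbican/barbican.conf").read())` before restarting the service; the placeholder check deliberately looks only at credential-like keys, so the literal `auth_type = password` line from the post is not reported.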

Verify the service

1. Log in to the CLI as the admin user and store a secret

openstack secret store --name mysecret --payload j4=]d21

2. Retrieve the secret with the OpenStack CLI

openstack secret get http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa

3. Check the secret

openstack secret get http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa

4. Decrypt the secret (retrieve its payload)

openstack secret get http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa --payload

Afterword

For new encryption approaches that need to be versatile, fast and securely deployed, the hardest part is protecting the sensitive information itself, and this is one option worth considering.
I hope everyone picks up many practical techniques over this month. If you have questions, send me a private message or use the comment reply; I will answer as best I can and reply to them together later. If there are related applications you would like to know about, feel free to bring them up for discussion too.

References

OpenStack Doc


Series: OpenStack-多到數不清的套件改36
