OpenStack Barbican
Barbican 是 OpenStack 的金鑰管理服務(Key Manager),透過 REST API 安全地儲存與管理敏感資料,例如對稱金鑰、非對稱金鑰對、憑證以及一般的密文(secret)。
barbican-api:提供 Key Manager REST API 的服務元件;本文只安裝與設定 barbican-api(barbican-worker、barbican-keystone-listener 等元件不在本文範圍)。
1.登入資料庫
# Open an interactive MySQL/MariaDB session as the database root user; --password with no value prompts for it.
sudo mysql --user=root --password
2.建立資料庫
-- Create the database Barbican uses for its metadata (and, depending on the secret-store
-- backend chosen later, the wrapped secret data). SCHEMA is a synonym for DATABASE in MySQL/MariaDB.
CREATE SCHEMA barbican;
3.建立資料庫使用者並授權(只授予 barbican 資料庫的權限)
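-- Create the service account first, then grant it privileges limited to the barbican schema.
-- "GRANT ... IDENTIFIED BY" was removed in MySQL 8.0; CREATE USER + GRANT works on
-- MySQL 5.7+, 8.0 and MariaDB. Replace BARBICAN資料庫密碼 with a strong, unique password;
-- it must match the [database]/connection value in barbican.conf.
CREATE USER IF NOT EXISTS 'barbican'@'localhost' IDENTIFIED BY 'BARBICAN資料庫密碼';
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost';
-- 'barbican'@'%' accepts this account from any host. If barbican-api and the database
-- run on the same controller the 'localhost' grant above is sufficient; otherwise replace
-- '%' with the API host's address or subnet instead of leaving it open to every client.
CREATE USER IF NOT EXISTS 'barbican'@'%' IDENTIFIED BY 'BARBICAN資料庫密碼';
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%';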
1.以 admin 管理員身分執行 OpenStack CLI(先載入 admin 帳號的 openrc 環境變數)
2.建立使用者
# Create the barbican service user in the default domain. --password-prompt keeps the
# password off the command line (shell history, process list).
openstack user create barbican --domain default --password-prompt
3.將 barbican 使用者加入 service 專案並賦予 admin 角色
# Give the barbican service user the admin role on the service project. This is a service
# account, not a person: its password should live only in barbican.conf.
openstack role add admin --user barbican --project service
4.建立 creator 角色
# Create the "creator" role. Barbican's default policy refers to this role for users allowed
# to create and manage secrets; the service user is given it in the next step.
openstack role create creator
5.將 creator 角色指派給 barbican 使用者
# Assign the creator role to the barbican service user on the service project.
openstack role add creator --project service --user barbican
6.建立服務
# Register the Key Manager service (type key-manager, name barbican) in the Keystone catalog.
openstack service create key-manager --name barbican --description "Key Manager"
7.建立 API 端點(endpoint)
# Register the public, internal and admin endpoints for key-manager, in that order.
# NOTE(review): these URLs are plain http. Secret payloads and Keystone tokens travel over
# this API, so outside a lab terminate TLS in front of port 9311 (directly or via a reverse
# proxy) and register https:// URLs instead. %(tenant_id)s is expanded by Keystone per project.
for iface in public internal admin; do
    openstack endpoint create --region RegionOne key-manager \
        "$iface" 'http://controller:9311/v1/%(tenant_id)s'
done
1.安裝套件
# Install the API package only; barbican-worker and barbican-keystone-listener are separate
# packages that this page does not install.
sudo apt-get -y install barbican-api
2.編輯設定檔 barbican.conf
# Edit the main Barbican configuration. It will hold the database, RabbitMQ and Keystone
# passwords in clear text, so after editing confirm it is readable only by root and the
# barbican service user (typically root:barbican, mode 0640).
sudo vim /etc/barbican/barbican.conf
[DEFAULT]
# Messaging backend (RabbitMQ).
# NOTE(review): rpc_backend together with the [oslo_messaging_rabbit] host/user/password keys
# is the legacy form; newer oslo.messaging releases expect a single transport_url here
# instead — check the release you are installing.
rpc_backend = rabbit
[database]
# SQLAlchemy URL for the barbican database; user and password must match the GRANT done earlier.
connection = mysql+pymysql://barbican:BARBICAN資料庫密碼@controller/barbican
# Messaging service (RabbitMQ) connection, legacy key style — see note under [DEFAULT].
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = AMQP密碼
# keystonemiddleware settings used by the "authtoken" filter in the API pipeline.
[keystone_authtoken]
# NOTE(review): plain http to Keystone; the service password below is sent over these URLs.
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
# The password chosen at "openstack user create --password-prompt barbican".
password = BARBICAN密碼
3.編輯 WSGI pipeline 設定檔 barbican-api-paste.ini
# Edit the paste-deploy file that defines the API's WSGI middleware pipeline.
sudo vim /etc/barbican/barbican-api-paste.ini
# WSGI pipeline for the API, left to right. Keep "authtoken" (Keystone token validation,
# configured by [keystone_authtoken] in barbican.conf) in front of "context": removing it
# disables token validation for every request reaching the key manager.
[pipeline:barbican_api]
pipeline = cors authtoken context apiapp
4.初始化資料庫結構(db_sync)
# Create/upgrade the schema in the barbican database. Run as the barbican user so any
# files the command creates (logs, caches) are not left owned by root.
sudo su -c 'barbican-manage db_sync' -s /bin/sh barbican
5.重啟服務
# Restart the API so the new configuration is loaded.
# NOTE(review): the service name depends on the distribution/package; on Ubuntu the
# barbican-api package's unit may simply be "barbican-api" — check with
# `systemctl list-units | grep barbican` if this name is not found.
sudo service openstack-barbican-api restart
# Choose the secret-store backend. This and the following "sudo vim /etc/barbican/barbican.conf"
# snippets (store_crypto, store_crypto + PKCS#11 HSM, kmip_crypto, dogtag_crypto) are
# alternatives, not steps to apply one after another: configure exactly one backend.
sudo vim /etc/barbican/barbican.conf
# Secret-store backend selection. enabled_secretstore_plugins names one plugin.
# store_crypto keeps (wrapped) secrets in the barbican database and delegates the key
# wrapping to a crypto plugin. NOTE(review): with no crypto plugin configured the default
# is simple_crypto, whose key-encryption key is itself stored in barbican.conf — acceptable
# for a lab, not for production; see the PKCS#11 variant below.
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
# Same file: store_crypto backed by a PKCS#11 HSM. This replaces the plain store_crypto
# configuration above rather than adding to it.
sudo vim /etc/barbican/barbican.conf
# ================= Secret Store Plugin ===================
# store_crypto variant that wraps secrets with keys held in a PKCS#11 HSM.
# NOTE(review): the p11 plugin itself is selected through [crypto]/enabled_crypto_plugins
# (p11_crypto), which this snippet does not show — confirm against the Barbican docs for
# your release before relying on the HSM actually being used.
[secretstore]
..
enabled_secretstore_plugins = store_crypto
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
# NOTE(review): this is the HSM partition PIN in clear text. Replace the placeholder and
# keep barbican.conf readable only by root and the barbican service user.
login = 'mypassword'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
# The MKEK and HMAC keys must exist in the HSM under these labels before the API starts;
# they are created out of band (vendor tooling, or barbican-manage hsm gen_mkek / gen_hmac
# depending on release).
mkek_label = 'an_mkek'
# Length in bytes of master KEK
# 32 bytes = 256-bit key.
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# slot_id = 1
# Enable Read/Write session with the HSM?
# rw_session = True
# Length of Project KEKs to create
# pkek_length = 32
# How long to cache unwrapped Project KEKs
# Seconds. Unwrapped project KEKs stay in barbican-api process memory for this long;
# lowering it trades more HSM round-trips for a shorter exposure window.
# pkek_cache_ttl = 900
# Max number of items in pkek cache
# pkek_cache_limit = 100
# Same file: KMIP backend. Alternative to the store_crypto configurations above.
sudo vim /etc/barbican/barbican.conf
# Alternative backend: secrets are held in an external KMIP server instead of the barbican
# database. Mutually exclusive with store_crypto and dogtag_crypto.
[secretstore]
enabled_secretstore_plugins = kmip_crypto
[kmip_plugin]
# KMIP server credentials — sample placeholders, replace before use. Same file-permission
# caveat as every other password in barbican.conf.
username = 'admin'
password = 'password'
# KMIP server address and port (5696 is the IANA-assigned KMIP-over-TLS port). localhost is a placeholder.
host = localhost
port = 5696
# Client certificate and private key presented to the KMIP server (mutual TLS); the key
# file should be readable only by the barbican service user.
keyfile = '/path/to/certs/cert.key'
certfile = '/path/to/certs/cert.crt'
# CA used to verify the KMIP server's certificate. Point this at the issuing CA rather
# than a system-wide bundle so only that server is trusted.
ca_certs = '/path/to/certs/LocalCA.crt'
# Same file: Dogtag KRA backend. Alternative to the store_crypto and KMIP configurations above.
sudo vim /etc/barbican/barbican.conf
# Alternative backend: secrets are stored in a Dogtag KRA (Key Recovery Authority).
# Mutually exclusive with store_crypto and kmip_crypto.
[secretstore]
enabled_secretstore_plugins = dogtag_crypto
[dogtag_plugin]
# PEM (certificate + key) of the KRA agent Barbican authenticates as; keep it readable
# only by the barbican service user.
pem_path = '/etc/barbican/kra_admin_cert.pem'
# Dogtag host and HTTPS port; localhost is a placeholder.
dogtag_host = localhost
dogtag_port = 8443
# NSS database used for the TLS connection, and its password (clear text — replace the
# placeholder and protect barbican.conf).
nss_db_path = '/etc/barbican/alias'
nss_password = 'password123'
1.以 admin 身分(載入 openrc 後)使用 OpenStack CLI 建立一個 secret
# Store a secret named "mysecret" with a literal payload.
# NOTE(review): a payload passed with --payload is written to shell history and is visible
# in `ps` while the command runs; for real secrets read it from a file instead
# (--file, where the client supports it). The command prints a "Secret href", which is
# the argument the following commands take.
openstack secret store --payload 'j4=]d21' --name mysecret
2.以 OpenStack CLI 取得 secret 的 metadata(不含 payload);請把 URL 換成自己 store 時回傳的 Secret href
# Show the secret's metadata (name, status, content types, expiration) without the payload.
# The href is from the author's lab (10.0.2.15); use the one returned by your own store command.
openstack secret get "http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa"
3.檢查 secret 的狀態(與上一步相同指令,確認輸出中的 Status 欄位為 ACTIVE)
# Same call as the previous step; re-run it to check the Status field of the secret.
# Replace the href with the one returned by your own store command.
openstack secret get "http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa"
4.取得 secret 的 payload(由 Barbican 伺服端解密後回傳;CLI 本身不做解密)
# Retrieve the payload itself. Barbican unwraps/decrypts it server-side and returns it
# over the API (plain http in this setup — see the endpoint note), so the caller only
# needs a token that the policy allows to read the secret.
openstack secret get --payload "http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa"
對於需要多元、快速且安全部署的新型加密應用,最困難的一點往往是如何保護金鑰與密文等敏感資訊本身;像 Barbican 這樣的集中式金鑰管理服務,是一個值得考慮的作法。
希望大家在這一個月中能讀到很多應用技巧。如果有問題,可以用私訊或在回覆中提問,我會盡量回答,並在之後統一回覆;如果有想了解的相關應用,也歡迎提出討論。