Setting up Barbican Behind TLS/SSL

Given that we are passing secrets back and forth between clients and the
Barbican server, it is absolutely imperative that the communications be
encrypted using TLS/SSL.

To be even more assured that the secrets are secure, one could use the
transport key mechanism that had been added to Barbican for use with
the Dogtag plugin. With this mechanism, the secret is encrypted with
a backend transport key that can only be decrypted on the back-end.

This means that secrets are always encrypted – even when there is no
SSL connection, and they are double-encrypted when there is an SSL

We will not focus on transport keys here, but rather on securing the
Barbican endpoint using TLS/SSL using haproxy. Haproxy will serve
https://hostname:9311, and will proxy the requests to the Barbican server
which will be listening on port 9312.

Note that in general, you are going to want to protect all the Openstack endpoints behind haproxy.  In this post, I’m only focusing on barbican.  For instructions on how to set up all the services (including Barbican), I recommend looking at the ansible scripts in rippowam

The steps are as follows:

  • Install haproxy::
sudo yum install haproxy
  • Get SSL certificate for haproxy from IPA using certmonger.  There are many possible ways of doing this.  I’m going to document how to do it using IPA (and registering the Openstack server as a client.  Ultimately, we’re going to end up registering the Openstack services in IPA.
sudo yum install ipa-client
sudo systemctl start certmonger.service 
echo <ipa_admin_password> | kinit admin@<ipa_realm> 
ipa service-add principal=HTTP/`hostname`@<ipa_realm> --force
setenforce 0 
ipa-getcert request -w -f /etc/haproxy/server.crt \
  -k /etc/haproxy/server.key -D "`hostname`" -K HTTP/`hostname`

cat /etc/haproxy/server.crt /etc/haproxy/server.key > /etc/haproxy/cert.pem 
chown haproxy: /etc/haproxy/cert.pem 
chmod 0600 /etc/haproxy/cert.pem
setenforce 1
  • . You could also get the certificates needed by contacting Dogtag directly using the pki CLI, or by using Barbican/Dogtag  to issue a server cert.
    • TODO – show how to use Barbican to get the cert from dogtag
  • Install haproxy config file in /etc/haproxy.cfg.
 # to have these messages end up in /var/log/haproxy.log you will 
 # need to: 
 # 1) configure syslog to accept network log events. This is done 
 # by adding the '-r' option to the SYSLOGD_OPTIONS in 
 # /etc/sysconfig/syslog 
 # 2) configure local2 events to go to the /var/log/haproxy.log 
 # file. A line like the following can be added to 
 # /etc/sysconfig/syslog 
 # local2.* /var/log/haproxy.log 
 log local2
chroot /var/lib/haproxy 
 pidfile /var/run/ 
 maxconn 4000 
 user haproxy 
 group haproxy 
# turn on stats unix socket 
 stats socket /var/lib/haproxy/stats
 # common defaults that all the 'listen' and 'backend' sections will 
 # use if not designated in their block 
 mode http 
 timeout connect 10s 
 timeout client 10s 
 timeout server 10s 
 maxconn 10000 
 balance roundrobin 
 option forwardfor
backend barbican-api 
 server barbican-01 check inter 10s
frontend barbican-api 
 bind ssl crt /etc/haproxy/cert.pem 
 default_backend barbican-api
  • Set up Barbican to bind locally to port 9312.::
crudini --set /etc/barbican/barbican.conf DEFAULT bind_host
crudini --set /etc/barbican/barbican.conf DEFAULT bind_port 9312 
crudini --set /etc/barbican/barbican.conf DEFAULT host_href https://`hostname`:9311
crudini --set /etc/barbican/vassals/barbican-api.ini uwsgi socket :9312 
sed -i 's/bind = '\'''\''/bind = '\'''\''/' /etc/barbican/
systemctl restart openstack-barbican-api.service
systemctl restart haproxy.service

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s