[openstack-dev] [Barbican] Use of Dogtag for Production Backend

Clark, Robert Graham robert.clark at hp.com
Fri May 3 13:44:56 UTC 2013


From a personal point of view I've always found Dogtag to be a pain to
install on any non-Red Hat system. EJBCA offers some crossover and is
significantly easier to deploy. That said, I think the overall approach
makes a lot of sense. I'll be watching with interest.

Seeing as RH has thrown so much effort into OpenStack already, I guess
Dogtag makes a lot of sense. Looking forward to seeing where this goes.
Once the blueprint is done I'd be prepared to throw some effort into
documenting how to deploy a reference implementation on a Debian-type
system.

> -----Original Message-----
> From: Jarret Raim [mailto:jarret.raim at RACKSPACE.COM]
> Sent: 03 May 2013 13:15
> To: OpenStack Development Mailing List
> Subject: [openstack-dev] [Barbican] Use of Dogtag for Production Backend
> 
> All,
> 
> Barbican provides an encryption abstraction that allows for the
> implementation of multiple backends to handle the encryption / decryption
> and storage of the key encryption keys. After some consultation with
> Red Hat, we are planning to ship two implementations for Havana.
> 
> The first is a very simple, in-memory construct which has low memory
> requirements, no dependencies and is very insecure. This would be for
> development and allow other products to run Barbican without large set-up
> times. Very similar to the SQLite modes that many other projects support.
> 
> The second would utilize the Dogtag system
> (http://pki.fedoraproject.org/wiki/PKI_Main_Page). Maintained by Red Hat,
> Dogtag is a Java web-app that offers many advantages including being
> Common Criteria and FIPS certified, existing integrations with Hardware
> Security Modules (HSMs) and a secure crypto storage platform, all with a
> ReSTish API. The current plan is that production implementations of
> Barbican would use Dogtag as their backend, optionally paired with an HSM
> for extra security. No one would interface directly with Dogtag; it would be
> the tool that Barbican uses to store the keys.
> 
> Our current plan is that Paul Kehrer (one of the RAX devs on the Barbican
> team) will be spending some time with Dogtag. Once we know a bit more,
> we'll write up a blueprint for its implementation. However, I wanted to see
> if anyone had any experience using the Dogtag or FreeIPA systems and
> could provide any experience or guidance in its use? Red Hat has been very
> helpful in getting us started, just wanted to take everyone's temperature on
> this path.
> 
> Thoughts?
> 
> 
> Jarret Raim
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev