[openstack-dev] [Security] Introducing Killick PKI

Adam Young ayoung at redhat.com
Mon Oct 12 01:24:29 UTC 2015

On 10/11/2015 06:50 PM, Robert Collins wrote:
> On 9 October 2015 at 06:47, Adam Young <ayoung at redhat.com> wrote:
>> On 10/08/2015 12:50 PM, Chivers, Doug wrote:
>>> Hi All,
>>> At a previous OpenStack Security Project IRC meeting, we briefly discussed
>>> a lightweight traditional PKI using the Anchor validation functionality, for
>>> use in internal deployments, as an alternative to things like MS ADCS. To
>>> take this further, I have drafted a spec, which is in the security-specs
>>> repo, and would appreciate feedback:
>>> https://review.openstack.org/#/c/231955/
>>> Regards
>>> Doug
>> How is this better than Dogtag/FreeIPA?
> DogTag is Tomcat, yeah? That's not exactly trivial to deploy - the spec
> specifically calls out the desire to have a low-admin-overhead
> solution. Perhaps DogTag/FreeIPA are that in the context of a RHEL
> environment? I see that the dogtag-pki packages in Debian are up to
> date - perhaps more discussion w/ops is needed?

Tomcat is trivial to deploy; it is in all the major distributions 
already. Dogtag is slightly more complex because it does things right 
WRT security hardening the Tomcat instance.  But the process is 
automated as part of the Dogtag code base.

A better bet is using Dogtag as installed with FreeIPA. It is supported 
in both Debian based and RPM based distributions.  The dev team is 
primarily Red Hat, with an Ubuntu packager dealing with the headaches of 
getting it installed there.  There is someone working on SuSE already as 
well.  FreeIPA gets us Dogtag, as well as Kerberos for Symmetric Key.

We have a demo of Using Kerberos to authenticate and encrypt the 
messaging backend (AMQP 1.0 Driver with Proton) and also for auth on all 
of the Web services.  I'll be one of the people demoing it at the Red 
Hat booth at Tokyo if you want to see it and ask questions directly.

For self-signed certificates, we can use certmonger and the self-signed 
backend; we should be using Certmonger as the cert management client no 
matter what.  There was a Certmonger-Barbican plugin underway, but I do 
not know the status of it.

Let's not reinvent this; the security and cryptography focused people on 
OpenStack are already spread thin. Let's focus on reusing pre-existing 

> -Rob