[Openstack-security] List of steps to perform to prepare or condition long term keys?

Adam Young ayoung at redhat.com
Mon Oct 28 02:48:13 UTC 2013


On 10/26/2013 06:54 AM, Jeffrey Walton wrote:
> Hi Doctor,
>
> On Fri, Oct 25, 2013 at 11:59 AM, Bryan D. Payne <bdpayne at acm.org> wrote:
>> Are you talking about setting up the operating system (and its various
>> applications) such that all of the keys are generated uniquely?  If so, this
>> is very deployment specific and difficult to generalize on.  If not, could
>> you provide some more detail on what you are asking?
> I'd be interested in both OS and OpenStack since I've never seen a
> definitive guide on either. There's no telling what I might have
> missed as I go rummaging for the keys.
>
> For example under Havana, I noticed Keystone created a CA key and cert
> for www.example.com; and created a Signing key and cert for
> www.example.com.

Keystone does provide utilities for setting up the certs, but no 
security-savvy person would think that it was the correct approach.  I 
almost regret having written that code.

The CA cert should be your organization's CA cert, and your CA should 
have signed the signing cert for Keystone.  Using the keystone-manage 
pk-setup is for development and for deployments with no other PKI available.

We are looking at replacing that code with Certmonger.  But in order 
to do that, we need more plugins for Certmonger to work with the CAs out 
there.  Right now, Certmonger works well with Dogtag/RedHat CertServer 
and a sample implementation called Certmaster.  Long term, Certmonger is 
the way to go.


>
> Jeff
>
>> On Fri, Oct 25, 2013 at 12:25 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>>> I was reading through the OpenStack Security Guide dated Oct 25 2013
>>> for Havana (http://docs.openstack.org/sec/). Good job on that, by the
>>> way.
>>>
>>> Does anyone have a list of steps to perform to prepare or condition
>>> long term keys? For example, SSH keys should be regenerated, Samba's
>>> secret should probably be recreated (if present), Ubuntu's Snake Oil
>>> key should probably be deleted (if present), etc.
>>>
>>> I'm interested in both the bare metal OS and VM instances. (VM
>>> instances are somewhat covered under Chapter 43).
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
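The provisioning flow Adam describes above (a signing cert for Keystone issued by the organization's own CA rather than the self-made CA from keystone-manage), as an added example that is not part of the original message and is not Keystone project code. Assumptions: openssl is on PATH; the "organization CA" is a throwaway root generated locally so the script runs offline (in a real deployment that CA already exists and only the CSR is sent to it); WORKDIR, the subject names, the key usage bits and the file names are illustrative choices.

```shell
#!/bin/sh
# Added example, not Keystone code: mint a Keystone token-signing cert
# from an organization CA instead of a keystone-manage generated CA.
# Assumptions: openssl on PATH; the "org CA" below is a constructed
# stand-in so the script runs offline; names and paths are illustrative.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed stand-in for the organization's CA. In production this
# already exists and its private key never lives on the Keystone host.
make_org_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Org/CN=Example Org Root CA" \
        -keyout "$WORKDIR/ca_key.pem" -out "$WORKDIR/ca.pem" >/dev/null 2>&1
}

# Keystone side: generate the signing key and a CSR. Only the CSR leaves
# the host; the private key stays under /etc/keystone (here, WORKDIR).
make_signing_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/OU=Keystone/CN=keystone.example.com" \
        -keyout "$WORKDIR/signing_key.pem" -out "$WORKDIR/signing.csr" >/dev/null 2>&1
}

# CA side: issue an end-entity cert (CA:FALSE) limited to digitalSignature,
# so a stolen signing cert cannot be used to issue further certificates.
sign_csr() {
    cat > "$WORKDIR/signing.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
EOF
    openssl x509 -req -days 365 -in "$WORKDIR/signing.csr" \
        -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca_key.pem" -CAcreateserial \
        -extfile "$WORKDIR/signing.ext" -out "$WORKDIR/signing_cert.pem" >/dev/null 2>&1
}

# Checks a deployer should run before pointing keystone.conf at the files:
# chain verifies against the org CA, the cert is not a CA, key matches cert.
verify_signing_cert() {
    openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/signing_cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORKDIR/signing_cert.pem" -noout -text | grep -q 'CA:FALSE' || return 1
    cert_mod=$(openssl x509 -in "$WORKDIR/signing_cert.pem" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORKDIR/signing_key.pem" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    return 0
}

# Negative check: a self-signed cert from anywhere else must not verify
# against the org CA, which is exactly what keystone-manage's own CA would be.
reject_foreign_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
        -keyout "$WORKDIR/rogue_key.pem" -out "$WORKDIR/rogue.pem" >/dev/null 2>&1
    ! openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/rogue.pem" >/dev/null 2>&1
}

provision() {
    make_org_ca && make_signing_csr && sign_csr && verify_signing_cert
}

if [ "${1:-}" = "run" ]; then
    provision && echo "signing cert OK in $WORKDIR"
    # keystone.conf [signing] would then reference (paths are illustrative):
    #   certfile = $WORKDIR/signing_cert.pem
    #   keyfile  = $WORKDIR/signing_key.pem
    #   ca_certs = $WORKDIR/ca.pem
fi
```

Run it as `sh script.sh run`. The negative check is the point of the message: a certificate minted by a CA that Keystone invented for itself will not chain to the organization's trust anchor, so token consumers configured with the real ca_certs reject it, and that is the behaviour you want.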