[openstack-dev] [Barbican] Use of Dogtag for Production Backend

Jarret Raim jarret.raim at RACKSPACE.COM
Fri May 3 12:14:45 UTC 2013


All,

Barbican provides an encryption abstraction that allows for the
implementation of multiple backends to handle the encryption / decryption
and storage of the key encryption keys. After some consultation with
Red Hat, we are planning to ship two implementations for Havana.

The first is a very simple, in-memory construct which has low memory
requirements, no dependencies and is very insecure. This would be for
development and allow other products to run Barbican without large set-up
times. Very similar to the SQLite modes that many other projects support.

The second would utilize the Dogtag system
(http://pki.fedoraproject.org/wiki/PKI_Main_Page). Maintained by Red Hat,
Dogtag is a Java web-app that offers many advantages including being
Common Criteria and FIPS certified, existing integrations with Hardware
Security Modules (HSMs) and a secure crypto storage platform all with a
ReSTish API. The current plan is that production implementations of
Barbican would use Dogtag as their backend, optionally paired with an HSM
for extra security. No one would interface directly with Dogtag; it would
be the tool that Barbican uses to store the keys.

Our current plan is that Paul Kehrer (one of the RAX devs on the Barbican
team) will be spending some time with Dogtag. Once we know a bit more,
we'll write up a blueprint for its implementation. However, I wanted to
see if anyone had any experience using the Dogtag or FreeIPA systems and
could provide any experience or guidance in their use. Red Hat has been very
helpful in getting us started, just wanted to take everyone's temperature
on this path.

Thoughts?


Jarret Raim
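The backend abstraction the mail describes, as an added example that is not Barbican's code and does not reproduce Dogtag's API: a backend interface that holds key encryption keys (KEKs) and wraps per-secret data keys, the throwaway in-memory backend for development, and a secret store that persists only ciphertext plus a wrapped data key, so the backend can be swapped without touching stored secrets. All class and function names (CryptoBackend, InMemoryBackend, SecretStore, seal, open_sealed) and the KEK-per-project model are assumptions made for the illustration. The cipher is an HMAC-SHA256 stand-in so the file runs on the standard library; a production backend would use an AEAD such as AES-GCM, ideally behind an HSM.

```python
# Added example, not Barbican's own code: a pluggable KEK backend behind an
# envelope-encryption secret store. The cipher is an HMAC-SHA256 stand-in
# (keystream + encrypt-then-MAC); production would use AES-GCM or an HSM.
import abc
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Return nonce || body || tag; the "enc"/"mac" prefixes separate the two HMAC uses."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, b"enc" + nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Check the tag before decrypting; any modified byte raises ValueError."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(key, b"enc" + nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

class CryptoBackend(abc.ABC):
    """What the store needs from any backend: a KEK per project, wrap/unwrap of data keys."""
    @abc.abstractmethod
    def kek_ref(self, project_id): ...           # opaque reference to the project's KEK
    @abc.abstractmethod
    def wrap(self, project_id, dek): ...         # encrypt a data key under that KEK
    @abc.abstractmethod
    def unwrap(self, kek_ref, wrapped_dek): ...  # KeyError if that KEK is unavailable

class InMemoryBackend(CryptoBackend):
    """Development only: KEKs live in a dict and vanish with the process."""
    def __init__(self):
        self._keks = {}
        self.instance_id = secrets.token_hex(4)  # differs on every restart

    def _kek(self, project_id):
        return self._keks.setdefault(project_id, secrets.token_bytes(32))

    def kek_ref(self, project_id):
        self._kek(project_id)
        return "mem:%s:%s" % (self.instance_id, project_id)

    def wrap(self, project_id, dek):
        return seal(self._kek(project_id), dek)

    def unwrap(self, kek_ref, wrapped_dek):
        _, instance_id, project_id = kek_ref.split(":", 2)
        if instance_id != self.instance_id or project_id not in self._keks:
            raise KeyError("KEK %s is gone: in-memory keys do not survive a restart" % kek_ref)
        return open_sealed(self._keks[project_id], wrapped_dek)

@dataclass
class StoredSecret:
    kek_ref: str        # which backend/KEK wrapped the data key
    wrapped_dek: bytes  # per-secret data key, encrypted by the backend
    ciphertext: bytes   # the secret, encrypted under the data key

class SecretStore:
    """Envelope encryption: a fresh data key per secret, wrapped by the backend."""
    def __init__(self, backend):
        self.backend, self.rows = backend, {}

    def put(self, project_id, name, plaintext):
        dek = secrets.token_bytes(32)
        ref = self.backend.kek_ref(project_id)
        self.rows[name] = StoredSecret(ref, self.backend.wrap(project_id, dek), seal(dek, plaintext))
        return ref

    def get(self, name):
        row = self.rows[name]
        return open_sealed(self.backend.unwrap(row.kek_ref, row.wrapped_dek), row.ciphertext)

def roundtrip():
    store = SecretStore(InMemoryBackend())
    store.put("proj-a", "db-password", b"hunter2")
    return store.get("db-password")

def survives_restart():
    """The dev backend's failure mode: a restarted process holds new KEKs."""
    store = SecretStore(InMemoryBackend())
    store.put("proj-a", "db-password", b"hunter2")
    store.backend = InMemoryBackend()  # simulate the process restarting
    try:
        store.get("db-password")
        return True
    except KeyError:
        return False
```

The store never sees a KEK, only the reference the backend hands back, which is what makes a production backend (an HSM-backed service) a drop-in for the in-memory one. `survives_restart()` shows why the in-memory backend is for development only: once the process restarts, every stored secret is unrecoverable because the KEKs were never persisted.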