[openstack-dev] [Barbican] Use of Dogtag for Production Backend

Jarret Raim jarret.raim at RACKSPACE.COM
Fri May 3 14:09:12 UTC 2013


On 5/3/13 8:44 AM, "Clark, Robert Graham" <robert.clark at hp.com> wrote:

>From a personal point of view I've always found Dogtag to be a pain to
>install on any non Redhat system. EJBCA offers some cross over and is
>significantly easier to deploy. That said, I think the overall approach
>makes a lot of sense. I'll be watching with interest.

Thanks for the feedback. I'll add EJBCA to our list to investigate. I've
also gotten some feedback from our ops folks that they aren't particularly
happy about having to run 389, but we'll see if there is any fire under
all the smoke :)

>Seeing as RH has thrown so much effort into OpenStack already, I guess
>Dogtag makes a lot of sense. Looking forward to seeing where this goes.
>Once the blueprint is done I'd be prepared to throw some effort into
>documenting how to deploy a reference implementation on a debian-type
>system.

That's awesome, thanks. We'll have to get everything working on at least
Cent, RHEL, Debian and Ubuntu so if there are install difficulties, that's
something we can work with the RedHat guys about. They've been super
helpful so far.


Jarret



>
>> -----Original Message-----
>> From: Jarret Raim [mailto:jarret.raim at RACKSPACE.COM]
>> Sent: 03 May 2013 13:15
>> To: OpenStack Development Mailing List
>> Subject: [openstack-dev] [Barbican] Use of Dogtag for Production Backend
>> 
>> All,
>> 
>> Barbican provides an encryption abstraction that allows for the
>> implementation of multiple backends to handle the encryption / decryption
>> and storage of the key encryption keys. After some consultation with
>> Redhat, we are planning to ship two implementations for Havana.
>> 
>> The first is a very simple, in-memory construct which has low memory
>> requirements, no dependencies and is very insecure. This would be for
>> development and allow other products to run Barbican without large set-up
>> times. Very similar to the SQLite modes that many other projects support.
>> 
>> The second would utilize the Dogtag system
>> (http://pki.fedoraproject.org/wiki/PKI_Main_Page). Maintained by RedHat,
>> Dogtag is a Java web-app that offers many advantages including being
>> Common Criteria and FIPS certified, existing integrations with Hardware
>> Security Modules (HSMs) and a secure crypto storage platform all with a
>> ReSTish API. The current plan is that production implementations of
>> Barbican would use Dogtag as their backend, optionally paired with an HSM
>> for extra security. No one would interface directly with Dogtag, it would be
>> the tool that Barbican uses to store the keys.
>> 
>> Our current plan is that Paul Kehrer (one of the RAX devs on the Barbican
>> team) will be spending some time with Dogtag. Once we know a bit more,
>> we'll write up a blueprint for its implementation. However, I wanted to see
>> if anyone had any experience using the Dogtag or FreeIPA systems and
>> could provide any experience or guidance in its use? RedHat has been very
>> helpful in getting us started, just wanted to take everyone's temperature on
>> this path.
>> 
>> Thoughts?
>> 
>> 
>> Jarret Raim
>> 
>> 
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
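The quoted original message describes Barbican as an abstraction over pluggable backends that wrap and store key encryption keys (KEKs), with an insecure in-memory backend for development and Dogtag (optionally HSM-backed) for production. The sketch below is an added example written for this thread; it is not Barbican's or Dogtag's code. The `KekBackend` interface, the `InMemoryBackend` and `SecretStore` classes, and the tenant names are all assumptions, and the HMAC-SHA256 wrap/unwrap is a stdlib stand-in for the AES key wrap or HSM call a real backend would perform. What it shows is the property the design relies on: the layer above the backend only ever persists wrapped DEKs, a different tenant's KEK cannot unwrap them, and a corrupted row is rejected before any key material is returned.

```python
"""Pluggable KEK backend sketch (added example; not Barbican code)."""
import hashlib
import hmac
import secrets
from abc import ABC, abstractmethod

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(kek: bytes):
    # Derive distinct encryption and MAC keys from the KEK (simplified HKDF-style split).
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode; toy replacement for a block cipher stream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def toy_wrap(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC wrap of a DEK under a KEK; layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), then decrypt; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("wrapped blob too short")
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KekBackend(ABC):
    """Hypothetical backend interface: the store above it never sees a raw KEK."""

    @abstractmethod
    def wrap(self, tenant_id: str, dek: bytes) -> bytes: ...

    @abstractmethod
    def unwrap(self, tenant_id: str, blob: bytes) -> bytes: ...


class InMemoryBackend(KekBackend):
    """Development backend: one random KEK per tenant, held only in process memory.
    Lost on restart and unprotected from anyone who can read the process; dev use only."""

    def __init__(self):
        self._keks = {}

    def _kek_for(self, tenant_id: str) -> bytes:
        return self._keks.setdefault(tenant_id, secrets.token_bytes(32))

    def wrap(self, tenant_id: str, dek: bytes) -> bytes:
        return toy_wrap(self._kek_for(tenant_id), dek)

    def unwrap(self, tenant_id: str, blob: bytes) -> bytes:
        return toy_unwrap(self._kek_for(tenant_id), blob)


class SecretStore:
    """Front end in the Barbican role: persists only wrapped DEKs, delegates crypto to the backend."""

    def __init__(self, backend: KekBackend):
        self._backend = backend
        self._rows = {}  # (tenant, name) -> wrapped blob; stands in for the database

    def put(self, tenant_id: str, name: str, dek: bytes) -> None:
        self._rows[(tenant_id, name)] = self._backend.wrap(tenant_id, dek)

    def get(self, tenant_id: str, name: str) -> bytes:
        return self._backend.unwrap(tenant_id, self._rows[(tenant_id, name)])

    def raw_row(self, tenant_id: str, name: str) -> bytes:
        return self._rows[(tenant_id, name)]


def demo() -> dict:
    """Exercise the store with a constructed DEK and report the security properties checked."""
    store = SecretStore(InMemoryBackend())
    dek = secrets.token_bytes(32)  # constructed sample data-encryption key
    store.put("tenant-a", "db-key", dek)
    at_rest = store.raw_row("tenant-a", "db-key")
    checks = {"roundtrip": store.get("tenant-a", "db-key") == dek,
              "plaintext_at_rest": dek in at_rest}
    try:  # another tenant's KEK must not unwrap this row
        store._backend.unwrap("tenant-b", at_rest)
        checks["cross_tenant_blocked"] = False
    except ValueError:
        checks["cross_tenant_blocked"] = True
    tampered = bytes([at_rest[0] ^ 1]) + at_rest[1:]  # one flipped bit in the stored row
    try:
        store._backend.unwrap("tenant-a", tampered)
        checks["tamper_detected"] = False
    except ValueError:
        checks["tamper_detected"] = True
    return checks


if __name__ == "__main__":
    print(demo())
```

A production backend would implement the same two methods by calling out to Dogtag or an HSM, so the `SecretStore` and everything above it would not change; that separation is what lets the insecure in-memory backend exist for development without the development code path leaking into production deployments.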



