[openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert implementation for LBaaS and VPN
Nathan Kinder
nkinder at redhat.com
Thu May 8 14:34:36 UTC 2014
On 05/08/2014 03:19 AM, Samuel Bercovici wrote:
> Hi,
>
>
>
> Please note as commented also by other XaaS services that managing SSL
> certificates is not a sole LBaaS challenge.
>
> This calls for either an OpenStack wide service or at least a Neutron
> wide service to implement such use cases.
>
>
>
> So it here are the options as far as I have seen so far.
>
> 1. Barbican as a central service to store and retrieve SSL
> certificates. I think the Certificates generation is currently a lower
> priority requirement
>
> 2. Using Heat as a centralized service
>
> 3. Implementing such service in Neutron
>
> 4. LBaaS private implementation
>
>
>
> BTW, on all the options above, Barbican can optionally be used to store
> the certificates or the private part of the certificates.
It's really just private keys you need to be concerned about, not
certificates themselves (which are really just a signed public key plus
other public data like the subject, issuer, and validity).
>
>
>
> I think that we either follow option 3 if SSL management is only a
> Neutron requirement (LBaaS, VPNaaS, FWaaS) and maybe as a transition
> project to an OpenStack wide solution (1 or 2).
I'd be concerned about implementing a separate service when this clearly
falls into Barbican's target use-cases. We should be moving towards
centralizing security related functionality like this instead of having
multiple implementations of similar functionality.
>
> Option 1 or 2 might be the ultimate goal.
I think 1 should be the ultimate goal. Barbican is designed for
securely storing keys, which is exactly what you are trying to do.
Thanks,
-NGK
>
>
>
> Regards,
>
> -Sam.
>
>
>
>
>
>
>
>
>
>
>
> *From:*Clark, Robert Graham [mailto:robert.clark at hp.com]
> *Sent:* Thursday, May 08, 2014 12:43 PM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert
> implementation for LBaaS and VPN
>
>
>
> The certificate management that LBaaS requires might be slightly
> different to the normal flow of things in OpenStack services, after all
> you are talking about externally provided certificates and private keys.
>
>
>
> There’s already a standard for a nice way to bundle those two elements
> together, it’s described in PKCS#12 and you’ve likely come across it in
> the form of ‘.pfx’ files. I’d suggest that perhaps it would make sense
> for LBaaS to store pfx files in the LBaaS DB and store the key for the
> pfx files in Barbican. You could probably store them together in
> Barbican, using containers if you really wanted to
> (https://blueprints.launchpad.net/barbican/+spec/crud-endpoints-secret-container)
>
>
>
>
> -Rob
>
>
>
> *From:*Carlos Garza [mailto:carlos.garza at rackspace.com]
> *Sent:* 08 May 2014 04:30
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert
> implementation for LBaaS and VPN
>
>
>
>
>
> On May 7, 2014, at 10:53 AM, Samuel Bercovici <SamuelB at Radware.com
> <mailto:SamuelB at Radware.com>> wrote:
>
>
>
> Hi John,
>
>
>
> If the user already has an SSL certificate that was acquired outside
> of the barbican Ordering system, how can he store it securely in
> Barbican as a SSL Certificate?
>
> The Container stored this information in a very generic way, I think
> that there should be an API that formalizes a specific way in which
> SSL certificates can be stored and read back as SSL Certificates and
> not as loosely coupled container structure.
>
> This such API should have RBAC that allows getting back only the
> public part of an SSL certificate vs. allowing to get back all the
> details of the SSL certificate.
>
>
>
> Why the need for that complexity? The X509s are public by nature and
> don't need to be stored in Barbican so there isn't really a private part
> of the certificate. The actual private key itself is what needs to be
> secured so I would advocate that the private key is what will be stored
> in barbican. I also think we should also declare that the private key
> need not be an RSA key as x509 supports other asymmetric encryption
> types so storing as a generic blob in barbican is probably a good idea.
>
>
>
>
>
>
>
>
>
>
>
> -Sam.
>
>
>
>
>
>
>
> *From:* John Wood [mailto:john.wood at RACKSPACE.COM
> <http://RACKSPACE.COM>]
> *Sent:* Thursday, May 01, 2014 11:28 PM
> *To:* OpenStack Development Mailing List (not for usage questions);
> os.vbvs at gmail.com <mailto:os.vbvs at gmail.com>
> *Subject:* Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL
> cert implementation for LBaaS and VPN
>
>
>
> Hello Samuel,
>
>
>
> Just noting that the link below shows current-state Barbican. We are
> in the process of designing SSL certificate support for Barbican via
> blueprints such as this
> one: https://wiki.openstack.org/wiki/Barbican/Blueprints/ssl-certificates
>
> We intend to discuss this feature in Atlanta to enable coding in
> earnest for Juno.
>
>
>
> The Container resource is intended to capture/store the final
> certificate details.
>
>
>
> Thanks,
>
> John
>
>
>
>
>
> ------------------------------------------------------------------------
>
> *From:* Samuel Bercovici [SamuelB at Radware.com
> <mailto:SamuelB at Radware.com>]
> *Sent:* Thursday, May 01, 2014 12:50 PM
> *To:* OpenStack Development Mailing List (not for usage
> questions); os.vbvs at gmail.com <mailto:os.vbvs at gmail.com>
> *Subject:* Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL
> cert implementation for LBaaS and VPN
>
> Hi Vijay,
>
>
>
> I have looked at the Barbican APIs
> –https://github.com/cloudkeep/barbican/wiki/Application-Programming-Interface
>
> I was no able to see a “native” API that will accept an SSL
> certificate (private key, public key, CSR, etc.) and will store it.
>
> We can either store the whole certificate as a single file as a
> secret or use a container and store all the certificate parts as
> secrets.
>
>
>
> I think that having LBaaS reference Certificates as IDs using some
> service is the right way to go so this might be achived by either:
>
> 1. Adding to Barbican and API to store / generate certificates
>
> 2. Create a new “module” that might start by being hosted in
> neutron or keystone that will allow to manage certificates and will
> use Barbican behind the scenes to store them.
>
> 3. Decide on a container structure to use in Babican but
> implement the way to access and arrange it as a neutron library
>
>
>
> Was any decision made on how to proceed?
>
>
>
> Regards,
>
> -Sam.
>
>
>
>
>
>
>
>
>
> *From:* Vijay B [mailto:os.vbvs at gmail.com]
> *Sent:* Wednesday, April 30, 2014 3:24 AM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* [openstack-dev] [Neutron] [LBaaS][VPN] SSL cert
> implementation for LBaaS and VPN
>
>
>
> Hi,
>
>
>
> It looks like there are areas of common effort in multiple efforts
> that are proceeding in parallel to implement SSL for LBaaS as well
> as VPN SSL in neutron.
>
>
>
> Two relevant efforts are listed below:
>
>
>
>
>
> https://review.openstack.org/#/c/74031/
> (https://wiki.openstack.org/wiki/Neutron/LBaaS/SSL)
>
>
>
> https://review.openstack.org/#/c/58897/
> (https://blueprints.launchpad.net/openstack/?searchtext=neutron-ssl-vpn)
>
>
>
>
>
>
>
> Both VPN and LBaaS will use SSL certificates and keys, and this
> makes it better to implement SSL entities as first class citizens in
> the OS world. So, three points need to be discussed here:
>
>
>
> 1. The VPN SSL implementation above is putting the SSL cert content
> in a mapping table, instead of maintaining certs separately and
> referencing them using IDs. The LBaaS implementation stores
> certificates in a separate table, but implements the necessary
> extensions and logic under LBaaS. We propose that both these
> implementations move away from this and refer to SSL entities using
> IDs, and that the SSL entities themselves are implemented as their
> own resources, serviced either by a core plugin or a new SSL plugin
> (assuming neutron; please also see point 3 below).
>
>
>
> 2. The actual data store where the certs and keys are stored should
> be configurable at least globally, such that the SSL plugin code
> will singularly refer to that store alone when working with the SSL
> entities. The data store candidates currently are Barbican and a sql
> db. Each should have a separate backend driver, along with the
> required config values. If further evaluation of Barbican shows that
> it fits all SSL needs, we should make it a priority over a sqldb driver.
>
>
>
> 3. Where should the primary entries for the SSL entities be stored?
> While the actual certs themselves will reside on Barbican or SQLdb,
> the entities themselves are currently being implemented in Neutron
> since they are being used/referenced there. However, we feel that
> implementing them in keystone would be most appropriate. We could
> also follow a federated model where a subset of keys can reside on
> another service such as Neutron. We are fine with starting an
> initial implementation in neutron, in a modular manner, and move it
> later to keystone.
>
>
>
>
>
> Please provide your inputs on this.
>
>
>
>
>
> Thanks,
>
> Regards,
>
> Vijay
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
More information about the OpenStack-dev
mailing list