[openstack-dev] [Neutron][LBaaS]TLS API support for authentication

Samuel Bercovici SamuelB at Radware.com
Wed May 28 10:35:44 UTC 2014


This very good news.
Please point to the code review in gerrit.

-Sam.


-----Original Message-----
From: Eichberger, German [mailto:german.eichberger at hp.com] 
Sent: Saturday, May 24, 2014 12:54 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron][LBaaS]TLS API support for authentication

All,

Susanne and I had a demonstration of life code by HP's Barbican team today for certificate storage. The code is submitted for review in the Barbican project.

Barbican will be able to store all the certificate parts (cert, key, pwd) in a secure "container". We will follow up with more details next week -- 

So in short all we need to store in LBaaS is the container-id. The rest will come from Barbican and the user will interact straight with Barbican to upload/manage his certificates, keys, pwd...

This functionality/use case also is considered in the Marketplace / Murano project -- making the need for a central certificate storage in OpenStack a bit more pressing.

German

-----Original Message-----
From: Carlos Garza [mailto:carlos.garza at rackspace.com]
Sent: Friday, May 23, 2014 1:25 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron][LBaaS]TLS API support for authentication

    Right so are you advocating that the front end API never return a private key back to the user once regardless if the key was generated on the back end or sent in to the API from the user? We kind of are already are implying that they can refer to the key via a private key id.


On May 23, 2014, at 9:11 AM, John Dennis <jdennis at redhat.com>
 wrote:

> Using standard formats such as PEM and PKCS12 (most people don't use
> PKCS8 directly) is a good approach.

    We had to deal with PKCS8 manually in our CLB1.0 offering at rackspace. Too many customers complained.

> Be mindful that some cryptographic
> services do not provide *any* direct access to private keys (makes 
> sense, right?). Private keys are shielded in some hardened container 
> and the only way to refer to the private key is via some form of name 
> association.

    Were anticipating referring the keys via a barbican key id which will be named later.


> Therefore your design should never depend on having access to a 
> private key and

    But we need access enough to transport the key to the back end implementation though.

> should permit having the private key stored in some type of secure key 
> storage.

   A secure repository for the private key is already a requirement that we are attempting to meat with barbican.


> --
> John
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list