[openstack-dev] [tripleo] Fernet Key rotation

Adam Young ayoung at redhat.com
Tue Aug 9 21:11:42 UTC 2016


The Fernet token format uses a symmetric key to sign tokens.  In order 
to check the signature, these keys need to be synchronized across all of 
the Keystone servers.


I don't want to pass around naked symmetric keys.  The right way to do 
this is to put them into a PKCS 11 Envelope.  Roughly, this:


1.  Each server generates a keypair and sends the public key to the 
undercloud

2.  undercloud generates a Fernet key

3.  Undercloud puts the Fernet token into a PKCS11 document signed with 
the overcloud node's public key

4.  Undercloud posts the PKCS11 data to metadata

5.  os-*config Node downloads and stores the proper PKCS11 data

6.  Something unpacks the PKCS11 data and puts the key into the Fernet 
key store

That last step needs to make use of the keystone-manage fernet_rotate 
command.


How do we go about making this happen?  The key rotations should be 
scheduled infrequently; let me throw out monthly as a starting point for 
the discussion, although that is probably way too frequent.  How do we 
schedule this?  Is this a new stack that depends on the Keystone role?
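What step 6 would have to do once the enveloped key has been unwrapped on the node, as an added Python example that is not part of Adam's post nor of TripleO or Keystone code. It assumes a key repository laid out the way Keystone's Fernet store is (file `0` is the staged key, the highest-numbered file is the primary key used to sign new tokens, the rest are secondaries kept only to validate older tokens), and it mirrors the promote-and-purge semantics of `keystone-manage fernet_rotate` in plain file operations so the effect of a rotation can be seen. The unwrapping of the envelope itself (steps 1 to 5) is not shown; `UNDERCLOUD_KEY` stands in for the key that would come out of it and is a constructed value. The function and constant names are this example's own.

```python
import base64
import os
import tempfile

# Index of the staged key file.  Assumption: same layout as Keystone's
# fernet key repository (0 = staged, max index = primary, others = secondary).
STAGED = 0

# Constructed stand-in for the key unwrapped from the undercloud's envelope.
UNDERCLOUD_KEY = base64.urlsafe_b64encode(b"\x01" * 32)


def new_fernet_key():
    """A Fernet key is 32 random bytes, urlsafe-base64 encoded (44 chars)."""
    return base64.urlsafe_b64encode(os.urandom(32))


def list_keys(repo):
    """Return {index: key_bytes} for every numeric file in the repository."""
    keys = {}
    for name in os.listdir(repo):
        if name.isdigit():
            with open(os.path.join(repo, name), "rb") as f:
                keys[int(name)] = f.read().strip()
    return keys


def _write_key(repo, index, key):
    """Write key material owner-only (0600); it must never be world-readable."""
    path = os.path.join(repo, str(index))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)


def init_repo(repo):
    """Fresh repository: a staged key 0 and a primary key 1."""
    os.makedirs(repo, mode=0o700, exist_ok=True)
    _write_key(repo, STAGED, new_fernet_key())
    _write_key(repo, 1, new_fernet_key())


def install_staged_key(repo, key):
    """Step 6 of the thread: the unwrapped key replaces the locally generated
    staged key, so every Keystone node stages the same key before rotating.
    The key is checked for the Fernet shape before it is written."""
    if len(key) != 44 or len(base64.urlsafe_b64decode(key)) != 32:
        raise ValueError("not a Fernet key")
    _write_key(repo, STAGED, key)


def rotate(repo, max_active_keys=3):
    """Promote-and-purge, as fernet_rotate does: staged key 0 becomes the new
    primary (max index + 1), a fresh key 0 is staged, and the oldest
    secondaries are removed so at most max_active_keys files remain."""
    keys = list_keys(repo)
    if STAGED not in keys:
        raise RuntimeError("no staged key; repository is not initialised")
    new_primary = max(keys) + 1
    os.rename(os.path.join(repo, str(STAGED)),
              os.path.join(repo, str(new_primary)))
    _write_key(repo, STAGED, new_fernet_key())
    # Keep key 0 plus the (max_active_keys - 1) highest-numbered keys.
    active = sorted(k for k in list_keys(repo) if k != STAGED)
    excess = len(active) - (max_active_keys - 1)
    for old in active[:max(excess, 0)]:
        os.remove(os.path.join(repo, str(old)))
    return new_primary


def primary_key(repo):
    """The key currently used to sign new tokens."""
    keys = list_keys(repo)
    return keys[max(keys)]


def demo():
    """Run one distribution + two rotations in a temp dir; return what happened."""
    repo = tempfile.mkdtemp()
    init_repo(repo)
    install_staged_key(repo, UNDERCLOUD_KEY)
    first = rotate(repo, max_active_keys=3)
    after_first = sorted(list_keys(repo))
    primary_after_first = primary_key(repo)
    second = rotate(repo, max_active_keys=3)
    after_second = sorted(list_keys(repo))
    return {
        "first_primary": first,
        "keys_after_first": after_first,
        "distributed_key_is_primary": primary_after_first == UNDERCLOUD_KEY,
        "second_primary": second,
        "keys_after_second": after_second,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the walk-through makes visible for the scheduling question: a distributed key only starts signing tokens after the rotation that promotes it, so the unpack step and the rotate step must run on every Keystone node before the next rotation is scheduled; and with `max_active_keys` set to 3, the key from two rotations ago is purged, so a rotation interval has to be longer than the token lifetime or tokens signed with the purged key stop validating.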
