[openstack-dev] [tripleo] Fernet Key rotation

Adam Young ayoung at redhat.com
Wed Aug 10 14:14:16 UTC 2016


On 08/09/2016 05:11 PM, Adam Young wrote:
> The Fernet token format uses a symmetric key to sign tokens.  In order 
> to check the signature, these keys need to be synchronized across all 
> of the Keystone servers.
>
>
> I don't want to pass around naked symmetric keys.  The right way to do 
> this is to put them into a PKCS 11 Envelope.  Roughly, this:
>
>
> 1.  Each server generates a keypair and sends the public key to the 
> undercloud
>
> 2.  undercloud generates a Fernet key
>
> 3.  Undercloud puts the Fernet token into a PKCS11 document signed 
> with the overcloud node's public key
>
> 4.  Undercloud posts the PKCS11 data to metadata
Sorry, PKCS12.  Not 11.

>
> 5.  os-*config Node downloads and stores the proper PKCS11 data
>
> 6.  Something unpacks the pkcs11 data and puts the key into the 
> Fernet key store
>
> That last step needs to make use of the keystone-manage fernet_rotate 
> command.
>
>
> How do we go about making this happen?  The key rotations should be 
> scheduled infrequently; let me throw out monthly as a starting point 
> for the discussion, although that is probably way too frequent.  How 
> do we schedule this?  Is this a new stack that depends on the Keystone 
> role?
>
>
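The install-and-rotate tail of the proposal (steps 5 and 6 plus the fernet_rotate step), as an added Python model that is not code from this thread, Keystone or TripleO. It assumes Keystone's key repository layout (integer file names, "0" is the staged key, the highest number is the primary, max_active_keys bounds the count) and departs from keystone-manage fernet_rotate in one assumed way: the fresh staged key is handed in by the undercloud rather than generated locally, so every node ends up with an identical repository; the PKCS12 unwrapping is not shown, the key arrives already unwrapped.

```python
import base64, os, tempfile
from pathlib import Path

def generate_fernet_key() -> bytes:
    # A Fernet key is 32 random bytes, urlsafe-base64 encoded.
    return base64.urlsafe_b64encode(os.urandom(32))

def is_valid_fernet_key(key: bytes) -> bool:
    try:
        return len(base64.urlsafe_b64decode(key)) == 32
    except (ValueError, TypeError):
        return False

def list_keys(repo: str) -> dict:
    # Repository layout: files named 0, 1, 2, ...; "0" is staged, highest is primary.
    return {int(p.name): p.read_bytes() for p in Path(repo).iterdir() if p.name.isdigit()}

def install_staged_key(repo: str, key: bytes) -> None:
    # Step 6: install the unwrapped key as staged "0", mode 0600, via temp file + rename.
    if not is_valid_fernet_key(key):
        raise ValueError("not a Fernet key")
    os.makedirs(repo, mode=0o700, exist_ok=True)
    tmp = os.path.join(repo, ".0.tmp")
    with os.fdopen(os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "wb") as f:
        f.write(key)
    os.replace(tmp, os.path.join(repo, "0"))

def rotate(repo: str, next_staged: bytes, max_active_keys: int = 3) -> dict:
    # Mirrors keystone-manage fernet_rotate: promote staged "0" to primary, stage a
    # fresh key, purge the oldest beyond max_active_keys. Assumed: fresh key from undercloud.
    keys = list_keys(repo)
    if 0 not in keys:
        raise RuntimeError("no staged key to promote")
    os.replace(os.path.join(repo, "0"), os.path.join(repo, str(max(keys) + 1)))
    install_staged_key(repo, next_staged)
    keys = list_keys(repo)
    for old in sorted(k for k in keys if k != 0)[:max(0, len(keys) - max_active_keys)]:
        os.remove(os.path.join(repo, str(old)))
    return list_keys(repo)

def simulate(node_count: int = 3, rounds: int = 4, max_active_keys: int = 3):
    # Constructed scenario: one undercloud-generated key per round, installed on every node.
    with tempfile.TemporaryDirectory() as root:
        repos = [os.path.join(root, f"node{i}") for i in range(node_count)]
        first = generate_fernet_key()
        for r in repos:
            install_staged_key(r, first)
        states = [list_keys(r) for r in repos]
        for _ in range(rounds):
            fresh = generate_fernet_key()
            states = [rotate(r, fresh, max_active_keys) for r in repos]
        # Returns (all repositories identical, sorted key ids on node 0).
        return all(s == states[0] for s in states), sorted(states[0])
```

Because the staged key is shared, a token signed by any node's primary validates on every other node, which is the synchronization requirement the first paragraph describes.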