Excerpts from Vijay Venkatachalam's message of 2013-11-19 05:48:43 -0800:

> Hi Sam, Eugene, & Avishay, et al.,
>
> Today I spent some time creating a write-up for SSL Termination, not exactly a design doc. Please share your comments!
>
> https://docs.google.com/document/d/1tFOrIa10lKr0xQyLVGsVfXr29NQBq2nYTvMkMJ_inbo/edit
>
> I would like comments/discussion especially on the following note:
>
> SSL Termination requires certificate management. The ideal way is to handle this via an independent IAM service. This would take time to implement, so the thought was to add the certificate details in the VIP resource and send them directly to the device. Basically, don't store the certificate key in the DB, thereby avoiding the security concerns of maintaining certificates in the controller.
>
> I would expect the certificates to become an independent resource in future, thereby causing backward compatibility issues.
Perhaps Barbican can be leveraged for this; it seems that it was specifically designed for the use case. Quoting from their README:

Design Goals

1. Provide a central secret-store capable of distributing secret / keying material to all types of deployments including ephemeral Cloud instances.
2. Support reasonable compliance regimes through reporting and auditability.
3. Application adoption costs should be minimal or non-existent.
4. Build a community and ecosystem by being open-source and extensible.
5. Improve security through sane defaults and centralized management of policies for all secrets.
6. Out of band communication mechanism to notify and protect sensitive assets.

https://github.com/stackforge/barbican

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
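The two designs discussed in this thread, key material forwarded straight to the device without touching the controller DB versus a Barbican-style reference to a central secret store, as an added Python example. This is not code from the thread, from Neutron LBaaS or from Barbican; the VIP field names (`ssl`, `private_key`, `certificate`, `certificate_ref`), the secret-reference URL shape and the PEM sample data are constructed assumptions used to show how a controller can refuse to persist private keys.

```python
"""Guarding a load-balancer VIP resource against private-key material
landing in the controller database (hypothetical helper, not project code)."""
import copy
import re

# Header of any PEM-encoded private key block (PKCS#1, PKCS#8, EC, encrypted).
PEM_PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Assumed shape of a secret reference handed out by a Barbican-style store.
SECRET_REF = re.compile(r"^https://[^/\s]+/v1/secrets/[0-9a-f-]{36}$")


def find_private_keys(obj, path="vip"):
    """Walk a nested resource and return the dotted path of every string
    field that holds PEM private-key material."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_private_keys(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_private_keys(value, f"{path}[{index}]"))
    elif isinstance(obj, str) and PEM_PRIVATE_KEY_HEADER.search(obj):
        hits.append(path)
    return hits


def strip_private_keys(obj):
    """Return a copy of the resource with every private-key field set to None."""
    if isinstance(obj, dict):
        return {k: strip_private_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [strip_private_keys(v) for v in obj]
    if isinstance(obj, str) and PEM_PRIVATE_KEY_HEADER.search(obj):
        return None
    return obj


def split_for_device_and_db(vip):
    """Interim design from the thread: the full resource (key included) goes
    to the device payload; the DB record keeps everything except the key."""
    device_payload = copy.deepcopy(vip)
    db_record = strip_private_keys(vip)
    return db_record, device_payload


def validate_vip_with_secret_store(vip):
    """Secret-store design: inline key material is rejected outright and an
    SSL-enabled VIP must carry a reference into the secret store instead."""
    leaks = find_private_keys(vip)
    if leaks:
        raise ValueError("private key material must not reach the controller DB: "
                         + ", ".join(leaks))
    ssl = vip.get("ssl")
    if ssl is not None and not SECRET_REF.match(ssl.get("certificate_ref", "")):
        raise ValueError("ssl.certificate_ref must be a secret-store reference")
    return True


# Constructed sample data; the key body is a placeholder, not a real key.
FAKE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEpAIBAAKCAQEAconstructedplaceholder\n"
            "-----END RSA PRIVATE KEY-----\n")
VIP_INLINE = {"name": "web-vip", "port": 443,
              "ssl": {"certificate": "-----BEGIN CERTIFICATE-----\n...\n"
                                     "-----END CERTIFICATE-----\n",
                      "private_key": FAKE_KEY}}
VIP_WITH_REF = {"name": "web-vip", "port": 443,
                "ssl": {"certificate_ref": "https://barbican.example.test/v1/"
                                           "secrets/0f4b2c9e-1a2b-4c3d-8e9f-0a1b2c3d4e5f"}}

if __name__ == "__main__":
    db, dev = split_for_device_and_db(VIP_INLINE)
    print("DB record holds key:", db["ssl"]["private_key"] is not None)
    print("device payload holds key:", dev["ssl"]["private_key"] is not None)
    print("secret-store VIP valid:", validate_vip_with_secret_store(VIP_WITH_REF))
    try:
        validate_vip_with_secret_store(VIP_INLINE)
    except ValueError as exc:
        print("inline key rejected:", exc)
```

The walk is recursive rather than tied to one field so that a key smuggled into any nested attribute (an extra `ssl` sub-object, a list of certificates) is caught before the resource is persisted; the same scan can be run on audit logs or API dumps to confirm nothing leaked.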
