Hi Robert

Thank you for your suggestion.
So your suggestion is to let the OpenVPN process download the key to memory directly from Barbican?

2014-05-01 9:42 GMT-07:00 Clark, Robert Graham <robert.cl...@hp.com>:
> Excuse me interrupting but couldn't you treat the key as largely
> ephemeral, pull it down from Barbican, start the OpenVPN process and
> then purge the key? It would of course still be resident in the memory
> of the OpenVPN process but should otherwise be protected against
> filesystem disk-residency issues.
>
>
>> -----Original Message-----
>> From: Nachi Ueno [mailto:na...@ntti3.com]
>> Sent: 01 May 2014 17:36
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [Neutron] SSL VPN Implemenatation
>>
>> Hi Jarret
>>
>> IMO, Zang point is the issue saving plain private key in the filesystem for
>> OpenVPN.
>> Isn't this same even if we use Barbican?
>>
>>
>> 2014-05-01 2:56 GMT-07:00 Jarret Raim <jarret.r...@rackspace.com>:
>> > Zang mentioned that part of the issue is that the private key has to
>> > be stored in the OpenVPN config file. If the config files are
>> > generated and can be stored, then storing the whole config file in
>> > Barbican protects the private key (and any other settings) without
>> > having to try to deliver the key to the OpenVPN endpoint in some
>> > non-standard way.
>> >
>> >
>> > Jarret
>> >
>> > On 4/30/14, 6:08 PM, "Nachi Ueno" <na...@ntti3.com> wrote:
>> >
>> >>> Jarret
>> >>
>> >>Thanks!
>> >>Currently, the config will be generated on demand by the agent.
>> >>What's merit storing entire config in the Barbican?
>> >>
>> >>> Kyle
>> >>Thanks!
>> >>
>> >>2014-04-30 7:05 GMT-07:00 Kyle Mestery <mest...@noironetworks.com>:
>> >>> On Tue, Apr 29, 2014 at 6:11 PM, Nachi Ueno <na...@ntti3.com> wrote:
>> >>>> Hi Clint
>> >>>>
>> >>>> Thank you for your suggestion. Your point get taken :)
>> >>>>
>> >>>>> Kyle
>> >>>> This is also a same discussion for LBaaS Can we discuss this in
>> >>>> advanced service meeting?
>> >>>>
>> >>> Yes! I think we should definitely discuss this in the advanced
>> >>> services meeting today. I've added it to the agenda [1].
>> >>>
>> >>> Thanks,
>> >>> Kyle
>> >>>
>> >>> [1] https://wiki.openstack.org/wiki/Meetings/AdvancedServices#Agenda_for_next_meeting
>> >>>
>> >>>>> Zang
>> >>>> Could you join the discussion?
>> >>>>
>> >>>>
>> >>>> 2014-04-29 15:48 GMT-07:00 Clint Byrum <cl...@fewbar.com>:
>> >>>>> Excerpts from Nachi Ueno's message of 2014-04-29 10:58:53 -0700:
>> >>>>>> Hi Kyle
>> >>>>>>
>> >>>>>> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mest...@noironetworks.com>:
>> >>>>>> > On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <na...@ntti3.com> wrote:
>> >>>>>> >> Hi Zang
>> >>>>>> >>
>> >>>>>> >> Thank you for your contribution on this!
>> >>>>>> >> The private key management is what I want to discuss in the summit.
>> >>>>>> >>
>> >>>>>> > Has the idea of using Barbican been discussed before? There are many
>> >>>>>> > reasons why using Barbican for this may be better than developing key
>> >>>>>> > management ourselves.
>> >>>>>>
>> >>>>>> No, however I'm +1 for using Barbican. Let's discuss this in
>> >>>>>> certificate management topic in advanced service session.
>> >>>>>>
>> >>>>>
>> >>>>> Just a suggestion: Don't defer that until the summit. Sounds like
>> >>>>> you've already got some consensus, so you don't need the summit
>> >>>>> just to rubber stamp it. I suggest discussing as much as you can
>> >>>>> right now on the mailing list, and using the time at the summit to
>> >>>>> resolve any complicated issues including any "a or b" things that
>> >>>>> need crowd-sourced idea making. You can also use the summit time
>> >>>>> to communicate your requirements to the Barbican developers.
>> >>>>>
>> >>>>> Point is: just because you'll have face time, doesn't mean you
>> >>>>> should use it for what can be done via the mailing list.
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> OpenStack-dev mailing list
>> >>>>> OpenStack-dev@lists.openstack.org
>> >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev