On 08/09/2016 05:11 PM, Adam Young wrote:
The Fernet token format uses a symmetric key to sign tokens. In order
to check the signature, these keys need to be synchronized across all
of the Keystone servers.
I don't want to pass around naked symmetric keys. The right way to do
this is to put them into a PKCS 11 Envelope. Roughly, this:
1. Each server generates a keypair and sends the public key to the
undercloud
2. undercloud generates a Fernet key
3. Undercloud puts the Fernet token into a PKCS11 document signed
with the overcloud node's public key
4. Undercloud posts the PKCS11 data to metadata
Sorry, PKCS12. Not 11.
5. os-*config Node downloads and stores the proper PKCS11 data
6. Something unpacks the pkcs11 data and puts the key into the
Fernet key store
That last step needs to make use of the keystone-manage fernet_rotate
command.
How do we go about making this happen? The key rotations should be
scheduled infrequently; let me throw out monthly as a starting point
for the discussion, although that is probably way too frequent. How
do we schedule this? Is this a new stack that depends on the Keystone
role?
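The six-step flow above, as an added example that is not part of Adam's post or of any OpenStack project code. It uses only Go's standard library and substitutes an RSA-OAEP wrap for the PKCS#12 envelope the post proposes (an assumption made to keep the example self-contained); the OAEP label, the 2048-bit key size and the temporary repository path are constructed for the example. What it shows is the property the post is after: the Fernet key is only ever in the clear on the undercloud and on the node whose private key opens the envelope, and it lands in the key repository as key `0`, the staged slot that `keystone-manage fernet_rotate` promotes to primary on the next rotation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// oaepLabel is a constructed, fixed OAEP label that binds the envelope to its purpose.
var oaepLabel = []byte("keystone-fernet-key")

// Step 1 (each Keystone node): generate a keypair. Only the public key is
// sent to the undercloud; the private key never leaves the node.
func GenerateNodeKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Step 2 (undercloud): a Fernet key is 32 random bytes, url-safe base64
// encoded, which is exactly what a file in Keystone's key repository holds.
func GenerateFernetKey() ([]byte, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return []byte(base64.URLEncoding.EncodeToString(raw)), nil
}

// IsValidFernetKey checks that a key decodes to exactly 32 bytes.
func IsValidFernetKey(key []byte) bool {
	raw, err := base64.URLEncoding.DecodeString(string(key))
	return err == nil && len(raw) == 32
}

// Step 3 (undercloud): wrap the Fernet key to one node's public key with
// RSA-OAEP, so only that node can open the envelope. The result is what
// gets posted to metadata in step 4; the key itself is never posted.
func WrapFernetKey(pub *rsa.PublicKey, fernetKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fernetKey, oaepLabel)
}

// Step 6 (node): unwrap with the node's private key and validate the result
// before anything is written to the key repository.
func UnwrapFernetKey(priv *rsa.PrivateKey, envelope []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, envelope, oaepLabel)
	if err != nil {
		return nil, err
	}
	if !IsValidFernetKey(key) {
		return nil, errors.New("envelope did not contain a well-formed Fernet key")
	}
	return key, nil
}

// InstallStagedKey writes the key into a Keystone-style repository as key "0",
// the staged slot that `keystone-manage fernet_rotate` later promotes to primary.
// The file is 0600 and installed via rename so a half-written key is never read.
func InstallStagedKey(repo string, fernetKey []byte) error {
	if err := os.MkdirAll(repo, 0o700); err != nil {
		return err
	}
	tmp := filepath.Join(repo, ".0.tmp")
	if err := os.WriteFile(tmp, fernetKey, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, filepath.Join(repo, "0"))
}

func main() {
	node, err := GenerateNodeKeypair()
	if err != nil {
		panic(err)
	}
	key, _ := GenerateFernetKey()
	envelope, _ := WrapFernetKey(&node.PublicKey, key)
	fmt.Printf("envelope: %d bytes (this is what metadata carries, not the key)\n", len(envelope))
	got, err := UnwrapFernetKey(node, envelope)
	if err != nil {
		panic(err)
	}
	repo, _ := os.MkdirTemp("", "fernet-keys") // constructed stand-in for Keystone's key repository
	if err := InstallStagedKey(repo, got); err != nil {
		panic(err)
	}
	fmt.Println("staged key installed at", filepath.Join(repo, "0"))
}
```

Each node gets its own envelope, wrapped to that node's public key, so a node that obtains another node's envelope from metadata learns nothing; and because the node writes only to slot `0`, the existing primary key keeps validating tokens until the scheduled `fernet_rotate` promotes the staged key across the fleet.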
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
[email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev