Hi Pawel, Am 11.09.2014 um 12:37 schrieb Pawel Tomulik:
> https://openxpki.readthedocs.org/en/latest/reference/configuration/realm.html#crypto-layer > > As I understand, the docs say: > > 1. Literal secrets provide no safety at all You inherit the security of your operating system - with a a stock setup that means that anybody with root access (or hardware access!) can extract your private tokens. > 2. Plain secrets require operator's intervention after every reboot, for > each realm. Yes. > 3. Split secrets are not implemented? Split secrets are implemented, but the "split" here does not refer to cover multiple realms but to have multiple password parts for a single token. > I have currently 12 realms, is there a way to be on the relatively safe > and survive daemon reboots without need to log into each of 12 realms > evertime? I don't assume that my daemons will have 1000 day uptime, for > example I may need to stop them everynight to make a consistent system > backup. OXI "inline" there is no method to share a secret for now. But we have a nice OSS product that might be what you are looking for =) Its called Keynanny and it is currently rolled out at another customer. We use it there to protected database and ldap credentials and seamlessly it fits into the config system of OXI. I dont have a package nor an easy "how to" guide - I hope it will hit the public till the next two or three month, if you need it faster you either need to spend some manual work or might consider to get commercial support to get it implemented. > Am I right, that "Your system is critical" message suggest me, that > without signer's secret available, the whole machinery actually doesn't > work (automatic CRL updates/issuance for example?). Yes - no secret means no private key ops, so no certificates or CRLs (and in case of a protected SCEP token even no SCEP operation!). However, the system will not crash, but put the workflows on hold until the token is available and retry it for a configured period of time (look at the retry* paramaters in the workflows action definition). Oli -- Protect your environment - close windows and adopt a penguin!
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Want excitement? Manually upgrade your production database. When you want reliability, choose Perforce Perforce version control. Predictably reliable. http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
