Hi Simon,

> I am currently looking at possibilities to manage the secrets in OpenXPKI and
> there are various places where the usage of KeyNanny is being suggested. From
> what I understand from the KeyNanny Quickstart guide, it is supposed to run
> under Red Hat Linux, although the OpenXPKI guide recommends Debian.
>
> I built the rpm package and tried installing it using Alien, but that seems
> to fail. Is it possible to use KeyNanny on Debian 8?

I am the guy who wrote KeyNanny. When I did so, my primary goal was actually to integrate it with OpenXPKI because one of our customers had a strict policy of not having cleartext passwords anywhere in the file system. I think KeyNanny beautifully solves this problem (in particular if backed by an HSM), and it also solves the problem of exchanging passwords between support groups.

That said, KeyNanny and OpenXPKI work great together; we have a large productive installation of the combo at a customer running both together without problems since 2014.

KeyNanny was developed on and for RPM based systems, as the primary target environment with its OpenXPKI installation is RPM-based. Up to now there was no requirement to package it for Debian or Ubuntu.

KeyNanny itself is platform independent and will work on a number of Linux distributions. However, integration with startup scripts/systems is sometimes required or desirable, in particular if subsystems without direct KeyNanny support shall use KeyNanny (e.g. like the Apache example). In the latter case, the startup scripts in the KeyNanny distribution use the approach of creating a RAM Disk and rendering the subsystem's config file with the password taken from KeyNanny on the RAM Disk. This is done in the startup script, outside of KeyNanny. It is absolutely possible to do the same in Debian or Ubuntu, but, again, nobody asked for this yet.

As you know, the OpenXPKI Community Edition is distributed for Debian. Our OpenXPKI "Enterprise Edition", however, is packaged for the major distributions (RedHat RHEL, SuSE SLES, Ubuntu 18 LTS) by our company White Rabbit Security. In all our previous installations, KeyNanny was always coupled with the OpenXPKI Enterprise Edition on an RPM based system.

Bottom line, if you wish to get OpenXPKI CE running with KeyNanny there are several options:

- somehow install KeyNanny on the target platform (Alien or barebone install without packaging)
- create Debian packages yourself (we'd appreciate pull requests, of course)
- get in touch with White Rabbit Security to discuss possible solutions

Best regards,

Martin
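
The RAM disk approach described in the message above (render a subsystem's config file, with the password filled in, onto a RAM disk from the startup script), as an added example for a Debian-style startup script; it is not part of the original message and not code from the KeyNanny distribution. `fetch_secret` is a hypothetical stand-in for the KeyNanny retrieval call, and the `@PASSWORD@` placeholder and the `REQUIRE_RAMDISK` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: render a config file containing a secret onto a RAM disk at
# service start, so the cleartext never lands on persistent storage.

# HYPOTHETICAL stand-in for the KeyNanny client call; replace with the real
# retrieval command of your installation. The value below is constructed.
fetch_secret() {
    printf '%s\n' 'p&ss/w\0rd$1'
}

# True if directory $1 is on tmpfs/ramfs (uses GNU stat, as found on Debian).
is_ramdisk() {
    case $(stat -f -c %T "$1" 2>/dev/null) in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# render_config TEMPLATE OUTDIR NAME
# Replaces every literal @PASSWORD@ in TEMPLATE and writes OUTDIR/NAME (0600).
render_config() {
    template=$1 outdir=$2 name=$3
    if [ "${REQUIRE_RAMDISK:-1}" = 1 ] && ! is_ramdisk "$outdir"; then
        echo "refusing: $outdir is not a RAM disk" >&2; return 1
    fi
    secret=$(fetch_secret) || return 1
    nl='
'
    case $secret in
        ''|*"$nl"*) echo "secret empty or multi-line" >&2; return 1 ;;
    esac
    (
        umask 077                       # nothing created here is group/world readable
        tmp=$(mktemp "$outdir/.render.XXXXXX") || exit 1
        # Secret goes to awk on stdin (shell builtin printf: not in argv or
        # environment); index/substr give a literal, escape-free replacement.
        if printf '%s\n' "$secret" | awk -v ph='@PASSWORD@' '
            NR == FNR { secret = $0; next }
            {
                out = ""
                while ((i = index($0, ph)) > 0) {
                    out = out substr($0, 1, i - 1) secret
                    $0 = substr($0, i + length(ph))
                }
                print out $0
            }' - "$template" > "$tmp"
        then mv -f "$tmp" "$outdir/$name"   # atomic within one filesystem
        else rm -f "$tmp"; exit 1
        fi
    )
}
```

A startup script would mount a tmpfs, call `render_config` with the service's template, and point the service at the rendered file; the template on disk holds only the placeholder.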
