Re: [DISCUSS][PROPOSAL] CA authority plugin definition
I’d suggest taking a look at using Dogtag[1] as well. Actually, that’s what the Other Guys also suggest[2].

1: http://pki.fedoraproject.org/wiki/PKI_Main_Page
2: https://wiki.openstack.org/wiki/PKI

> On Apr 14, 2017, at 7:57 AM, Simon Weller <swel...@ena.com> wrote:
>
> Daan,
>
> What about integrating some like Vault (https://github.com/hashicorp/vault)?
>
> - Si
Re: [DISCUSS][PROPOSAL] CA authority plugin definition
Yeah, I agree it would be better as a plugin. We feel a big thing missing in ACS right now is a KMS style service.

From: Daan Hoogland <daan.hoogl...@shapeblue.com>
Sent: Friday, April 14, 2017 10:05 AM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS][PROPOSAL] CA authority plugin definition

> Simon, I can think of use cases for that and it is an interesting topic. I can also see it as being implemented in a CA-plugin. I do not think it should be in the base of this framework though. That would complicate cloudstack for simple users too much I think. On the other hand, it would have more use cases than just for CA-plugins (fantasy running now)
Re: [DISCUSS][PROPOSAL] CA authority plugin definition
Simon, I can think of use cases for that and it is an interesting topic. I can also see it as being implemented in a CA-plugin. I do not think it should be in the base of this framework though. That would complicate cloudstack for simple users too much I think. On the other hand, it would have more use cases than just for CA-plugins (fantasy running now)

On 14/04/17 16:57, "Simon Weller" <swel...@ena.com> wrote:

> Daan,
>
> What about integrating some like Vault (https://github.com/hashicorp/vault)?
>
> - Si

daan.hoogl...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
Re: [DISCUSS][PROPOSAL] CA authority plugin definition
Daan,

What about integrating some like Vault (https://github.com/hashicorp/vault)?

- Si

From: Daan Hoogland <daan.hoogl...@shapeblue.com>
Sent: Friday, April 14, 2017 5:46 AM
To: dev@cloudstack.apache.org
Subject: [DISCUSS][PROPOSAL] CA authority plugin definition
[DISCUSS][PROPOSAL] CA authority plugin definition
Devs,

Following a discussion with a client they came up with the idea to create a pluggable CA-framework. A plugin would serve components in cloudstack that so require (management servers, agents, load balancers, SVMs, etc.) with certificates, answering certificate requests and validating certificates on request.

A default plugin can be written that serves according to its own self-signed root certificate and has its own revocation list to be managed by the admin. Other plugins could forward requests by mail or web to external parties.

A CA-plugin will have to:

- Setup: for the default this means creating its certificate; for others it might mean installing an intermediate certificate or configuring a mail or website address.
- Accept and answer certificate requests
  o For client certificates
  o For server certificates
- Accept revocation requests
- Validate a connection request according to origin, certificate and extra data. What that extra data is, is defined by the plugin and can be credentials or field definitions referring to the x509 entries or, for instance, port numbers allowed… this is basically free to the implementer.

A next step will have to be integrating the request calls with installs on targets, but I think as is this feature merits itself, as it could be used with out-of-band configuration management tools as well.

Any thoughts, remarks and critiques are welcome,

daan.hoogl...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue
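Added illustration, not code from this thread or from CloudStack (which is Java; this is Go so it runs stand-alone on the standard library): one way the "default plugin" sketched above could behave, covering the four operations listed: setup (a self-signed root), answering CSRs for client and server certificates, accepting revocations into an admin-managed list, and validating a connection request by certificate plus origin. Everything named here is an assumption made for the example: RootCA, NewRootCA, Sign, Revoke, Validate, the CN "cloudstack-root-ca (example)", the agent "kvm-agent-01" and the addresses 10.1.1.25 / 10.1.1.99. The "extra data" the proposal leaves to the implementer is, in this example, the peer's source IP, which must appear in the certificate's IP SANs; the revocation list is kept in memory rather than published as a CRL. The example goes slightly beyond the text in two places a practitioner would expect: the CSR signature is checked before signing (proof of key possession), and each leaf is pinned to exactly one extended key usage so a client certificate cannot be replayed as a server one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The proposal's two request types, expressed as the extended key usage each pins.
const (
	ClientCert = x509.ExtKeyUsageClientAuth
	ServerCert = x509.ExtKeyUsageServerAuth
)

// RootCA plays the proposal's default plugin (hypothetical name): its own self-signed
// root plus an admin-managed revocation list, kept in memory for the example.
type RootCA struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	revoked map[string]time.Time // decimal serial -> revocation time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewRootCA is the "setup" step: generate the root key and self-signed certificate.
func NewRootCA() *RootCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cloudstack-root-ca (example)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &RootCA{key: key, cert: must(x509.ParseCertificate(der)), revoked: map[string]time.Time{}}
}

// Sign answers a CSR: verify its signature (proof of key possession), then issue a
// leaf with a random 64-bit serial, pinned to one extended key usage, never a CA.
func (ca *RootCA) Sign(csr *x509.CertificateRequest, kind x509.ExtKeyUsage, ttl time.Duration) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      csr.Subject, DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{kind},
		BasicConstraintsValid: true, // IsCA stays false: a leaf cannot mint further certificates
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke is the admin-facing revocation request.
func (ca *RootCA) Revoke(serial *big.Int) { ca.revoked[serial.String()] = time.Now() }

// Validate checks chain, key usage and revocation, then the plugin's "extra data":
// here the peer's source address, which must be among the certificate's IP SANs.
func (ca *RootCA) Validate(cert *x509.Certificate, kind x509.ExtKeyUsage, origin net.IP) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{kind}}); err != nil {
		return err
	}
	if _, gone := ca.revoked[cert.SerialNumber.String()]; gone {
		return fmt.Errorf("certificate %s revoked", cert.SerialNumber)
	}
	for _, ip := range cert.IPAddresses {
		if ip.Equal(origin) {
			return nil
		}
	}
	return fmt.Errorf("origin %s not among certificate IP SANs", origin)
}

// newCSR stands in for a requesting component (an agent): it keeps its own private
// key and sends only the CSR to the CA.
func newCSR(cn string, ips []net.IP) *x509.CertificateRequest {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, IPAddresses: ips}
	return must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
}

// Lifecycle runs the flow once on constructed sample data; nil means accepted.
func Lifecycle() (fresh, wrongOrigin, wrongKind, revoked error) {
	ca := NewRootCA()
	agentIP := net.ParseIP("10.1.1.25") // constructed: a KVM agent's address
	cert := must(ca.Sign(newCSR("kvm-agent-01", []net.IP{agentIP}), ServerCert, 24*time.Hour))
	fresh = ca.Validate(cert, ServerCert, agentIP)
	wrongOrigin = ca.Validate(cert, ServerCert, net.ParseIP("10.1.1.99"))
	wrongKind = ca.Validate(cert, ClientCert, agentIP) // server cert presented as a client cert
	ca.Revoke(cert.SerialNumber)
	return fresh, wrongOrigin, wrongKind, ca.Validate(cert, ServerCert, agentIP)
}
```

Lifecycle returns nil for the freshly issued certificate presented from 10.1.1.25 and an error for each of the three other cases. In a real plugin the root key would live in a keystore or HSM rather than process memory, the revocation list would be persisted and published (CRL or OCSP) so that components other than the CA can check it, and the "origin" check would be whatever extra data the operator configures, as the proposal leaves open.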