Applies to SUSE OpenStack Cloud 9

3 Key Management Service Administration

3.1 Post-installation verification and administration

In a production environment, you can verify your installation of the barbican key management service by running the barbican-status.yml Ansible playbook on the Cloud Lifecycle Manager node.

ansible-playbook -i hosts/verb_hosts barbican-status.yml

In a non-production environment, you can additionally verify the service by storing a secret in barbican and retrieving it again.

3.2 Updating the barbican Key Management Service

Some barbican features and service configurations can be changed. This is done using the Cloud Lifecycle Manager Reconfigure Ansible playbook. For example, the log level can be changed from INFO to DEBUG and vice versa. If needed, this change can be restricted to a set of nodes via the playbook's host limit option. barbican administration tasks should be performed by an admin user with a token scoped to the default domain via the keystone identity API. These settings are preconfigured in the barbican.osrc file. By default, barbican.osrc is configured with the admin endpoint. If the admin endpoint is not accessible from your network, change OS_AUTH_URL to point to the public endpoint.

3.3 barbican Settings

The following barbican configuration settings can be changed:

  • Anything in the main barbican configuration file: /etc/barbican/barbican.conf

  • Anything in the main barbican worker configuration file: /etc/barbican/barbican-worker.conf

You can also update the following configuration options and enable or disable the following features:

  • Change the verbosity of logs written to barbican log files (/var/log/barbican/).

  • Enable and disable auditing of the barbican key management service

  • Edit barbican_secret_store plug-ins. The two options are:

    • store_crypto used to store the secrets in the database

    • kmip_plugin used to store the secrets into KMIP-enabled external devices

3.4 Enable or Disable Auditing of barbican Events

Auditing of barbican key manager events can be enabled or disabled by following these steps on the Cloud Lifecycle Manager node.

  1. Edit the file ~/openstack/my_cloud/definition/cloudConfig.yml.

    All audit-related configuration is defined under the audit-settings section. Valid YAML syntax is required when specifying values.

    Service names listed under enabled-services or disabled-services override the default setting (that is, default: enabled or default: disabled).

  2. To enable auditing, make sure that the barbican service name is listed in the enabled-services list of the audit-settings section, or that it is not listed in the disabled-services list when default: is set to enabled.

  3. To disable auditing for the barbican service specifically, make sure that the barbican service name is in the disabled-services list of the audit-settings section, or that it is not present in the enabled-services list when default: is set to disabled. You should not specify the service name in both lists. If it is specified in both, the enabled-services list takes precedence.

  4. Commit the change to the local git repository.

    cd ~/openstack/ardana/ansible
    git add -A
    git commit -m "My config"
  5. Run the config-processor-run and ready-deployment playbooks, followed by the barbican-reconfigure playbook:

    cd ~/openstack/ardana/ansible/
    ansible-playbook -i hosts/localhost config-processor-run.yml
    ansible-playbook -i hosts/localhost ready-deployment.yml
    cd ~/scratch/ansible/next/ardana/ansible
    ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml
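As an added example (not SUSE's code), the following Python resolves the effective audit state of a service from an audit-settings mapping using exactly the rules above: an explicit list entry overrides default:, and enabled-services wins when a service is in both lists. The audit-settings mapping is constructed inline; in practice you would load ~/openstack/my_cloud/definition/cloudConfig.yml with PyYAML and pass its "audit-settings" mapping.

```python
def audit_enabled(audit_settings, service):
    """Return (enabled, warnings) for `service` under `audit_settings`.

    Rules from the guide: a service named in enabled-services or
    disabled-services overrides `default`; a service named in both lists
    is treated as enabled (enabled-services takes precedence), but that
    is reported as a warning because it should not be configured that way.
    """
    default = str(audit_settings.get("default", "disabled")).lower()
    enabled = set(audit_settings.get("enabled-services") or [])
    disabled = set(audit_settings.get("disabled-services") or [])
    warnings = []
    if service in enabled and service in disabled:
        warnings.append(
            f"{service} is listed in both lists; enabled-services wins")
    if service in enabled:
        return True, warnings
    if service in disabled:
        return False, warnings
    if default not in ("enabled", "disabled"):
        # Not a valid value for default:; treat as disabled and flag it.
        warnings.append(f"unexpected default value {default!r}")
        return False, warnings
    return default == "enabled", warnings


def audit_report(audit_settings, services):
    """Map each service name to its effective audit state (True/False)."""
    return {s: audit_enabled(audit_settings, s)[0] for s in services}


# Constructed sample (not from a real cloudConfig.yml): default enabled,
# barbican explicitly disabled, keystone mistakenly listed in both lists.
SAMPLE_AUDIT_SETTINGS = {
    "default": "enabled",
    "enabled-services": ["keystone"],
    "disabled-services": ["barbican", "keystone"],
}

if __name__ == "__main__":
    for svc in ("barbican", "keystone", "example-service"):
        state, warns = audit_enabled(SAMPLE_AUDIT_SETTINGS, svc)
        print(f"{svc}: {'enabled' if state else 'disabled'}", *warns)
```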

3.5 Updating the barbican API Service Configuration File

  1. The barbican API service configuration file (/etc/barbican/barbican.conf), located on each control plane server (controller node), is generated from the following template file located on the Cloud Lifecycle Manager node: /var/lib/ardana/openstack/my_cloud/config/barbican/barbican.conf.j2. Modify this template file as appropriate. This is a Jinja2 template, which expects certain template variables to be set. Do not change values inside double curly braces: {{ }}.

  2. Once the template is modified, copy the files to ~/openstack/my_cloud/definition/, and commit the change to the local git repository:

    cp -r ~/hp-ci/padawan/* ~/openstack/my_cloud/definition/
    cd ~/openstack/ardana/ansible
    git add -A
    git commit -m "My config"
  3. Then rerun the configuration processor and ready-deployment playbooks:

    cd ~/openstack/ardana/ansible
    ansible-playbook -i hosts/localhost config-processor-run.yml
    ansible-playbook -i hosts/localhost ready-deployment.yml
  4. Finally, run the barbican-reconfigure playbook in the deployment area:

    cd ~/scratch/ansible/next/ardana/ansible
    ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml

3.6 Starting and Stopping the barbican Service

You can start or stop the barbican service from the Cloud Lifecycle Manager nodes by running the appropriate Ansible playbooks:

To stop the barbican service:

cd ~/scratch/ansible/next/ardana/ansible
ansible-playbook -i hosts/verb_hosts barbican-stop.yml

To start the barbican service:

cd ~/scratch/ansible/next/ardana/ansible
ansible-playbook -i hosts/verb_hosts barbican-start.yml

3.7 Changing or Resetting a Password

To change the password for the barbican administrator:

  1. Copy the file as shown below:

    cp ~/openstack/my_cloud/info/private_data_metadata_ccp.yml \
      ~/openstack/change_credentials/
  2. Then edit private_data_metadata_ccp.yml found here:

    ~/openstack/change_credentials/private_data_metadata_ccp.yml
  3. Change credentials for the barbican admin user and/or barbican service user. Remove everything else. The file will look similar to this:

    barbican_admin_password:
        value: 'testing_123'
        metadata:
        - clusters:
            - cluster1
            component: barbican-api
            cp: ccp
        version: '2.0'
    barbican_service_password:
        value: 'testing_123'
        metadata:
        - clusters:
            - cluster1
            component: barbican-api
            cp: ccp
        version: '2.0'

    The value field is optional; it is used to set a user-chosen password. If left blank, the playbook will generate a random password.

  4. Execute the following playbooks from ~/openstack/ardana/ansible/:

    cd ~/openstack/ardana/ansible/
    ansible-playbook -i hosts/localhost config-processor-run.yml -e encrypt="" -e rekey=""
    ansible-playbook -i hosts/localhost ready-deployment.yml
    cd ~/scratch/ansible/next/ardana/ansible
    ansible-playbook -i hosts/verb_hosts barbican-reconfigure-credentials-change.yml
  5. SSH to the controller and make sure the password has been properly updated.

    /etc/barbican# vi barbican-api-paste.ini

3.8 Checking Barbican Status

You can check the status of barbican by running the barbican-status.yml Ansible playbook on the Cloud Lifecycle Manager node.

ansible-playbook -i hosts/verb_hosts barbican-status.yml
Note

Make sure you remove/delete ~/openstack/change_credentials/private_data_metadata.yml after successfully changing the password.

3.9 Updating Logging Configuration

All barbican logging is set to INFO by default. To change the level from the Cloud Lifecycle Manager, there are two options available:

  1. Edit the barbican configuration file barbican_deploy_config.yml in the following directory:

    ~/openstack/my_cloud/config/barbican/

    To change the log level entry (barbican_loglevel) to DEBUG, edit the entry to:

    barbican_loglevel = {{ openstack_loglevel | default('DEBUG') }}

    To change the log level to INFO, edit the entry to:

    barbican_loglevel = {{ openstack_loglevel | default('INFO') }}
  2. Edit the file ~/openstack/ardana/ansible/roles/KEYMGR-API/templates/api-logging.conf.j2 and update the log level accordingly.

Commit the change to the local git repository:

cd ~/openstack/ardana/ansible
git add -A
git commit -m "My config"

Run the config-processor-run and ready-deployment playbooks, followed by the barbican-reconfigure playbook:

ansible-playbook -i hosts/localhost config-processor-run.yml
ansible-playbook -i hosts/localhost ready-deployment.yml
cd ~/scratch/ansible/next/ardana/ansible
ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml