WIXLIB

2 Key Management with the Barbican Service2.1 Barbican Service OverviewBarbican is an OpenStack key management service o ering secure storage, provisioning, andmanagement of key data. The Barbican service provides management of secrets, keys andcerti cates via multiple storage back-ends. The support for various back ends is provided viaa plug-in mechanism, a Key Management Interoperability Protocol (KMIP) plug-in for a KMIPcompliant HSM Hardware Secure Module (HSM) device. Barbican supports symmetric andasymmetric key generation using various algorithms. Cinder, neutron-lbaas v2 and Nova willintegrate with Barbican for their encryption key generation and storage.Barbican has two types of core feature sets:The Barbican component, a Web Server Gateway Interface (WSGI) application that exposesa REST API for secrets/containers/orders.Barbican workers for asynchronous processing, which is used for various messaging-eventdriven tasks related to certi cate generation.2.2 Key FeaturesThe major features of the Barbican key management service are:The ability to encrypt volumes/disks. In an OpenStack context, this means support forencrypting Cinder volumes (volume encryption). Cinder has its own key manager interface(KeyMgr) and can use BarbicanClient as one of its implementations. By default in HPEHelion OpenStack 8, Cinder uses Barbican as its key manager when Barbican is enabled.KeyMgr encrypts data in the virtualization host before writing data to the remote disk.There are three options available in HPE Helion OpenStack:Tenant-based encryption for block volume storage using Barbican for KMS,Barbican with KMIP and PKCS11 and external KMS (certi ed with Micro FocusESKM),3PAR StoreServ Data-At-Rest Encryption,Storage and retrieval of secrets (passwords)4Barbican Service OverviewHPE Helion OpenStack 8

Certi cate management for Load Balancer as a Service V2 (previously known as NeutronLBaaS)The ability to de ne and manage access policies for key materialAdministrative functionality, and the ability to control the lifecycle of key materialA well-de ned auditing ability in OpenStack services for key access and lifecycle eventsKey management as a service for PaaS application(s) deployed on an OpenStack cloudThe ability to scale key management e ectively and make it highly available (able tohandle failover)WarningDo not delete the certi cate container associated with your load balancer listeners beforedeleting the load balancers themselves. If you delete the certi cate rst, future operationson your load balancers and failover will stop working.2.3 InstallationNew installations of HPE Helion OpenStack 8:For new installations, no changes are needed for Barbican to be enabled. When installingyour cloud, you should use the input models which already de ne the necessary Barbicancomponents. When using the pre-de ned input model les that come with HPE HelionOpenStack 8, nothing else needs to be done in those les.Generate a master key.WarningDo not change your master key after deploying it to Barbican.If you decide to make con guration changes to your clean install of HPE Helion OpenStack8, you will need to redeploy the Barbican service. For details on available customizationoptions, please see Chapter 3, Key Management Service Administration.5InstallationHPE Helion OpenStack 8

Master Key ConfigurationBarbican currently supports databases and KMIP as its secret store back-ends. In OpenStackupstream additional back-ends are available, such as the PKCS11 and dogtag plug-ins, but theyare not tested or supported by HPE Helion OpenStack.In HPE Helion OpenStack, by default Barbican is con gured to use a database as a secret (keys)storage back-end. This back-end encrypts Barbican-managed keys with a project level key (KEK/Key Encryption Key) before storing it in the database. Project-level keys are encrypted usinga master key. As part of the initial Barbican con guration, you must generate and con gurethis master key.When Barbican is used with simple crypto plugin as its secret store back-end, its master keyneeds to be de ned before initial deployment. If no key is speci ed before deployment, thedefault master key is used—this practice is discouraged.1. Generate the master key using the provided python *generate kek* script on the CloudLifecycle Manager node:python es/generate kekThe master key is generated at stdout from this command.2. Setthemasterkeybarbican deploy config.yml .in /openstack/my cloud/config/barbican/3. If there is an existing barbican customer master key value, replace it with thegenerated master key you just generated.4. Commit the change to the Git repository:cd /openstackgit add -Agit commit -m "My config"5. Run ready-deployment:cd /openstack/ardana/ansible/ansible-playbook -i hosts/localhost ready-deployment.yml6. When the master key is set, continue with your cloud deployment.6InstallationHPE Helion OpenStack 8

Upgrade Master Key Configuration1. Check the master key.Ifamasterkeyisalreadyde ned,check rs/barbican deploy config.ymlforbarbican customer master key value. If the value does not have a pre x @ardana@ ,it is not encrypted. It is highly recommended to encrypt this value.2. Encrypt the existing key during upgrade:a. Set up the environment variable.ARDANA USER PASSWORD ENCRYPT KEYwhich contains the key used to encrypt Barbican master key.b. Before you run any playbooks, you need to export the encryption key in the followingenvironment variable:i. export ARDANA USER PASSWORD ENCRYPT KEY USER ENCRYPTION KEY ii. python*roles/KEYMGR-API/templates/generate kek barbican customer master key iii. Master key is generated at stdout.iv. Set this master key in le rs/barbican deploy config.ymlv. Replace existing barbican customer master key value with the master keyyou just generated.vi. Commit the change in git repository.vii. cd /openstack/ardana/ansible/ansible-playbook -i hosts/localhost ready-deployment.ymlviii. When the master key is set, continue with cloud deployment.7InstallationHPE Helion OpenStack 8

3. Changing the master key during the upgrade process is discouraged. Changing the masterkey will result in a read error for existing secrets as they were encrypted using the previousmaster key.NoteFor a Barbican deployment with a database back-end, the master key needs to begenerated and con gured before Barbican is deployed for the rst time. Once the masterkey is set, it must not be modi ed.NoteChanging the master key can result in read errors for existing secrets as those secretsare stored in the database and are encrypted using the previous master key. Once a newmaster key is used, Barbican will not be able to read those secrets. Also it will not be ableto create new secrets within that project as the project key is encrypted using previousmaster key.KMIP Plug-in SupportBarbican has a KMIP plug-in to store encryption keys (called secrets in Barbican serviceterminology) in an HSM device using the KMIP protocol. This plug-in has been tested againstMicro Focus ESKM with KMIP server. To enable support for it, Barbican needs to be con guredwith the corresponding plug-in connection details, and client certi cate information needs tobe de ned in its con guration. The ESKM KMIP server uses a client certi cate to validate aKMIP client connection established by the Barbican server. As part of that KMIP con guration,playbooks provide a mechanism to upload your client certs to nodes hosting the Barbican APIserver.KMIP deployment instructions can be found in Section 12.1, “Configuring KMIP and ESKM”.NoteInstallation and deployment of the Micro Focus ESKM or any other HSM devicesand dependent components is beyond the scope of this document. Please referthe relevant documentation for your choice of product. For example, you can get8InstallationHPE Helion OpenStack 8

more information on Micro Focus ESKM and related Data Security and EncryptionProducts at m-enterprise-secure-keymanagement/overview.2.4 Auditing Barbican EventsThe Barbican service supports auditing and uses Chapter 14, Security Audit Logs to generateauditing data in Cloud Auditing Data Federation (CADF) format. The HPE Helion OpenStackinput model has a mechanism to enable and disable auditing on a per-service basis. WhenBarbican auditing is enabled, it writes audit messages to an audit log le that is separate fromthe Barbican internal logging. The base location of audit log le is driven by common auditingcon guration.Enabling and Disabling AuditingThe auditing of Barbican events can be enabled and disabled through the Barbican recon gureplaybook. As part of the con guration of Barbican, its audit messages can be directed to a logor to a messaging queue. By default, messages are written to the Barbican log le. Once anarchitecture-level decision is made with regards to the default consumer of audit events (eitherlogging or messaging), the Barbican service can be con gured to use it as the default optionwhen auditing is enabled.Auditing can be disabled or enabled by following these steps on the Cloud Lifecycle Managernode.PROCEDURE 2.1: ENABLING OR DISABLING AUDITING1. Edit the le /openstack/my cloud/definition/cloudConfig.yml . All audit-relatedcon guration is de ned in the audit-settings section. You must use valid YAML syntaxwhen specifying values.2. Any service (including Barbican) that is listed under enabled-services or disabled-serviceswill override the default setting. To enable auditing, make sure that the Barbican servicename is in the enabled-services list of the audit-settings section or is not present indisabled-services list when default: is set to enabled.The relevant section of cloudConfig.yml is shown below. Enabled-services arecommented out.9Auditing Barbican EventsHPE Helion OpenStack 8

The default: enabled setting applies to all services. If you want to disable (or enable)a few, whichever is the opposite of the default global setting you used, you can do so ina disabled-services (or enabled-services) section below it. Here the enabled-services entryis commented out. You should only have either a default of enabled (or disabled) or asection of disabled (or enabled). There is no need to duplicate the setting.audit-settings:default: enabled#enabled-services:#- keystone#- barbicandisabled-services:- nova- barbican- keystone- cinder- ceilometer- neutron3. When you are satis ed with your settings, copy the les to /openstack/my cloud/definition/ , and commit the changes in the git repository. For example, if you areusing the Entry Scale KVM model, you would copy from /openstack/examples/entryscale-kvm and commit.cp -r /openstack/examples/entry-scale-kvm/* /openstack/my cloud/definition/cd /openstackgit add -Agit commit -m "My config"4. Run the con guration processor and ready-deployment:cd /openstack/ardana/ansible/ansible-playbook -i hosts/localhost config-processor-run.ymlansible-playbook -i hosts/localhost ready-deployment.yml5. Run barbican-recon gure:cd ok -i hosts/verb hosts barbican-reconfigure.yml10Auditing Barbican EventsHPE Helion OpenStack 8

2.5 Barbican Key Management Service BootstrapDataWhen the key management service is installed, some of the Keystone-related initial data isbootstrapped as part of its initial deployment. The data added is primarily related to Barbicanuser, roles, service and endpoint de nitions, and Barbican role assignments.User, Roles, Service and Endpoint DefinitionsType Nameor countBarbican user account associatedwith administrative privileges.Password is randomly generatedand made available in the Barbicanclient environment setup script,barbican.osrc, , on the CloudLifecycle Manager node.Keystonebarbican serviceService account used for KeystonePassword is randomly generatedAccountcon guration, barbican-api-UserKeystonekey-token validation by barbicanservice.and stored in barbican pastepaste.ini .Barbican speci c role withThis role has the same privilegesdelete keys and certi cates.upstream Barbican. ReferencedRole manager:creatorprivilege to create, modify, list, and de ned for creator role inin the service policy con g le,policy.json .Keystonekey-Barbican-speci c role that hasThis role has the same privilegesinclude modi cations (update andBarbican. Referenced in the serviceRole manager:adminadministrative privileges. Privileges de ned for admin role in upstreamdelete) in container's consumer,11policy con g le, policy.json .Barbican Key Management Service Bootstrap DataHPE Helion OpenStack 8

Type Nameor Purposekey-valueCommentspairtransport keys, certi cateauthorities (CA), assignment, andmanagement of per-project CA.Keystonekey-Barbican speci c role which hasThis role has the same privilegeskeys, certi cates.upstream Barbican. ReferencedRole manager:observerprivileges limited to read/list ofde ned for observer role inin the service policy con g le,policy.json .Keystonekey-Barbican speci c role which hasThis role has the same privilegesmetadata of keys, certi cates.upstream Barbican. ReferencedRole manager:auditorprivileges limited to readingThis role does not allow readingand listing of actual keys andcerti cates.Keystonekey-de ned for auditor role inin the service policy con g le,policy.json .Barbican speci c role which hasThis role has the sameCA and modify default projectmanager:service-admin role inRole manager:serviceprivilege to modify global preferred privileges de ned for keyadminquotas.upstream Barbican. Referencedin the service policy con g le,policy.json .Keystonename:Servicebarbicantype: key-Barbican service de nition. Servicetype is nalregion:region112Barbican internal endpoint. This isthe load-balanced endpoint exposedfor internal service usage.Barbican Key Management Service Bootstrap DataHPE Helion OpenStack 8

Type Nameor ointpublicregion:Barbican public endpoint. This isthe load-balanced endpoint exposedfor external/public service usage.region1Role AssignmentsUserProjectRole namePurposename namebarbicanadmin key-manager:admin User is assigned Barbican administration privileges onKeystone-de ned admin project. This allows the user tomanage Barbican resources associated with that projectusing the Barbican CLI setup.barbicanadmin key-manager:serviceadminUser is assigned Barbican service administrationprivileges on Keystone-de ned admin project. Thisrole and the one above allows full Barbican-relatedadministration capabilities.barbicanadmin adminUser assigned Keystone de ned administrative role onits admin project. This way customer can continue touse Barbican CLI and OpenStack CLI without need toswitch when testing or verifying data.admin admin key-manager:admin Keystone-de ned admin user is given Barbican relatedadministrative privileges on Keystone-de ned adminproject.admin admin key-manager:serviceadmin13In lines of above role assignment, Barbican speci cservice administrator role is assigned to allow globalpreferred CA and quotas modi cations.Barbican Key Management Service Bootstrap DataHPE Helion OpenStack 8

UserProjectRole namename namebarbican serviceservicesservicePurposeBarbican service account is given service role onservices project for token validation. API server usesthis for creating scoped service token and then includesit as X-Service-Token when requesting customer/client token validation from Keystone.2.6 Known issues and workarounds1. Make sure that in your Certi cate Signing Request (CSR) Commonthebarbican kmip usernamevalue de ned inName matchesroles/barbican-common/vars/barbican deploy config.yml . Otherwise you may see an internal server error messagein Barbican for secret create request.2. Barbican does not return a clear error message with regards to client certi cate setupand its connectivity with KMIP server. During secret create request, a general "InternalServer Error" is returned when the certi cate is invalid or missing any of necessary clientcerti cate data (client certi cate, key and CA root certi cate).14Known issues and workaroundsHPE Helion OpenStack 8

3 Key Management Service Administration3.1 Post-installation verification and administrationIn a production environment, you can verify your installation of the Barbican key managementservice by running the barbican-status.yml Ansible playbook on the Cloud LifecycleManager node.ansible-playbook -i hosts/verb hosts barbican-status.ymlIn any non-production environment, along with the playbook, you can also verify the serviceby storing and retrieving the secret from Barbican.3.2 Updating the Barbican Key Management ServiceSome Barbican features and service con gurations can be changed. This is done using the CloudLifecycle Manager Recon gure Ansible playbook. For example, the log level can be changedfrom INFO to DEBUG and vice-versa. If needed, this change can be restricted to a set of nodesvia the playbook's host limit option. Barbican administration tasks should be performed by anadmin user with a token scoped to the default domain via the Keystone identity API. Thesesettings are precon gured in the barbican.osrc le. By default, barbican.osrc is con guredwith the admin endpoint. If the admin endpoint is not accessible from your network, changeOS AUTH URL to point to the public endpoint.3.3 Barbican SettingsThe following Barbican con guration settings can be changed:Anything in the main Barbican con guration le: /etc/barbican/barbican.confAnything in the main Barbican worker con guration le: on verification and administrationHPE Helion OpenStack 8

You can also update the following con guration options and enable the following features. Forexample, you can:Change the verbosity of logs written to Barbican log les ( var/log/barbican/ ).Enable and disable auditing of the Barbican key management serviceEdit barbican secret store plug-ins. The two options are:store crypto used to store the secrets in the databasekmip plugin used to store the secrets into KMIP-enabled external devices3.4 Enable or Disable Auditing of Barbican EventsAuditing of Barbican key manager events can be disabled or enabled by following steps on theCloud Lifecycle Manager node.1. Edit the le /openstack/my cloud/definition/cloudConfig.yml .All audit-related con guration is de ned under audit-settings section. Valid YAMLsyntax is required when specifying values

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. . Overview1 1.1 Security features in HPE Helion OpenStack 8 1 1.2 Role-Based Access Control (RBAC) Support for Neutron Networks 1 1.3 Separate Service Administrator Role 1 1.4 Inter-service Password .