Using Barbican services
Barbican:
Barbican is an OpenStack Key Manager service. It provides secure storage, sharing, and management of secret data such as passwords, encryption keys, and X.509 certificates.
Assumptions:
An SSL certificate is stored in the Barbican service. Encrypted HTTPS connections are accepted by a load balancer (haproxy), and connections from haproxy to the "real servers" are made in an unencrypted manner within a secure environment.
To complete this task you need a DNS name: either purchase one in the global DNS system, or use a name in the domain man.poznan.pl, which is generated automatically for each external IP address.
For the purposes of this guide, we will use a certificate for a name in the domain man.poznan.pl.
Environment Setup:
In the OpenStack web panel, create two instances that will have an external floating IP address added. Create a security group for the instances that allows traffic on ports 443 and 80.
Example configuration:
For configuration of the above assumptions, follow these guides:
- https://docs.psnc.pl/pages/viewpage.action?pageId=130287749
- https://docs.psnc.pl/pages/viewpage.action?pageId=117372270
- https://docs.psnc.pl/pages/viewpage.action?pageId=117372677
What name can I use in the domain man.poznan.pl?
Create an external floating IP address, which will be used for the load balancer. Use the nslookup tool on that address to check which name in man.poznan.pl resolves to it (its A record), then generate the SSL certificate for this name.
Applying for an SSL Certificate:
Generate the certificate following the instructions here: https://wiki.man.poznan.pl/wiki/Pion_Us%C5%82ug_Sieciowych/TCS
System Configuration:
Update the system and install packages with apt (on both servers):
sudo su -
apt update
apt upgrade
apt install mc apache2
Create a directory and index.html file with the site content.
mkdir /var/www/mojastrona
echo SerwerA > /var/www/mojastrona/index.html # For server A
echo SerwerB > /var/www/mojastrona/index.html # For server B
Create a site configuration file.
touch /etc/apache2/sites-enabled/strona.domena.pl.conf
mcedit /etc/apache2/sites-enabled/strona.domena.pl.conf
<VirtualHost *:80>
DocumentRoot /var/www/mojastrona
ServerName www.origanum-48.man.poznan.pl
ServerAlias origanum-48.man.poznan.pl
ServerAdmin admin@test.pl
</VirtualHost>
Adding the Certificate to Barbican Service.
Before starting the procedure, create a ServiceDesk ticket to grant the appropriate permissions in OpenStack (creator role) https://support.pcss.pl/servicedesk/customer/portal/6
To make the certificate usable by the load balancer, bundle the private key, the certificate and the intermediate CA certificate into a single PKCS12 file.
Syntax:
openssl pkcs12 -export -inkey private_key.key -in certificate.cer -certfile 'CA_certificate.cer' -out file_name.p12
Example:
openssl pkcs12 -export -inkey origanum-48.man.poznan.pl.key -in origanum-48_man_poznan_pl_cert.cer -certfile 'origanum-48_man_poznan_pl_interm (1).cer' -out origanum48.man.poznan.pl.p12
Adding the Certificate
Connect to the project using the RC file (see: CLI Client Configuration for OpenStack - For Linux (Ubuntu)).
Command syntax:
openstack secret store --name='name' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < path_to_certificate.p12)"
Example:
openstack secret store --name='origanum48.man.poznan.pl' -t 'application/octet-stream' -e 'base64' --payload="$(base64 < origanum48.man.poznan.pl.p12)"
Load Balancer Configuration (load-balancer).
For the BST region, configure from the web panel: https://openstack.man.poznan.pl/horizon/auth/login/
In the OpenStack web panel: Project → Network → Load Balancers → Create
In the creation wizard:
- Indicate the internal subnet of our servers and add a name.
- Continue through the following screens of the wizard.
- In the next step, choose the servers and add a port.
- Continue to the following step.
- In the final step, add the SSL certificate.
Wait until the status shows Online / Active, then add a floating IP address from the external network.
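The same load balancer as the Horizon wizard above, built with the OpenStack CLI instead, as an added example that is not part of this guide: it looks up the secret stored in the earlier step by its name, terminates HTTPS at the load balancer with that PKCS12 secret, and forwards plain HTTP to the servers on port 80, as in the assumptions. Load balancer, subnet and network names and the member addresses are constructed placeholders, and the `--wait` flags assume a recent python-octaviaclient.

```shell
#!/bin/sh
# Added example (not from the guide): the Horizon load-balancer steps as
# Octavia CLI commands. Names, subnets and addresses here are constructed.
set -eu

# Find the Barbican secret href of a certificate stored with "openstack secret store --name".
# The table printed by "secret list" has the href in column 2 and the name in column 4.
secret_ref() {
    openstack secret list | awk -v n="$1" '$4 == n { print $2 }'
}

# Build the load balancer: HTTPS terminated at the LB with the PKCS12 secret,
# plain HTTP from the LB to the servers on port 80.
# Usage: deploy_tls_lb NAME SECRET_NAME VIP_SUBNET MEMBER_SUBNET ADDR...
# Prints the id of the VIP port, which the floating IP is attached to.
deploy_tls_lb() {
    name=$1; secret_name=$2; vip_subnet=$3; member_subnet=$4; shift 4
    ref=$(secret_ref "$secret_name")
    if [ -z "$ref" ]; then
        echo "secret '$secret_name' not found in Barbican" >&2
        return 1
    fi
    openstack loadbalancer create --name "$name" --vip-subnet-id "$vip_subnet" --wait >/dev/null
    # TERMINATED_HTTPS: TLS ends at the load balancer, using the stored secret
    openstack loadbalancer listener create --name "$name-https" \
        --protocol TERMINATED_HTTPS --protocol-port 443 \
        --default-tls-container-ref "$ref" --wait "$name" >/dev/null
    openstack loadbalancer pool create --name "$name-pool" --lb-algorithm ROUND_ROBIN \
        --listener "$name-https" --protocol HTTP --wait >/dev/null
    for addr in "$@"; do
        openstack loadbalancer member create --subnet-id "$member_subnet" \
            --address "$addr" --protocol-port 80 --wait "$name-pool" >/dev/null
    done
    # Health monitor so a server whose site stops answering is taken out of rotation
    openstack loadbalancer healthmonitor create --name "$name-hm" --type HTTP \
        --url-path / --delay 5 --timeout 3 --max-retries 3 --wait "$name-pool" >/dev/null
    openstack loadbalancer show "$name" -f value -c vip_port_id
}

# Attach a floating IP from the external network to the VIP port; prints the address.
# Usage: attach_floating_ip EXTERNAL_NETWORK VIP_PORT_ID
attach_floating_ip() {
    openstack floating ip create --port "$2" -f value -c floating_ip_address "$1"
}

# Runs only when called with arguments, e.g.:
#   ./lb.sh lb1 origanum48.man.poznan.pl internal-subnet internal-subnet 10.0.0.11 10.0.0.12
if [ "$#" -gt 0 ]; then
    port=$(deploy_tls_lb "$@")
    attach_floating_ip "${EXT_NET:-external-network}" "$port"
fi
```

The script sources the project's RC file environment just like the `openstack secret store` step, so run it from the same shell session.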