Difference between revisions of "Barbican/Blueprints/dogtag-plugin"
Latest revision as of 21:02, 31 March 2014
- Launchpad Entry: https://blueprints.launchpad.net/barbican/+spec/dogtag-plugin
- Created: 16-Jan-2014
- Updated: 31-Mar-2014
- Contributors: John Wood, Chad Lung, Doug Mendizabal, Lisa Clark, Sheena Gregson, Ade Lee, Endi Dewata
Abstract
This blueprint is for creating a Barbican crypto plugin so that Barbican deployments can use the RedHat DogTag Data Recovery Manager (DRM) as a key management back-end.
Description
To support a RedHat DRM as a key management back-end, changes will be needed in two main workflows:
Creating a secret
[Figure: Create Secret using DogTag Plugin]
- NOTE: The DogTag plugin sits between Barbican and the DRM and handles the integration with the DRM.
Retrieving a secret
[Figure: Retrieving a Secret using DogTag Plugin]
Proposed Changes
- python-barbicanclient
  - Modify to support retrieving a transport key for encryption and decryption between the Barbican client and Barbican
  - Generate a session key for the lifespan of the transaction to encrypt data sent and decrypt data received
  - Allow clients to optionally provide a passphrase, else self-generate one.
  - Decrypt the retrieved secret using the session-encrypted passphrase.
- Barbican
  - API
    - New resource to retrieve a transport key, using the crypto plugin to obtain it
    - Initial setup: during installation of a DogTag DRM, a user and certificate are created and the public cert is made available for use in Barbican
    - Config changes to support configuration specific to the DogTag plugin
  - Crypto Plugin interface
    - Modify the create() method to return the encrypted datum (instead of the current raw data). It should have the same return contract as the encrypt() method (i.e. the secret generation and the secret encryption operations will be combined).
    - New method to return a transport key
  - Dev Plugin
    - Modify to support the different contract behaviour of create()
  - DogTag Crypto Plugin
    - Abstraction layer for the DogTag Python library
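The two workflows above, worked through as an added Python example (not python-barbicanclient or DogTag code): it assumes the `cryptography` package, and uses an RSA-OAEP key pair as a stand-in for the DRM transport certificate and AES-GCM for the per-transaction session key, neither of which the blueprint pins down.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed wrapping scheme for the transport key (the blueprint does not specify one).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_transport_key():
    """Stand-in for the transport key pair created at DRM install time:
    the DRM keeps the private half, Barbican exposes the public half."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def client_new_session(transport_pub):
    """Client: one AES-256 session key per transaction, wrapped to the
    transport key so that only the DRM can unwrap it (Barbican cannot)."""
    session_key = AESGCM.generate_key(bit_length=256)
    return session_key, transport_pub.encrypt(session_key, OAEP)


def seal(session_key, data):
    """Encrypt data under the session key with a fresh 96-bit nonce."""
    nonce = os.urandom(12)
    return nonce, AESGCM(session_key).encrypt(nonce, data, None)


def unseal(session_key, nonce, ciphertext):
    """Decrypt and authenticate; raises InvalidTag if the data was altered."""
    return AESGCM(session_key).decrypt(nonce, ciphertext, None)


def create_secret(secret, transport_pub, transport_priv):
    """Workflow 1: client seals the secret and sends it with the wrapped
    session key; Barbican relays it opaquely; the DRM unwraps and stores."""
    session_key, wrapped = client_new_session(transport_pub)
    nonce, ct = seal(session_key, secret)            # what leaves the client
    drm_key = transport_priv.decrypt(wrapped, OAEP)  # DRM side only
    return unseal(drm_key, nonce, ct)                # plaintext exists only inside the DRM


def retrieve_secret(stored, transport_pub, transport_priv):
    """Workflow 2: client sends a wrapped session key; the DRM returns the
    stored secret sealed under it; the client decrypts locally."""
    session_key, wrapped = client_new_session(transport_pub)
    drm_key = transport_priv.decrypt(wrapped, OAEP)
    nonce, ct = seal(drm_key, stored)                # DRM side
    return unseal(session_key, nonce, ct)            # client side
```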
References
[1] Blueprint: https://blueprints.launchpad.net/barbican/+spec/dogtag-plugin
[2] Barbican on Github: https://github.com/stackforge/barbican
[3] Python Barbican Client on Github: https://github.com/stackforge/python-barbicanclient
[4] RedHat DogTag: http://pki.fedoraproject.org/wiki/PKI_Main_Page
[5] DogTag REST: http://pki.fedoraproject.org/wiki/REST
[6] Using the Python Key Client: http://pki.fedoraproject.org/wiki/Using-the-Python-Key-Client