25.5. Storing a Service Secret in a Vault
This section shows how an administrator can use vaults to securely store a service secret in a centralized location. The service secret is encrypted with the service public key. The service then retrieves the secret using its private key on any machine in the domain. Only the service and the administrator are allowed to access the secret.
This section includes these procedures:
- Section 25.5.1, "Creating a User Vault to Store a Service Password"
- Section 25.5.2, "Provisioning a Service Password from a User Vault to Service Instances"
- Section 25.5.3, "Retrieving a Service Password for a Service Instance"
- Section 25.5.4, "Changing Service Vault Password"
In the procedures:
- admin is the administrator who manages the service password
- http_password is the name of the private user vault created by the administrator
- password.txt is the file containing the service password
- password_vault is the vault created for the service
- HTTP/server.example.com is the service whose password is being archived
- service-public.pem is the service public key used to encrypt the password stored in password_vault
25.5.1. Creating a User Vault to Store a Service Password
Create an administrator-owned user vault, and use it to store the service password. The vault type is standard, which ensures the administrator is not required to authenticate when accessing the contents of the vault.
- Log in as the administrator:
    $ kinit admin
- Create a standard user vault:
    $ ipa vault-add http_password --type standard
    ---------------------------
    Added vault "http_password"
    ---------------------------
      Vault name: http_password
      Type: standard
      Owner users: admin
      Vault user: admin
- Archive the service password into the vault:
    $ ipa vault-archive http_password --in password.txt
    ----------------------------------------
    Archived data into vault "http_password"
    ----------------------------------------
Warning
After archiving the password into the vault, delete password.txt from your system.
25.5.2. Provisioning a Service Password from a User Vault to Service Instances
Using an asymmetric vault created for the service, provision the service password to a service instance.
- Log in as the administrator:
    $ kinit admin
- Obtain the public key of the service instance. For example, using the openssl utility:
  - Generate the service-private.pem private key:
      $ openssl genrsa -out service-private.pem 2048
      Generating RSA private key, 2048 bit long modulus
      .+++
      ...........................................+++
      e is 65537 (0x10001)
  - Generate the service-public.pem public key based on the private key:
      $ openssl rsa -in service-private.pem -out service-public.pem -pubout
      writing RSA key
- Create an asymmetric vault as the service instance vault, and provide the public key:
    $ ipa vault-add password_vault --service HTTP/server.example.com --type asymmetric --public-key-file service-public.pem
    ----------------------------
    Added vault "password_vault"
    ----------------------------
      Vault name: password_vault
      Type: asymmetric
      Public key: LS0tLS1C...S0tLS0tCg==
      Owner users: admin
      Vault service: HTTP/server.example.com@EXAMPLE.COM
  The password archived into the vault will be protected with the key.
- Retrieve the service password from the administrator's private vault, and then archive it into the new service vault:
    $ ipa vault-retrieve http_password --out password.txt
    -----------------------------------------
    Retrieved data from vault "http_password"
    -----------------------------------------
    $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
    -----------------------------------
    Archived data into vault "password_vault"
    -----------------------------------
  This encrypts the password with the service instance public key.
Warning
After archiving the password into the vault, delete password.txt from your system.
Repeat these steps for every service instance that requires the password. Create a new asymmetric vault for each service instance.
25.5.3. Retrieving a Service Password for a Service Instance
A service instance can retrieve the service vault password using the locally stored service private key.
- Log in as the administrator:
    $ kinit admin
- Obtain a Kerberos ticket for the service:
    # kinit HTTP/server.example.com -k -t /etc/httpd/conf/ipa.keytab
- Retrieve the service vault password:
    $ ipa vault-retrieve password_vault --service HTTP/server.example.com --private-key-file service-private.pem --out password.txt
    ------------------------------------
    Retrieved data from vault "password_vault"
    ------------------------------------
25.5.4. Changing Service Vault Password
If a service instance is compromised, isolate it by changing the service vault password and then re-provisioning the new password to non-compromised service instances only.
- Archive the new password in the administrator's user vault:
    $ ipa vault-archive http_password --in new_password.txt
    ----------------------------------------
    Archived data into vault "http_password"
    ----------------------------------------
  This overwrites the current password stored in the vault.
- Re-provision the new password to each service instance, excluding the compromised instance:
  - Retrieve the new password from the administrator's vault:
      $ ipa vault-retrieve http_password --out password.txt
      -----------------------------------------
      Retrieved data from vault "http_password"
      -----------------------------------------
  - Archive the new password into the service instance vault:
      $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
      -----------------------------------
      Archived data into vault "password_vault"
      -----------------------------------
Warning
After archiving the password into the vault, delete password.txt from your system.
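The procedures in Sections 25.5.2, 25.5.3 and 25.5.4 repeat the same few commands once per service instance, and each repetition leaves a plaintext password.txt behind that the warnings tell you to delete. The following POSIX shell script is an added example (it is not code from this documentation or from IdM itself) that wraps those steps into functions: per-instance key generation and asymmetric vault creation, provisioning of the current password from the administrator's vault to a list of instances, retrieval on an instance with its keytab and private key, and rotation that re-provisions only to the instances you name. The plaintext is held only in a mode-0600 temporary file that is removed on exit. It assumes the administrator ticket has already been obtained with kinit admin, that each instance's key pair is stored as <host>-private.pem and <host>-public.pem, and that the vault name password_vault_<host> is a convention of this example, not an IdM naming rule.

```shell
#!/bin/sh
# Added example, not part of the Red Hat IdM documentation. Wraps the vault
# provisioning, retrieval and rotation steps into reusable functions.
# Assumptions: an admin ticket exists (kinit admin); instance keys live in
# <host>-private.pem / <host>-public.pem; vault names follow an example
# convention (password_vault_<host>) that IdM itself does not impose.
set -eu
umask 077   # every file this script creates is readable by its owner only

ADMIN_VAULT="${ADMIN_VAULT:-http_password}"   # administrator's standard vault
SERVICE="${SERVICE:-HTTP}"                    # service principal prefix

# Per-instance asymmetric vault name (example convention): dots become
# underscores, e.g. server.example.com -> password_vault_server_example_com
instance_vault() {
    echo "password_vault_$(echo "$1" | tr '.' '_')"
}

# 25.5.2 step 2, run on the instance: generate the RSA key pair whose public
# half protects the vault and whose private half never leaves the instance.
generate_instance_keys() {
    host="$1"
    openssl genrsa -out "${host}-private.pem" 2048
    openssl rsa -in "${host}-private.pem" -out "${host}-public.pem" -pubout
}

# 25.5.2 step 3: create the instance vault bound to the instance public key.
create_instance_vault() {
    host="$1"
    ipa vault-add "$(instance_vault "$host")" \
        --service "${SERVICE}/${host}" \
        --type asymmetric \
        --public-key-file "${host}-public.pem"
}

# 25.5.2 step 4, for every instance given as an argument: copy the current
# password from the admin vault into each instance vault. The plaintext is
# written once to a private temp file and removed again before returning.
provision_instances() {
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    ipa vault-retrieve "$ADMIN_VAULT" --out "$tmp"
    for host in "$@"; do
        ipa vault-archive "$(instance_vault "$host")" \
            --service "${SERVICE}/${host}" --in "$tmp"
    done
    rm -f "$tmp"
    trap - EXIT
}

# 25.5.3, run on the instance: authenticate with the service keytab and
# decrypt the vault contents with the locally stored private key.
retrieve_on_instance() {
    host="$1"; keytab="$2"; out="$3"
    kinit "${SERVICE}/${host}" -k -t "$keytab"
    ipa vault-retrieve "$(instance_vault "$host")" \
        --service "${SERVICE}/${host}" \
        --private-key-file "${host}-private.pem" --out "$out"
}

# 25.5.4: overwrite the admin vault with the new password, then re-provision
# only to the instances listed; simply leave the compromised one off the list.
rotate_password() {
    new_password_file="$1"; shift
    ipa vault-archive "$ADMIN_VAULT" --in "$new_password_file"
    provision_instances "$@"
}

# Usage (example):
#   generate_instance_keys server.example.com && create_instance_vault server.example.com
#   rotate_password new_password.txt server.example.com server2.example.com
```

Rotation deliberately takes an explicit allow-list of instances rather than "all vaults except one": an instance that is not named is simply never re-provisioned, so the stale password in its vault is the only thing it can still retrieve.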