25.5. Storing a Service Secret in a Vault

This section shows how an administrator can use vaults to securely store a service secret in a centralized location. The service secret is encrypted with the service public key. The service then retrieves the secret using its private key on any machine in the domain. Only the service and the administrator are allowed to access the secret.
In the procedures:
  • admin is the administrator who manages the service password
  • http_password is the name of the private user vault created by the administrator
  • password.txt is the file containing the service password
  • password_vault is the vault created for the service
  • HTTP/server.example.com is the service whose password is being archived
  • service-public.pem is the service public key used to encrypt the password stored in password_vault

25.5.1. Creating a User Vault to Store a Service Password

Create an administrator-owned user vault, and use it to store the service password. The vault type is standard, so the administrator does not have to supply an additional password or key to access the contents of the vault.
  1. Log in as the administrator:
    $ kinit admin
  2. Create a standard user vault:
    $ ipa vault-add http_password --type standard
    ---------------------------
    Added vault "http_password"
    ---------------------------
      Vault name: http_password
      Type: standard
      Owner users: admin
      Vault user: admin
  3. Archive the service password into the vault:
    $ ipa vault-archive http_password --in password.txt
    ----------------------------------------
    Archived data into vault "http_password"
    ----------------------------------------

    Warning

    After archiving the password into the vault, delete password.txt from your system.

25.5.2. Provisioning a Service Password from a User Vault to Service Instances

Using an asymmetric vault created for the service, provision the service password to a service instance.
  1. Log in as the administrator:
    $ kinit admin
  2. Obtain the public key of the service instance. For example, using the openssl utility:
    1. Generate the service-private.pem private key.
      $ openssl genrsa -out service-private.pem 2048
      Generating RSA private key, 2048 bit long modulus
      .+++
      ...........................................+++
      e is 65537 (0x10001)
    2. Generate the service-public.pem public key based on the private key.
      $ openssl rsa -in service-private.pem -out service-public.pem -pubout
      writing RSA key
  3. Create an asymmetric vault as the service instance vault, and provide the public key:
    $ ipa vault-add password_vault --service HTTP/server.example.com --type asymmetric --public-key-file service-public.pem
    ----------------------------
    Added vault "password_vault"
    ----------------------------
    Vault name: password_vault
    Type: asymmetric
    Public key: LS0tLS1C...S0tLS0tCg==
    Owner users: admin
    Vault service: HTTP/server.example.com@EXAMPLE.COM
    The password archived into the vault will be protected with the key.
  4. Retrieve the service password from the administrator's private vault, and then archive it into the new service vault:
    $ ipa vault-retrieve http_password --out password.txt
    -----------------------------------------
    Retrieved data from vault "http_password"
    -----------------------------------------
    $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
    -----------------------------------
    Archived data into vault "password_vault"
    -----------------------------------
    This encrypts the password with the service instance public key.

    Warning

    After archiving the password into the vault, delete password.txt from your system.
Repeat these steps for every service instance that requires the password. Create a new asymmetric vault for each service instance.

25.5.3. Retrieving a Service Password for a Service Instance

A service instance can retrieve the service vault password using the locally-stored service private key.
  1. Log in as the administrator:
    $ kinit admin
  2. Obtain a Kerberos ticket for the service:
    # kinit HTTP/server.example.com -k -t /etc/httpd/conf/ipa.keytab
  3. Retrieve the service vault password:
    $ ipa vault-retrieve password_vault --service HTTP/server.example.com --private-key-file service-private.pem --out password.txt
    ------------------------------------
    Retrieved data from vault "password_vault"
    ------------------------------------
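The retrieval step above works because the secret in an asymmetric vault is encrypted to the service public key and can be opened only with the matching private key. The following script is an added example, not code from the IdM documentation, and it does not reproduce IPA's own vault storage format: it uses the openssl commands from section 25.5.2 to model the same property locally, archiving a constructed password to service-public.pem, reading it back with service-private.pem, and showing that a second instance's unrelated key pair cannot read it. The key file names follow the section; the password value and the "other" key pair are constructed.

```shell
#!/bin/sh
# Added example; not from the IdM documentation and not IPA's vault envelope
# format. It models only the property the asymmetric vault relies on: a secret
# encrypted to service-public.pem is recoverable with service-private.pem and
# with no other key. File names follow the section; the password is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a key pair the way section 25.5.2 does (2048-bit RSA).
# $1 = basename for the key files (e.g. "service")
gen_keypair() {
    openssl genrsa -out "$WORK/$1-private.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/$1-private.pem" -pubout -out "$WORK/$1-public.pem" 2>/dev/null
}

# Model of vault-archive into an asymmetric vault: encrypt the plaintext file
# to the public key. RSA-OAEP padding is used for the demonstration.
# $1 = plaintext file, $2 = public key, $3 = ciphertext output
archive_secret() {
    openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$1" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep
}

# Model of vault-retrieve on the service instance: decrypt with a private key.
# Writes the secret to stdout; exits non-zero when the key does not match.
# $1 = ciphertext file, $2 = private key
retrieve_secret() {
    openssl pkeyutl -decrypt -inkey "$2" -in "$1" \
        -pkeyopt rsa_padding_mode:oaep 2>/dev/null
}

# Full round trip: archive a constructed password to the service public key,
# delete the plaintext (the documented warning), and read it back with the
# service private key. Prints the recovered password.
round_trip() {
    gen_keypair service
    printf '%s' 'constructed-http-service-password' > "$WORK/password.txt"
    archive_secret "$WORK/password.txt" "$WORK/service-public.pem" "$WORK/password.enc"
    rm -f "$WORK/password.txt"
    retrieve_secret "$WORK/password.enc" "$WORK/service-private.pem"
}

# Returns 0 when an unrelated private key cannot decrypt the archived secret,
# i.e. another instance with its own key pair cannot read this vault's data.
unrelated_key_rejected() {
    [ -f "$WORK/password.enc" ] || round_trip >/dev/null
    gen_keypair other
    if retrieve_secret "$WORK/password.enc" "$WORK/other-private.pem" >/dev/null; then
        return 1
    fi
    return 0
}

echo "service instance recovered: $(round_trip)"
unrelated_key_rejected && echo "unrelated private key rejected"
```

This is also why the procedure creates a separate asymmetric vault per instance: each vault is encrypted to one instance's public key, so compromise of one instance's private key exposes only that instance's copy of the password.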
    

25.5.4. Changing Service Vault Password

If a service instance is compromised, isolate it by changing the service vault password and then re-provisioning the new password to non-compromised service instances only.
  1. Archive the new password in the administrator's user vault:
    $ ipa vault-archive http_password --in new_password.txt
    ----------------------------------------
    Archived data into vault "http_password"
    ----------------------------------------
    This overwrites the current password stored in the vault.
  2. Re-provision the new password to each service instance excluding the compromised instance.
    1. Retrieve the new password from the administrator's vault:
      $ ipa vault-retrieve http_password --out password.txt
      -----------------------------------------
      Retrieved data from vault "http_password"
      -----------------------------------------
    2. Archive the new password into the service instance vault:
      $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
      -----------------------------------
      Archived data into vault "password_vault"
      -----------------------------------

      Warning

      After archiving the password into the vault, delete password.txt from your system.
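Sections 25.5.2 and 25.5.4 both end with the same loop: retrieve the password from the administrator's user vault, archive it into each instance's own asymmetric vault, and delete the plaintext file. The script below is an added example, not code from the IdM documentation. It wraps exactly the ipa commands shown in the procedures, takes a list of service principals and an optional list of compromised principals to skip, and removes the temporary plaintext file even if an ipa call fails. It assumes a valid admin ticket (kinit admin), the ipa CLI, and that each listed instance already has an asymmetric vault named password_vault created as in section 25.5.2, step 3 (the script does not create vaults). The principal names used in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the IdM documentation: provision (or, after a
# rotation, re-provision) the password held in the administrator's user vault
# to a list of service instances, skipping any instance marked compromised.
# Assumes: a valid admin Kerberos ticket (kinit admin), the "ipa" CLI, and
# that every listed instance already has an asymmetric vault named
# "password_vault" created as in section 25.5.2, step 3.
# Usage (constructed principals):
#   provision.sh 'HTTP/a.example.com HTTP/b.example.com' 'HTTP/b.example.com'
#   second argument = space-separated principals to skip; may be omitted
set -eu

ADMIN_VAULT=${ADMIN_VAULT:-http_password}
SERVICE_VAULT=${SERVICE_VAULT:-password_vault}

# in_list NEEDLE LIST: returns 0 if NEEDLE is one of the space-separated items.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# provision_password INSTANCES [EXCLUDED]
# Retrieves the password once from the admin vault into a temporary file,
# archives it into each non-excluded instance vault, and removes the plaintext
# afterwards (the documented warning). Prints each provisioned principal on
# stdout; the ipa command's own status lines go to stderr so the printed list
# stays machine-readable.
provision_password() {
    instances=$1
    excluded=${2:-}
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT      # also removes the plaintext if an ipa call fails
    ipa vault-retrieve "$ADMIN_VAULT" --out "$tmp" >&2
    for svc in $instances; do
        if in_list "$svc" "$excluded"; then
            echo "skipping $svc (excluded)" >&2
            continue
        fi
        ipa vault-archive "$SERVICE_VAULT" --service "$svc" --in "$tmp" >&2
        echo "$svc"
    done
    rm -f "$tmp"
}

# Run only when principals are given on the command line.
if [ $# -gt 0 ]; then
    provision_password "$1" "${2:-}"
fi
```

After a compromise, run it with the compromised principal in the second argument once the new password has been archived into http_password (step 1 above); the excluded instance keeps only the old password, which is now invalid everywhere else.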