Chapter 4. Managing IdM service secrets: storing and retrieving secrets
This section shows how an administrator can use the ansible-freeipa vault module to securely store a service secret in a centralized location. The vault used in the example is asymmetric, which means that to use it, the administrator needs to perform the following steps:
-
Generate a private key using, for example, the
opensslutility. - Generate a public key based on the private key.
The service secret is encrypted with the public key when an administrator archives it into the vault. Afterwards, a service instance hosted on a specific machine in the domain retrieves the secret using the private key. Only the service and the administrator are allowed to access the secret.
If the secret is compromised, the administrator can replace it in the service vault and then redistribute it to those individual service instances that have not been compromised.
Prerequisites
- The Key Recovery Authority (KRA) Certificate System component has been installed on one or more of the servers in your IdM domain. For details, see Installing the Key Recovery Authority in IdM.
This section includes these procedure
Terminology used
In the procedures:
- admin is the administrator who manages the service password.
- private-key-to-an-externally-signed-certificate.pem is the file containing the service secret, in this case a private key to an externally signed certificate. Do not confuse this private key with the private key used to retrieve the secret from the vault.
- secret_vault is the vault created for the service.
- HTTP/webserver.idm.example.com is the service whose secret is being archived.
- service-public.pem is the service public key used to encrypt the password stored in password_vault.
- service-private.pem is the service private key used to decrypt the password stored in secret_vault.
4.1. Storing an IdM service secret in an asymmetric vault
Follow this procedure to create an asymmetric vault and use it to archive a service secret.
Prerequisites
- You know the IdM administrator password.
Procedure
Log in as the administrator:
$ kinit adminObtain the public key of the service instance. For example, using the
opensslutility:Generate the
service-private.pemprivate key.$ openssl genrsa -out service-private.pem 2048 Generating RSA private key, 2048 bit long modulus .+++ ...........................................+++ e is 65537 (0x10001)Generate the
service-public.pempublic key based on the private key.$ openssl rsa -in service-private.pem -out service-public.pem -pubout writing RSA key
Create an asymmetric vault as the service instance vault, and provide the public key:
$ ipa vault-add secret_vault --service HTTP/webserver.idm.example.com --type asymmetric --public-key-file service-public.pem ---------------------------- Added vault "secret_vault" ---------------------------- Vault name: secret_vault Type: asymmetric Public key: LS0tLS1C...S0tLS0tCg== Owner users: admin Vault service: HTTP/webserver.idm.example.com@IDM.EXAMPLE.COMThe password archived into the vault will be protected with the key.
Archive the service secret into the service vault:
$ ipa vault-archive secret_vault --service HTTP/webserver.idm.example.com --in private-key-to-an-externally-signed-certificate.pem ----------------------------------- Archived data into vault "secret_vault" -----------------------------------This encrypts the secret with the service instance public key.
Repeat these steps for every service instance that requires the secret. Create a new asymmetric vault for each service instance.
4.2. Retrieving a service secret for an IdM service instance
Follow this procedure to use a service instance to retrieve the service vault secret using a locally-stored service private key.
Prerequisites
- You have access to the keytab of the service principal owning the service vault, for example HTTP/webserver.idm.example.com.
- You have created an asymmetric vault and archived a secret in the vault.
- You have access to the private key used to retrieve the service vault secret.
Procedure
Log in as the administrator:
$ kinit adminObtain a Kerberos ticket for the service:
# kinit HTTP/webserver.idm.example.com -k -t /etc/httpd/conf/ipa.keytabRetrieve the service vault password:
$ ipa vault-retrieve secret_vault --service HTTP/webserver.idm.example.com --private-key-file service-private.pem --out secret.txt ------------------------------------ Retrieved data from vault "secret_vault" ------------------------------------
4.3. Changing an IdM service vault secret when compromised
Follow this procedure to isolate a compromised service instance by changing the service vault secret.
Prerequisites
- You know the IdM administrator password.
- You have created an asymmetric vault to store the service secret.
- You have generated the new secret and have access to it, for example in the new-private-key-to-an-externally-signed-certificate.pem file.
Procedure
Archive the new secret into the service instance vault:
$ ipa vault-archive secret_vault --service HTTP/webserver.idm.example.com --in new-private-key-to-an-externally-signed-certificate.pem ----------------------------------- Archived data into vault "secret_vault" -----------------------------------This overwrites the current secret stored in the vault.
- Retrieve the new secret on non-compromised service instances only. For details, see Retrieving a service secret for an IdM service instance.
