25.5. Storing a Service Secret in a Vault
This section shows how an administrator can use vaults to securely store a service secret in a centralized location. The service secret is encrypted with the service public key. The service then retrieves the secret using its private key on any machine in the domain. Only the service and the administrator are allowed to access the secret.
This section includes these procedures:
- 25.5.1. Creating a User Vault to Store a Service Password
- 25.5.2. Provisioning a Service Password from a User Vault to Service Instances
- 25.5.3. Retrieving a Service Password for a Service Instance
- 25.5.4. Changing Service Vault Password
In the procedures:
- admin is the administrator who manages the service password
- http_password is the name of the private user vault created by the administrator
- password.txt is the file containing the service password
- password_vault is the vault created for the service
- HTTP/server.example.com is the service whose password is being archived
- service-public.pem is the service public key used to encrypt the password stored in password_vault
25.5.1. Creating a User Vault to Store a Service Password
Create an administrator-owned user vault, and use it to store the service password. The vault type is standard, which means no additional password or key beyond the administrator's Kerberos credentials is required to access the contents of the vault.
- Log in as the administrator:
$ kinit admin
- Create a standard user vault:
$ ipa vault-add http_password --type standard
---------------------------
Added vault "http_password"
---------------------------
  Vault name: http_password
  Type: standard
  Owner users: admin
  Vault user: admin
- Archive the service password into the vault:
$ ipa vault-archive http_password --in password.txt
----------------------------------------
Archived data into vault "http_password"
----------------------------------------
Warning: After archiving the password into the vault, delete password.txt from your system.
25.5.2. Provisioning a Service Password from a User Vault to Service Instances
Using an asymmetric vault created for the service, provision the service password to a service instance.
- Log in as the administrator:
$ kinit admin
- Obtain the public key of the service instance. For example, using the openssl utility:
  - Generate the service-private.pem private key:
    $ openssl genrsa -out service-private.pem 2048
    Generating RSA private key, 2048 bit long modulus
    .+++
    ...........................................+++
    e is 65537 (0x10001)
  - Generate the service-public.pem public key based on the private key:
    $ openssl rsa -in service-private.pem -out service-public.pem -pubout
    writing RSA key
- Create an asymmetric vault as the service instance vault, and provide the public key:
$ ipa vault-add password_vault --service HTTP/server.example.com --type asymmetric --public-key-file service-public.pem
----------------------------
Added vault "password_vault"
----------------------------
  Vault name: password_vault
  Type: asymmetric
  Public key: LS0tLS1C...S0tLS0tCg==
  Owner users: admin
  Vault service: HTTP/server.example.com@EXAMPLE.COM
The password archived into the vault will be protected with the key.
- Retrieve the service password from the administrator's private vault, and then archive it into the new service vault:
$ ipa vault-retrieve http_password --out password.txt
-----------------------------------------
Retrieved data from vault "http_password"
-----------------------------------------
$ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
-----------------------------------
Archived data into vault "password_vault"
-----------------------------------
This encrypts the password with the service instance public key.
Warning: After archiving the password into the vault, delete password.txt from your system.
Repeat these steps for every service instance that requires the password. Create a new asymmetric vault for each service instance.
25.5.3. Retrieving a Service Password for a Service Instance
A service instance can retrieve the service vault password using the service private key stored locally on that instance.
- Log in as the administrator:
$ kinit admin
- Obtain a Kerberos ticket for the service:
# kinit HTTP/server.example.com -k -t /etc/httpd/conf/ipa.keytab
- Retrieve the service vault password:
$ ipa vault-retrieve password_vault --service HTTP/server.example.com --private-key-file service-private.pem --out password.txt
------------------------------------
Retrieved data from vault "password_vault"
------------------------------------
25.5.4. Changing Service Vault Password
If a service instance is compromised, isolate it by changing the service vault password and then re-provisioning the new password to non-compromised service instances only.
- Archive the new password in the administrator's user vault:
$ ipa vault-archive http_password --in new_password.txt
----------------------------------------
Archived data into vault "http_password"
----------------------------------------
This overwrites the current password stored in the vault.
- Re-provision the new password to each service instance, excluding the compromised instance:
  - Retrieve the new password from the administrator's vault:
    $ ipa vault-retrieve http_password --out password.txt
    -----------------------------------------
    Retrieved data from vault "http_password"
    -----------------------------------------
  - Archive the new password into the service instance vault:
    $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
    -----------------------------------
    Archived data into vault "password_vault"
    -----------------------------------
Warning: After archiving the password into the vault, delete password.txt from your system.
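The per-instance provisioning loop of 25.5.2 and the rotation of 25.5.4 (re-provision everywhere except the compromised instance) are the same procedure run over a host list. The script below is an added example and not part of the Red Hat documentation; the functions, the IPA_CMD override, and the assumption that each instance's public key is stored as <keydir>/<host>.pem are constructed for this illustration, while the ipa vault-show, vault-add, vault-archive and vault-retrieve commands are the ones the section uses.

```shell
# Constructed example (not from the IdM documentation). Fans a service password
# out from the administrator's user vault to each instance's asymmetric vault,
# skipping compromised instances. Assumes `kinit admin` was already run and that
# each instance's public key sits at <keydir>/<host>.pem (assumed layout).
set -eu

IPA_CMD="${IPA_CMD:-ipa}"                        # ipa client; overridable for a dry run
USER_VAULT="${USER_VAULT:-http_password}"        # administrator's standard vault
SERVICE_VAULT="${SERVICE_VAULT:-password_vault}" # per-instance asymmetric vault
SERVICE_NAME="${SERVICE_NAME:-HTTP}"             # service part of the principal

# Return 0 if host $1 is listed in the space-separated exclusion list $2.
is_excluded() {
    for h in $2; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# Provision the secret to one instance: $1 host, $2 public key file, $3 secret file.
# The asymmetric vault is created on first use; re-archiving afterwards lets
# IdM encrypt the new secret with the public key already stored in the vault.
provision_instance() {
    principal="$SERVICE_NAME/$1"
    [ -r "$2" ] || { echo "no public key for $1 at $2" >&2; return 1; }
    if ! "$IPA_CMD" vault-show "$SERVICE_VAULT" --service "$principal" >/dev/null 2>&1; then
        "$IPA_CMD" vault-add "$SERVICE_VAULT" --service "$principal" \
            --type asymmetric --public-key-file "$2" >/dev/null
    fi
    "$IPA_CMD" vault-archive "$SERVICE_VAULT" --service "$principal" --in "$3" >/dev/null
}

# Retrieve the secret once, provision it to every host in $1 not in list $2,
# reading keys from dir $3; prints the count. Plaintext lives only in a temp file.
reprovision_all() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    "$IPA_CMD" vault-retrieve "$USER_VAULT" --out "$tmp" >/dev/null
    count=0
    for host in $1; do
        if is_excluded "$host" "$2"; then
            echo "skipping compromised instance $host" >&2
            continue
        fi
        provision_instance "$host" "$3/$host.pem" "$tmp"
        count=$((count + 1))
    done
    rm -f "$tmp"
    echo "$count"
}
```

Typical use after `kinit admin` is `reprovision_all "web1.example.com web2.example.com" "web2.example.com" /root/instance-keys`, which rotates the secret to web1 only; the temp file holding the plaintext is removed before the function returns, so the "delete password.txt" step of the procedure is not left to the operator.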