Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 4. Managing IdM service secrets: storing and retrieving secrets
This section describes how an administrator can use a service vault in Identity Management (IdM) to securely store a service secret in a centralized location. The vault used in the example is asymmetric, which means that to use it, the administrator needs to perform the following steps:
-
Generate a private key using, for example, the
opensslutility. - Generate a public key based on the private key.
The service secret is encrypted with the public key when an administrator archives it into the vault. Afterwards, a service instance hosted on a specific machine in the domain retrieves the secret using the private key. Only the service and the administrator are allowed to access the secret.
If the secret is compromised, the administrator can replace it in the service vault and then redistribute it to those individual service instances that have not been compromised.
Prerequisites
- The Key Recovery Authority (KRA) Certificate System component has been installed on one or more of the servers in your IdM domain. For details, see Installing the Key Recovery Authority in IdM.
In the procedures below:
- The IdM admin user is the administrator who manages the service password.
- private-key-to-an-externally-signed-certificate.pem is the file containing the service secret, in this case a private key to an externally signed certificate. Do not confuse this private key with the private key used to retrieve the secret from the vault.
- secret_vault is the vault created for the service.
- HTTP/webserver.idm.example.com is the service whose secret is being archived.
- service-public.pem is the service public key used to encrypt the password stored in password_vault.
- service-private.pem is the service private key used to decrypt the password stored in secret_vault.
4.1. Storing an IdM service secret in an asymmetric vault
Follow this procedure to create an asymmetric vault and use it to archive a service secret.
Prerequisites
- You know the IdM administrator password.
Procedure
Log in as the administrator:
kinit admin
$ kinit adminCopy to Clipboard Copied! Toggle word wrap Toggle overflow Obtain the public key of the service instance. For example, using the
opensslutility:Generate the
service-private.pemprivate key.openssl genrsa -out service-private.pem 2048
$ openssl genrsa -out service-private.pem 2048 Generating RSA private key, 2048 bit long modulus .+++ ...........................................+++ e is 65537 (0x10001)Copy to Clipboard Copied! Toggle word wrap Toggle overflow Generate the
service-public.pempublic key based on the private key.openssl rsa -in service-private.pem -out service-public.pem -pubout
$ openssl rsa -in service-private.pem -out service-public.pem -pubout writing RSA keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Create an asymmetric vault as the service instance vault, and provide the public key:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow The password archived into the vault will be protected with the key.
Archive the service secret into the service vault:
ipa vault-archive secret_vault --service HTTP/webserver.idm.example.com --in private-key-to-an-externally-signed-certificate.pem
$ ipa vault-archive secret_vault --service HTTP/webserver.idm.example.com --in private-key-to-an-externally-signed-certificate.pem ----------------------------------- Archived data into vault "secret_vault" -----------------------------------Copy to Clipboard Copied! Toggle word wrap Toggle overflow This encrypts the secret with the service instance public key.
Repeat these steps for every service instance that requires the secret. Create a new asymmetric vault for each service instance.
4.2. Retrieving a service secret for an IdM service instance
Follow this procedure to use a service instance to retrieve the service vault secret using a locally-stored service private key.
Prerequisites
- You have access to the keytab of the service principal owning the service vault, for example HTTP/webserver.idm.example.com.
- You have created an asymmetric vault and archived a secret in the vault.
- You have access to the private key used to retrieve the service vault secret.
Procedure
Log in as the administrator:
kinit admin
$ kinit adminCopy to Clipboard Copied! Toggle word wrap Toggle overflow Obtain a Kerberos ticket for the service:
kinit HTTP/webserver.idm.example.com -k -t /etc/httpd/conf/ipa.keytab
# kinit HTTP/webserver.idm.example.com -k -t /etc/httpd/conf/ipa.keytabCopy to Clipboard Copied! Toggle word wrap Toggle overflow Retrieve the service vault password:
ipa vault-retrieve secret_vault --service HTTP/webserver.idm.example.com --private-key-file service-private.pem --out secret.txt
$ ipa vault-retrieve secret_vault --service HTTP/webserver.idm.example.com --private-key-file service-private.pem --out secret.txt ------------------------------------ Retrieved data from vault "secret_vault" ------------------------------------Copy to Clipboard Copied! Toggle word wrap Toggle overflow
4.3. Changing an IdM service vault secret when compromised
Follow this procedure to isolate a compromised service instance by changing the service vault secret.
Prerequisites
- You know the IdM administrator password.
- You have created an asymmetric vault to store the service secret.
- You have generated the new secret and have access to it, for example in the new-private-key-to-an-externally-signed-certificate.pem file.
Procedure
Archive the new secret into the service instance vault:
ipa vault-archive secret_vault --service HTTP/webserver.idm.example.com --in new-private-key-to-an-externally-signed-certificate.pem
$ ipa vault-archive secret_vault --service HTTP/webserver.idm.example.com --in new-private-key-to-an-externally-signed-certificate.pem ----------------------------------- Archived data into vault "secret_vault" -----------------------------------Copy to Clipboard Copied! Toggle word wrap Toggle overflow This overwrites the current secret stored in the vault.
- Retrieve the new secret on non-compromised service instances only. For details, see Retrieving a service secret for an IdM service instance.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}