Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

25.5. Storing a Service Secret in a Vault

This section shows how an administrator can use vaults to securely store a service secret in a centralized location. The service secret is encrypted with the service public key. The service then retrieves the secret using its private key on any machine in the domain. Only the service and the administrator are allowed to access the secret.
This section includes these procedures:
In the procedures:
  • admin is the administrator who manages the service password
  • http_password is the name of the private user vault created by the administrator
  • password.txt is the file containing the service password
  • password_vault is the vault created for the service
  • HTTP/server.example.com is the service whose password is being archived
  • service-public.pem is the service public key used to encrypt the password stored in password_vault

25.5.1. Creating a User Vault to Store a Service Password
Copia collegamento

Create an administrator-owned user vault, and use it to store the service password. The vault type is standard, which ensures the administrator is not required to authenticate when accessing the contents of the vault.
  1. Log in as the administrator: 
    $ kinit admin
    Copy to Clipboard Toggle word wrap
  2. Create a standard user vault: 
    $ ipa vault-add http_password --type standard
---------------------------
Added vault "http_password"
---------------------------
  Vault name: http_password
  Type: standard
  Owner users: admin
  Vault user: admin
    Copy to Clipboard Toggle word wrap
  3. Archive the service password into the vault: 
    $ ipa vault-archive http_password --in password.txt
----------------------------------------
Archived data into vault "http_password"
----------------------------------------
    Copy to Clipboard Toggle word wrap
    Warning
    After archiving the password into the vault, delete password.txt from your system.

25.5.2. Provisioning a Service Password from a User Vault to Service Instances
Copia collegamento

Using an asymmetric vault created for the service, provision the service password to a service instance.
  1. Log in as the administrator: 
    $ kinit admin
    Copy to Clipboard Toggle word wrap
  2. Obtain the public key of the service instance. For example, using the openssl utility:
    1. Generate the service-private.pem private key. 
      $ openssl genrsa -out service-private.pem 2048
Generating RSA private key, 2048 bit long modulus
.+++
...........................................+++
e is 65537 (0x10001)
      Copy to Clipboard Toggle word wrap
    2. Generate the service-public.pem public key based on the private key. 
      $ openssl rsa -in service-private.pem -out service-public.pem -pubout
writing RSA key
      Copy to Clipboard Toggle word wrap
  3. Create an asymmetric vault as the service instance vault, and provide the public key: 
    $ ipa vault-add password_vault --service HTTP/server.example.com --type asymmetric --public-key-file service-public.pem
----------------------------
Added vault "password_vault"
----------------------------
Vault name: password_vault
Type: asymmetric
Public key: LS0tLS1C...S0tLS0tCg==
Owner users: admin
Vault service: HTTP/server.example.com@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap
    The password archived into the vault will be protected with the key.
  4. Retrieve the service password from the administrator's private vault, and then archive it into the new service vault: 
    $ ipa vault-retrieve http_password --out password.txt
-----------------------------------------
Retrieved data from vault "http_password"
-----------------------------------------
    Copy to Clipboard Toggle word wrap 
    $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
-----------------------------------
Archived data into vault "password_vault"
-----------------------------------
    Copy to Clipboard Toggle word wrap
    This encrypts the password with the service instance public key.
    Warning
    After archiving the password into the vault, delete password.txt from your system.
Repeat these steps for every service instance that requires the password. Create a new asymmetric vault for each service instance.

25.5.3. Retrieving a Service Password for a Service Instance
Copia collegamento

A service instance can retrieve the service vault password using the locally-stored service private key.
  1. Log in as the administrator: 
    $ kinit admin
    Copy to Clipboard Toggle word wrap
  2. Obtain a Kerberos ticket for the service: 
    # kinit HTTP/server.example.com -k -t /etc/httpd/conf/ipa.keytab
    Copy to Clipboard Toggle word wrap
  3. Retrieve the service vault password: 
    $ ipa vault-retrieve password_vault --service HTTP/server.example.com --private-key-file service-private.pem --out password.txt
------------------------------------
Retrieved data from vault "password_vault"
------------------------------------
    Copy to Clipboard Toggle word wrap

25.5.4. Changing Service Vault Password
Copia collegamento

If a service instance is compromised, isolate it by changing the service vault password and then re-provisioning the new password to non-compromised service instances only.
  1. Archive the new password in the administrator's user vault: 
    $ ipa vault-archive http_password --in new_password.txt
----------------------------------------
Archived data into vault "http_password"
----------------------------------------
    Copy to Clipboard Toggle word wrap
    This overwrites the current password stored in the vault.
  2. Re-provision the new password to each service instance excluding the compromised instance.
    1. Retrieve the new password from the administrator's vault: 
      $ ipa vault-retrieve http_password --out password.txt
-----------------------------------------
Retrieved data from vault "http_password"
-----------------------------------------
      Copy to Clipboard Toggle word wrap
    2. Archive the new password into the service instance vault: 
      $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
-----------------------------------
Archived data into vault "password_vault"
-----------------------------------
      Copy to Clipboard Toggle word wrap
      Warning
      After archiving the password into the vault, delete password.txt from your system.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat