
Chapter 2. Rotate the Fernet keys


It is recommended that you rotate your Fernet keys regularly: a compromised keystone key lets an attacker mint their own tokens and grant themselves access to a project. During rotation, the staged key is promoted to become the new primary key and the previous primary key is demoted to secondary status, which limits the value of a compromised primary key. keystone uses secondary keys only to decrypt and validate tokens that were issued under earlier primary keys; it never issues new tokens with them. Note that validation with a secondary key keeps succeeding until that key is purged from the repository, so a leaked key can still be used to forge tokens that keystone accepts until it ages out; treat every file in the repository as sensitive, not only the highest-numbered one.

For more information on Fernet keys, see https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/14/html-single/security_and_hardening_guide/index#fernet_tokens.

Fernet uses three types of keys, which are stored in /etc/keystone/fernet-keys. The highest-numbered file contains the primary key, which is used to generate new tokens and decrypt existing fernet tokens.

  • 0 - Contains the staged key, and will always be numbered 0. This key will be promoted to a primary key during the next rotation.
  • 1 and 2 - Contain the secondary keys.
  • 3 - Contains the primary key. This number will increment each time the keys are rotated, with the highest number always serving as the primary key.

2.1. Set the maximum number of Fernet keys

The maximum number of active keys is determined with the following calculation: fernet_max_active_keys = token-validity (hours) / rotation-interval (hours) + 2. The two extra keys are the staged key and the current primary key; the quotient is the number of secondary keys needed so that every unexpired token can still be validated. For example, with a 24-hour token validity and rotation every 12 hours: 24 / 12 + 2 = 4. If the value is set too low, tokens that have not yet expired stop validating as soon as the key that issued them is purged.
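To make the numbering rules and the sizing formula concrete, here is an added example that is not code from this page or from keystone itself. It models the key repository in memory: KeyRepository, rotation_trace and max_active_keys_for are hypothetical names, and a stdlib HMAC-SHA256 tag stands in for the real Fernet token format so that the script runs offline. The rotate method follows the rules described above (promote the staged key 0 to the next number, stage a fresh 0, drop the lowest-numbered secondaries once more than fernet_max_active_keys files exist), and the trace shows that with the default of 4 a token issued under key 1 keeps validating through two rotations and fails on the third, when key 1 is purged. The key_number override on issue goes beyond the text to show that a secondary key, while never used by keystone to issue tokens, still produces tokens that validate until it is purged.

```python
"""Added example: an in-memory model of keystone's Fernet key repository.

Not code from this page or from keystone. The rotation logic follows the
numbering rules described above; a stdlib HMAC-SHA256 tag stands in for the
real Fernet token format so that the script runs offline. KeyRepository,
rotation_trace and max_active_keys_for are hypothetical names.
"""
import base64
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def max_active_keys_for(token_validity_hours, rotation_hours):
    """Sizing rule from section 2.1: validity / rotation interval + 2.

    The +2 covers the staged key (0) and the current primary key."""
    return token_validity_hours // rotation_hours + 2


class KeyRepository:
    """Models /etc/keystone/fernet-keys as a mapping: file number -> key bytes."""

    def __init__(self, max_active_keys=4):
        self.max_active_keys = max_active_keys
        # fernet_setup leaves a staged key (0) and a primary key (1)
        self.keys = {0: os.urandom(32), 1: os.urandom(32)}

    def numbers(self):
        return sorted(self.keys)

    def primary(self):
        return max(self.keys)  # the highest-numbered file is always the primary

    def rotate(self):
        """One fernet_rotate: promote 0, stage a fresh 0, purge old secondaries."""
        new_primary = self.primary() + 1
        self.keys[new_primary] = self.keys.pop(0)
        self.keys[0] = os.urandom(32)
        numbered = sorted(n for n in self.keys if n != 0)
        # total files (staged key included) may not exceed max_active_keys;
        # the lowest-numbered secondaries are removed first
        while len(numbered) > self.max_active_keys - 1:
            del self.keys[numbered.pop(0)]
        return self.numbers()

    def issue(self, payload, key_number=None):
        """Mint a token. keystone only ever uses the primary key (the default);
        the key_number override models an attacker who holds any active key."""
        key = self.keys[self.primary() if key_number is None else key_number]
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def validate(self, token):
        """Try the primary first, then the secondaries, then the staged key."""
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        for number in sorted(self.keys, reverse=True):
            expected = hmac.new(self.keys[number], body, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                return json.loads(body)
        raise ValueError("token does not validate under any active key")

    def is_valid(self, token):
        try:
            self.validate(token)
            return True
        except ValueError:  # includes base64 decoding errors
            return False


def rotation_trace(max_active_keys=4, rotations=3):
    """Key numbers after each rotation, paired with whether a token issued
    under the original primary (key 1) still validates at that point."""
    repo = KeyRepository(max_active_keys)
    old_token = repo.issue({"user": "alice", "project": "demo"})  # constructed sample payload
    return [(repo.rotate(), repo.is_valid(old_token)) for _ in range(rotations)]


if __name__ == "__main__":
    print("max_active_keys for 24h tokens rotated every 12h:", max_active_keys_for(24, 12))
    for numbers, still_valid in rotation_trace():
        print("keys:", numbers, "token issued under key 1 still valid:", still_valid)
```

Running the script prints the same progression as the listings in section 2.2 (0 1 2, then 0 1 2 3, then 0 2 3 4) and shows the token from key 1 being rejected only once key 1 has been purged, which is exactly why the rotation interval and fernet_max_active_keys have to agree with the token validity period.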

You can configure director to manage the overcloud’s Fernet keys by adding a fernet_max_active_keys setting to the controllerExtraConfig section of your environment file:

  1. To set the maximum active keys for Fernet, add the following to your environment file:

    parameter_defaults:
    (...)
      controllerExtraConfig:
        keystone::fernet_max_active_keys: 4
Note

This approach has been replaced by a Mistral workflow in Red Hat OpenStack Platform 12 and higher.

2.2. Rotate the keys

This procedure creates a script that rotates the Fernet keys on one controller in your deployment, then copies the resulting key set to the other controller nodes so that every keystone instance validates tokens with the same keys.

  1. Review the existing Fernet keys:

    [heat-admin@overcloud-controller-0 ~]$ sudo ls /etc/keystone/fernet-keys
    0  1  2
    • 0 - Contains the staged key, (which becomes the next primary key) and will always be numbered 0.
    • 1 - Contains the secondary key.
    • 2 - Contains the primary key. This number will increment each time the keys are rotated, with the highest number always serving as the primary key.

      Note
      • The maximum number of keys is set by the fernet_max_active_keys property, 4 by default. Once a rotation would leave more files than that, the lowest-numbered secondary keys are removed.
      • Every controller must hold the same key set. The script below rotates the keys on controller-0 and copies the result to the other controllers.
  2. Create a script on the undercloud node:

    $ sudo vi /usr/local/bin/rotate-fernet-tokens.sh
  3. Add the following contents to the script:

    #!/bin/bash
    # Rotate the Fernet keys on controller-0 and copy the resulting key set to
    # the other controllers so that every keystone instance validates tokens
    # with the same keys.
    #
    # Abort on the first failure: if the rotation or the archive step on
    # controller-0 fails, the key directories on the other controllers must
    # not be wiped and overwritten with a stale or missing archive.
    set -eo pipefail
    
    source /home/stack/stackrc
    
    # Nova server name prefix of the controllers as shown by
    # 'openstack server list' on the undercloud; adjust if yours differ.
    controller_name="overcloud-controller-"
    
    tmp_dir=/tmp/fernet_keys
    
    controller0_ip=$(openstack server show ${controller_name}0 -f value -c addresses | sed s/ctlplane=//g)
    controller1_ip=$(openstack server show ${controller_name}1 -f value -c addresses | sed s/ctlplane=//g)
    controller2_ip=$(openstack server show ${controller_name}2 -f value -c addresses | sed s/ctlplane=//g)
    
    # Host key checking is disabled here, as in the original procedure. The
    # archive carries live signing keys across the ctlplane network; if you
    # keep a populated known_hosts for the overcloud nodes, point
    # UserKnownHostsFile at it instead of /dev/null.
    SSH="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
    SCP="scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
    
    # keep the local copy of the key archive readable by the stack user only
    umask 077
    mkdir -p $tmp_dir
    cd $tmp_dir
    
    # rotate fernet keys on controller-0, tar them up and copy them to the local node
    $SSH heat-admin@${controller0_ip} "sudo keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone"
    $SSH heat-admin@${controller0_ip} "sudo rm -f /tmp/fernet-keys.tar ; sudo find /etc/keystone/fernet-keys -maxdepth 1 -type f -execdir sudo tar -rf /tmp/fernet-keys.tar {} \; ; sudo chown heat-admin. /tmp/fernet-keys.tar && sudo tar -tf /tmp/fernet-keys.tar"
    $SCP heat-admin@${controller0_ip}:/tmp/fernet-keys.tar .
    
    # replace the key set on controller-1 with the rotated one and display it
    $SCP fernet-keys.tar heat-admin@${controller1_ip}:
    $SSH heat-admin@${controller1_ip} "sudo find /etc/keystone/fernet-keys -maxdepth 1 -type f | sudo xargs -I {} rm -f {} ; sudo tar -xf /home/heat-admin/fernet-keys.tar -C /etc/keystone/fernet-keys ; sudo chown keystone. /etc/keystone/fernet-keys -R ; sudo ls -al /etc/keystone/fernet-keys"
    
    # replace the key set on controller-2 with the rotated one and display it
    $SCP fernet-keys.tar heat-admin@${controller2_ip}:
    $SSH heat-admin@${controller2_ip} "sudo find /etc/keystone/fernet-keys -maxdepth 1 -type f | sudo xargs -I {} rm -f {} ; sudo tar -xf /home/heat-admin/fernet-keys.tar -C /etc/keystone/fernet-keys ; sudo chown keystone. /etc/keystone/fernet-keys -R ; sudo ls -al /etc/keystone/fernet-keys"
    
    # reload httpd so that keystone picks up the new key set
    $SSH heat-admin@${controller0_ip} sudo systemctl reload httpd
    $SSH heat-admin@${controller1_ip} sudo systemctl reload httpd
    $SSH heat-admin@${controller2_ip} sudo systemctl reload httpd
    
    # remove the plaintext key archives left behind on the undercloud and the controllers
    rm -f $tmp_dir/fernet-keys.tar
    $SSH heat-admin@${controller0_ip} "sudo rm -f /tmp/fernet-keys.tar"
    $SSH heat-admin@${controller1_ip} "rm -f /home/heat-admin/fernet-keys.tar"
    $SSH heat-admin@${controller2_ip} "rm -f /home/heat-admin/fernet-keys.tar"
    Note

    This script reloads the httpd service on every controller (systemctl reload httpd) so that keystone picks up the new keys. Expect a brief interruption to the horizon and keystone services while Apache reloads.

    Note

    This script assumes you have three controller nodes. You will need to update this script if your deployment uses a different number of controllers.

  4. Make the script executable:

    [stack@director ~]$ sudo chmod +x /usr/local/bin/rotate-fernet-tokens.sh
  5. Rotate the Fernet keys:

    $ bash /usr/local/bin/rotate-fernet-tokens.sh
  6. On a controller node, list the Fernet keys again and compare the result with step 1. On a containerized deployment, keystone's configuration, including the key repository, is kept on the host under /var/lib/config-data/puppet-generated/keystone/etc/keystone, which is why the path differs from the one in step 1:

    [heat-admin@overcloud-controller-0 ~]$ sudo ls /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys
    0  1  2  3
    • 0 - Contains the staged key, and will always be numbered 0. This key will be promoted to a primary key during the next rotation.
    • 1 and 2 - Contain the secondary keys.
    • 3 - Contains the primary key. This number will increment each time the keys are rotated, with the highest number always serving as the primary key.
  7. Consider configuring a cron job to run the script from the undercloud at the rotation interval you used in the calculation in section 2.1. This example runs the script every 12 hours, at 00:00 and 12:00:

    $ echo "0 */12 * * * stack bash /usr/local/bin/rotate-fernet-tokens.sh" | sudo tee /etc/cron.d/1rotate-fernet-tokens