How to enable dogtag and symantec plugin in Barbican

asked 2015-05-21 20:10:38 -0500


updated 2015-05-27 01:57:37 -0500


Hi,

I am running devstack on Ubuntu as a virtual machine. Please let me know how I can enable the dogtag and symantec plugins for certificates. Should I enable them in devstack's local.conf? I see the check below for BARBICAN_USE_DOGTAG, but I am not sure which option I should enable for this.

Also, to use the dogtag CA, should I be running devstack on Fedora instead of Ubuntu for local development?

devstack/extras.d/70-barbican.sh:

elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
        echo_summary "Configuring Barbican"
        configure_barbican
        if [[ -n $BARBICAN_USE_DOGTAG ]]; then  # <<< this check
            configure_dogtag_plugin
        fi

CA Plugins installed - don't see dogtag or symantec here:

curl  -H 'content-type:application/json' -H "X-Auth-Token:ea0454c4e1b9404c8405c20f4a54c390" http://localhost:9311/v1/cas/
{"cas": ["http://localhost:9311/v1/cas/c1ca4ea6-0b93-47aa-90ed-a52352e67468"], "total": 1}

curl  -H 'content-type:application/json' -H "X-Auth-Token:ea0454c4e1b9404c8405c20f4a54c390" http://localhost:9311/v1/cas/c1ca4ea6-0b93-47aa-90ed-a52352e67468
{"status": "ACTIVE", "updated": "2015-05-21T16:27:04", "created": "2015-05-21T16:27:04", "plugin_name": "barbican.plugin.simple_certificate_manager.SimpleCertificatePlugin", "meta": [{"ca_signing_cert": "XXXXXXXXXXXXXXXXX"}, {"intermediates": "YYYYYYYYYYYYYYYY"}, {"name": "Simple CA"}, {"description": "Certificate Authority - Simple CA"}], "ca_id": "c1ca4ea6-0b93-47aa-90ed-a52352e67468", "plugin_ca_id": "Simple CA", "expiration": "2015-05-22T16:27:04"}

Certificate creation request - with the default CA, if I try to generate certificate, it stays in the Pending state:

test@ubuntu:~/devstack$ 
test@ubuntu:~/devstack$ curl -X POST -H 'content-type:application/json' -H "X-Auth-Token:6df4ccb04575456cbd284eee99afa9eb" -d'{"type":"certificate","meta":{"profile_id":"caServCert","cert_request_type":"pkcs10","cert_request":"MII"}}' http://localhost:9311/v1/orders/
{"order_ref": "http://localhost:9311/v1/orders/6ec10fb0-c4b4-418f-8d56-af48a85c1e7f"}


test@ubuntu:~/devstack$ 
test@ubuntu:~/devstack$ curl -H "X-Auth-Token:488903bb6dbf4cd3a10f2eb10a7e54e0" http://localhost:9311/v1/orders/6ec10fb0-c4b4-418f-8d56-af48a85c1e7f
{"status": "PENDING", "sub_status": "cert_request_pending", "updated": "2015-05-21T16:44:28", "created": "2015-05-21T16:44:28", "order_ref": "http://localhost:9311/v1/orders/6ec10fb0-c4b4-418f-8d56-af48a85c1e7f", "creator_id": "992f4bb2499a473d9e40dc44dc9633ed", "meta": {"profile_id": "caServCert", "cert_request": "MII", "cert_request_type": "pkcs10"}, "sub_status_message": "Request has been submitted to the CA.  Waiting for certificate to be generated", "type": "certificate"}
test@ubuntu:~/devstack$
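The checks the curl commands above perform by hand, as an added example that is not part of the question or of the Barbican project: list the registered CAs and their plugin_name, test whether any CA is backed by a plugin whose name contains "dogtag", and poll a certificate order until it leaves PENDING or a deadline passes. The endpoint http://localhost:9311, the CA and order identifiers and the JSON shapes are taken from the question; the injectable fetch callable, the substring match on plugin_name and the canned responses are assumptions made so the code runs offline.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional

BARBICAN = "http://localhost:9311/v1"   # endpoint used by the curl commands above
Fetcher = Callable[[str], str]           # url -> raw JSON body


def http_fetcher(token: str) -> Fetcher:
    """Real transport: GET with X-Auth-Token, like the curl calls (not used offline)."""
    def fetch(url: str) -> str:
        req = urllib.request.Request(url, headers={
            "X-Auth-Token": token, "content-type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")
    return fetch


def list_cas(fetch: Fetcher, base: str = BARBICAN) -> List[Dict]:
    """GET /v1/cas/ and then each CA ref; return the CA documents."""
    index = json.loads(fetch(base + "/cas/"))
    return [json.loads(fetch(ref)) for ref in index.get("cas", [])]


def find_ca_by_plugin(cas: List[Dict], needle: str) -> Optional[Dict]:
    """First CA whose plugin_name contains `needle` (case-insensitive), else None.
    Substring matching is an assumption; it avoids hard-coding a plugin class path."""
    needle = needle.lower()
    for ca in cas:
        if needle in ca.get("plugin_name", "").lower():
            return ca
    return None


def wait_for_order(fetch: Fetcher, order_ref: str, timeout_s: float = 60.0,
                   poll_s: float = 2.0, clock=time.monotonic, sleep=time.sleep) -> Dict:
    """Poll an order until its status leaves PENDING or the deadline passes.
    The last document fetched is returned either way, so a caller that still
    sees status == "PENDING" after the timeout knows the backend CA never answered."""
    deadline = clock() + timeout_s
    while True:
        order = json.loads(fetch(order_ref))
        if order.get("status") != "PENDING" or clock() >= deadline:
            return order
        sleep(poll_s)


# ---- constructed offline fixture mirroring the JSON shown in the question ----
CA_REF = BARBICAN + "/cas/c1ca4ea6-0b93-47aa-90ed-a52352e67468"
ORDER_REF = BARBICAN + "/orders/6ec10fb0-c4b4-418f-8d56-af48a85c1e7f"
SIMPLE_PLUGIN = "barbican.plugin.simple_certificate_manager.SimpleCertificatePlugin"


def fake_fetcher(pending_polls: int) -> Fetcher:
    """Serve canned responses; the order reports PENDING for `pending_polls` GETs."""
    polls = {"n": 0}

    def fetch(url: str) -> str:
        if url == BARBICAN + "/cas/":
            return json.dumps({"cas": [CA_REF], "total": 1})
        if url == CA_REF:
            return json.dumps({"status": "ACTIVE", "plugin_name": SIMPLE_PLUGIN,
                               "plugin_ca_id": "Simple CA",
                               "ca_id": "c1ca4ea6-0b93-47aa-90ed-a52352e67468"})
        if url == ORDER_REF:
            polls["n"] += 1
            if polls["n"] <= pending_polls:
                return json.dumps({"status": "PENDING", "sub_status": "cert_request_pending",
                                   "order_ref": ORDER_REF, "type": "certificate"})
            return json.dumps({"status": "ACTIVE", "order_ref": ORDER_REF,
                               "type": "certificate"})   # constructed completion
        raise ValueError("unexpected URL: " + url)
    return fetch


def demo(pending_polls: int, timeout_s: float) -> Dict:
    """Run the three checks against the fixture with a simulated clock."""
    fetch = fake_fetcher(pending_polls)
    cas = list_cas(fetch)
    ticks = {"t": 0.0}

    def clock() -> float:
        return ticks["t"]

    def sleep(s: float) -> None:
        ticks["t"] += s

    order = wait_for_order(fetch, ORDER_REF, timeout_s, poll_s=1.0, clock=clock, sleep=sleep)
    return {
        "plugins": [ca["plugin_name"] for ca in cas],
        "dogtag_registered": find_ca_by_plugin(cas, "dogtag") is not None,
        "final_status": order["status"],
        "sub_status": order.get("sub_status"),
    }


if __name__ == "__main__":
    print(demo(pending_polls=2, timeout_s=10.0))    # order completes
    print(demo(pending_polls=100, timeout_s=3.0))   # order stays PENDING, as in the question
```

Against a live devstack, replace `fake_fetcher(...)` with `http_fetcher(token)`; a result of `dogtag_registered == False` with only the simple plugin listed reproduces the state shown in the question, and a PENDING order that never changes is the symptom of a CA backend that is not actually issuing.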

1 answer


answered 2015-05-27 01:01:25 -0500


This is how I solved the issue. Might be useful for someone else.

Refer: https://docs.google.com/presentation/d/1peAZAAFhPvJt6n_j9kLsZMR6tyxoikZn9NJjkOzeyp0/edit#slide=id.g7770b592a_2_278

  • move my devstack to a Fedora VM
  • select DogTag Certification when you configure the Fedora VM
  • follow the links here and run the commands below - http://pki.fedoraproject.org/wiki/Quick_Start

yum install 389-ds-base

Modify ca.cfg to use a different HTTP port, as the default one will conflict with OpenStack:

[root@fedora3 ~]# cat ca.cfg

[CA]
pki_admin_email=caadmin@cisco.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=cisco,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=CISCO
pki_token_password=Secret123
pki_https_port=8263

pkispawn -v -f ca.cfg -s CA

Try out a few things manually based on your dogtag version: http://pki.fedoraproject.org/wiki/User_Certificate

Sample python Code to test:

import pki.cert
import pki.client
import pki.profile


scheme = 'https'
host = 'localhost'
port = '8263'          # the pki_https_port set in ca.cfg above
subsystem = 'ca'
conn = pki.client.PKIConnection(scheme, host, port, subsystem)
# client certificate (PEM) used to authenticate to the CA
conn.set_authentication_cert("/root.hai.pem")

cert_client = pki.cert.CertClient(conn)

# Enrolling a server certificate
print("Enrolling a server certificate")
print('------------------------------')

inputs = dict()
inputs['cert_request_type'] = 'pkcs10'
inputs['cert_request'] = "MIIBmDCCAQECAQAwWDELMAkGA1UEBhMCVVMxCzAJBgNVBAg" \
                             "MAk5DMRAwDgYDVQQHDAdSYWxlaWdoMRUwEwYDVQQKDAxSZW" \
                             "QgSGF0IEluYy4xEzARBgNVBAMMClRlc3RTZXJ2ZXIwgZ8wD" \
                             "QYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMJpWz92dSYCvWxl" \
                             "lrQCY5atPKCswUwyppRNGPnKmJ77AdHBBI4dFyET+h/+69j" \
                             "QMTLZMa8FX7SbyHvgbgLBP4Q/RzCSE2S87qFNjriOqiQCqJ" \
                             "mcrzDzdncJQiP+O7T6MSpLo3smLP7dK1Vd7vK0Vy8yHwV0e" \
                             "Bx7DgYedv2slBPHAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB" \
                             "gQBvkxAGKwkfK3TKwLc5Mg0IWp8zGRVwxdIlghAL8DugNoc" \
                             "CNNgmZazglJOOehLuk0/NkLX1ZM5RrVgM09W6kcfWZtIwr5" \
                             "Uje2K/+6tW2ZTGrbizs7CNOTMzA/9H8CkHb4H9P/qRT275z" \
                             "HIocYj4smUnXLwWGsBMeGs+OMMbGvSrHg=="

inputs['requestor_name'] = 'Tester'
inputs['requestor_email'] = 'example@redhat.com'

# submit the PKCS#10 request against the caServerCert profile
enrollment_results = cert_client.enroll_cert('caServerCert', inputs)
for enrollment_result in enrollment_results:
    request_data = enrollment_result.request
    cert_data = enrollment_result.cert
    print('Request ID: ' + request_data.request_id)
    print('Request Status: ' + request_data.request_status)
    # cert is only populated once the CA has actually issued the certificate
    if cert_data is not None:
        print('Serial number: ' + str(cert_data.serial_number))
    print()

Run pki cert-find to check if the certificate has been generated successfully.
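A pre-flight check for the ca.cfg step above, as an added example that is not part of the answer or of the Dogtag project: it parses the [CA] section before `pkispawn -v -f ca.cfg -s CA` is run, flags a pki_https_port that collides with a port already listening on the host (the answer notes that the default port conflicts with OpenStack), and flags password keys that reuse one value or fall below a minimum length. The sample ca.cfg is the answer's own; the `ss -ltn` output is constructed for this example (Barbican's 9311 comes from the question, the other listeners are made up), and 8443 is used as pkispawn's default https port.

```python
import configparser
from typing import List, Set, Tuple

PKISPAWN_DEFAULT_HTTPS_PORT = 8443   # pkispawn's default pki_https_port

# The [CA] section from the answer above.
SAMPLE_CA_CFG = """\
[CA]
pki_admin_email=caadmin@cisco.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=cisco,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=CISCO
pki_token_password=Secret123
pki_https_port=8263
"""

# Constructed sample of `ss -ltn` output on a devstack host: Barbican on 9311 as in
# the question; 5000, 8443 and 389 are made up for this example.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:9311         0.0.0.0:*
LISTEN  0       128     0.0.0.0:5000         0.0.0.0:*
LISTEN  0       128     [::]:8443            [::]:*
LISTEN  0       128     127.0.0.1:389        0.0.0.0:*
"""

Finding = Tuple[str, str]   # (code, human-readable message)


def busy_ports_from_ss(text: str) -> Set[int]:
    """Extract listening TCP ports from `ss -ltn` output (header line skipped)."""
    ports: Set[int] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        # local address is column 4; the port follows the last colon ([::]:8443, 0.0.0.0:9311)
        ports.add(int(parts[3].rsplit(":", 1)[1]))
    return ports


def lint_ca_cfg(cfg_text: str, busy_ports: Set[int], min_pw_len: int = 12) -> List[Finding]:
    """Return findings for port conflicts and weak or reused pki_*_password values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    ca = parser["CA"]
    findings: List[Finding] = []

    port = ca.getint("pki_https_port", fallback=PKISPAWN_DEFAULT_HTTPS_PORT)
    if port in busy_ports:
        findings.append(("PORT_CONFLICT",
                         f"pki_https_port {port} is already listening on this host"))

    by_value = {}
    for key, value in ca.items():
        if not key.endswith("_password"):
            continue
        by_value.setdefault(value, []).append(key)
        if len(value) < min_pw_len:
            findings.append(("PASSWORD_SHORT",
                             f"{key} is shorter than {min_pw_len} characters"))
    for value, keys in by_value.items():
        if len(keys) > 1:
            findings.append(("PASSWORD_REUSE",
                             "same value used for " + ", ".join(sorted(keys))))
    return findings


def codes(findings: List[Finding]) -> List[str]:
    """Distinct finding codes, sorted, for quick pass/fail decisions."""
    return sorted({code for code, _ in findings})


if __name__ == "__main__":
    busy = busy_ports_from_ss(SAMPLE_SS_OUTPUT)
    for code, msg in lint_ca_cfg(SAMPLE_CA_CFG, busy):
        print(f"{code}: {msg}")
```

With the answer's config the port check passes (8263 is free) but every pki_*_password shares one short value; changing pki_https_port back to 8443 in the sample reproduces the conflict the answer warns about. On a real host, feed the function the output of `ss -ltn` instead of the constructed sample.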
