...
$enable_pki = trueDoes this turn PKI on/off, turn PKI management on/off, turn the SIMP-specific PKI system on/off (see: The New Layout for all SIMP Modules)?
$use_simp_pki= trueOkay, this looks like it explicitly means "Use SIMP's PKI system (e.g., FakeCA, keydist/, pki::copy)"
$cert_source= '/absolute/path/to/dir'- simp-apache & simp-rsyslog: Defines what directory look for certs in a
Suggested Alternative Name:
$pki_cert_dir = '/same/as/cert_source/w/a/better/name'
Individual cert files (names differ between examples, but basically):
$pki_cert_file = "${::modulename::cert_source}/public/${::fqdn}.pub"$pki_key_file = "${::modulename::cert_source}/private/${::fqdn}.pem"$pki_ca_file = "${::modulename::cert_source}/cacerts/cacerts.pem"NOTE: The fact
$::fqdnis used instead of$::trusted['certname']because masterless environments such as "puppet apply"must be honored.
- Various tweaks (probably vary from:
$enable_ssl = true # Turn SSL on or off$validate_ssl = true # vsftpd setting- $validation_depth = 2 # example of app-specific setting; apache uses this for SSL
- There are variations and permutation of these parameters across all modules; and we should standardize them
Responsibilites
- MANAGE: How should we tell a SIMP module to manage PKI (at all)?
- The opposite of "manage" is "leave it alone."
- Examples of management:
- where to look for certs, cacerts
- ensure that PKI/SSL is on or off
- ensure that PKI/SSL is validated
- These may all be controlled by subsequent parameters
- Examples of something other than management:
- Distributing certificates on the filesystem
- This is EXTRA because it needs additional information and can change
- Distributing certificates on the filesystem
- current param:
$enable_pki (bool) - suggested param:
$manage_pki (bool or see below)- QUESTION what should the type be?
- QUESTION what should the type be?
ASSETS: What resources does the module need to know about to integrate PKI?
PKI assets = key, cert, cacert
file-based: x509+RSA files
simp-pki module's
pki::copyfrom FakeCAsimp-beaker-helpers gem's
pki_copy_tofunction.IMPORTANT: Independent file delivery mechanism
The files get there, but in a way SIMP (and possibly Puppet) doesn't manage
probably no need to do anything
QUESTION: Is it reasonable to always expect PKI cert/key/cacert to be present in the same directory structure as pki::copy?
- file-based: java keystore / truststore
- moonshots (probably not feasible):
PKI stored in LDAP
PKI stored in TPM
DISTRO: What PKI asset distribution methods should SIMP manage?
SIMP has the pki::copy function, which copies the host's cert+key+cacert into a local directory
the structure:
HOST_PKI_DIR/cacerts/cacerts.pempublic/fdqn.pubprivate/fdqn.pem
- This supports individual PKI distribution per-application
- accommodates SELinux
- some applications (particularly in multi-homed environments) some use separate PKI certs/CAs
- current param:
$use_simp_pki (bool) suggested param:
$use_simp_pki or $manage_pki(if "Stroolean")
...
- What PKI-related parameters should we standardize on?
- One solution:
$manage_pki = true #$use_simp_keydist= true # uses pki::copy$pki_cert_dir= '/absolute/path/to/dir' #If individual:
$pki_cert_file = "${::modulename::pki_cert_dir}/public/${::fqdn}.pub"$pki_key_file = "${::modulename::pki_cert_dir}/private/${::fqdn}.pem"$pki_ca_file = "${::modulename::pki_cert_dir}/cacerts/cacerts.pem"NOTE: The fact
$::fqdnis used instead of$::trusted['certname']because masterless environments such as "puppet apply"must be honored.
$enable_ssl = true # Turn SSL on or off$validate_ssl = true # vsftpd setting$validation_depth = 2# example of app-specific setting; apache uses this for SSL
- One solution:
- How do we tell a SIMP module to use a given distribution method?
- Some modules use a boolean parameter,
$use_simp_pki, to turn onpki::copy - Any alternative delivery mechanism is currently not managed by SIMP
- Additional question: will (should) we manage distribution methods other than SIMP?
- Some modules use a boolean parameter,
...