Barbican is a component of OpenStack that stores, provisions, and manages secret data. It acts as the key manager for VMware Integrated OpenStack.

Barbican is enabled and configured with the simple crypto plugin when you install or upgrade to VMware Integrated OpenStack 5.1. After deployment, you can modify the configuration to use Key Management Interoperability Protocol (KMIP).

Note:

With Barbican, tenants must explicitly grant the barbican user access to the certificates, keys, and TLS containers that their projects store in Barbican before LBaaS can use them. If you do not want tenants to configure these ACLs themselves, you can modify custom-playbook.yml so that the barbican user is granted access to all objects stored in Barbican. Because tenants may store objects unrelated to LBaaS in Barbican, and because this change widens read access well beyond the barbican user, make sure that you understand and accept the security implications before proceeding.

To grant the barbican user access to all objects stored in Barbican, set the value of both secret:get and container:get in the /etc/barbican/policy.json file to "rule:all_users". Note that this replaces the default checks (project ownership and per-object ACL) with a role check only: any user who holds one of the roles listed in the all_users rule can then read every project's secrets and containers, not only the barbican user.
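The following script makes the policy.json change described in the note and, more importantly, audits what it does: it expands the rule references the way the policy engine would and reports whether any project-ownership or per-object ACL check is left in secret:get and container:get. This is an added example, not VMware's or the Barbican project's code. It assumes the JSON policy.json format Barbican used at the time (rule name mapped to an oslo.policy rule string); SAMPLE_POLICY is a constructed, simplified excerpt modelled on Barbican's default rules, not a copy of a real deployment's file, so compare its names against your own /etc/barbican/policy.json before relying on the audit.

```python
"""Apply and audit the "rule:all_users" change to a Barbican policy.json.

Added example (not VMware's or Barbican's code). Assumes the JSON
policy.json format: {"rule name": "oslo.policy rule string", ...}.
"""
import json
import re

# Constructed, simplified excerpt modelled on Barbican's default policy.json.
# Real files contain more rules; the names here are the ones the audit relies on.
SAMPLE_POLICY = {
    "admin": "role:admin",
    "observer": "role:observer",
    "creator": "role:creator",
    "audit": "role:audit",
    "service_admin": "role:key-manager:service-admin",
    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
    # Project scoping: the caller's project must own the object.
    "secret_project_match": "project:%(target.secret.project_id)s",
    "container_project_match": "project:%(target.container.project_id)s",
    # Per-object ACL: the caller must be listed in the object's 'read' ACL.
    "secret_acl_read": "'read':%(target.secret.read)s",
    "container_acl_read": "'read':%(target.container.read)s",
    "secret_non_private_read": "rule:all_users and rule:secret_project_match",
    "container_non_private_read": "rule:all_users and rule:container_project_match",
    "secret:get": "rule:secret_non_private_read or rule:secret_acl_read",
    "container:get": "rule:container_non_private_read or rule:container_acl_read",
}
SAMPLE_POLICY_JSON = json.dumps(SAMPLE_POLICY, indent=4)

# The two rules the note above tells you to widen.
BROADENED_RULES = ("secret:get", "container:get")
RULE_REF = re.compile(r"rule:([A-Za-z0-9_-]+)")


def grant_all_users(policy):
    """Return a copy of the policy with secret:get and container:get set to
    "rule:all_users", as the note describes. The input dict is not modified."""
    broadened = dict(policy)
    for name in BROADENED_RULES:
        broadened[name] = "rule:all_users"
    return broadened


def expand_rule(policy, rule_text, depth=0):
    """Inline every rule:NAME reference so that only leaf checks (role:,
    project:, ACL lookups) remain, i.e. what the policy engine evaluates."""
    if depth > 32:
        raise ValueError("rule reference chain too deep (cycle?)")

    def inline(match):
        name = match.group(1)
        if name not in policy:
            return match.group(0)  # unknown reference: leave as written
        return "(" + expand_rule(policy, policy[name], depth + 1) + ")"

    return RULE_REF.sub(inline, rule_text)


def audit_scoping(policy):
    """For each broadened rule, report whether a project-ownership check or a
    per-object ACL check survives expansion. Both False means any user holding
    one of the all_users roles can read every project's objects."""
    report = {}
    for name in BROADENED_RULES:
        expanded = expand_rule(policy, policy.get(name, ""))
        report[name] = {
            "project_scoped": "project:%(" in expanded,
            "acl_checked": "'read':%(" in expanded,
        }
    return report


def rewrite_policy_text(text):
    """Apply grant_all_users to the JSON text of a policy.json file."""
    return json.dumps(grant_all_users(json.loads(text)), indent=4) + "\n"


def apply_to_file(src, dst):
    """Read src (e.g. /etc/barbican/policy.json) and write the broadened policy
    to dst. Write to a separate path first and diff it before replacing src."""
    with open(src) as f:
        text = f.read()
    with open(dst, "w") as f:
        f.write(rewrite_policy_text(text))


if __name__ == "__main__":
    print("default policy:  ", audit_scoping(SAMPLE_POLICY))
    print("after all_users: ", audit_scoping(grant_all_users(SAMPLE_POLICY)))
```

Run the audit against the real file with `audit_scoping(json.load(open("/etc/barbican/policy.json")))` before and after the change; if both flags are already False before you touch anything, the policy has been widened previously and the note's warning already applies.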

Procedure

  1. Log in to the OpenStack Management Server.
  2. Configure Barbican to use the KMIP plugin.
    sudo viocli barbican --secret-store-plugin KMIP --host kmip-server --port kmip-port --ca-certs ca-cert-file [--certfile local-cert-file --keyfile local-key-file --user kmip-user --password kmip-password]

    Depending on how KMIP is implemented in your environment, you may need to include only the --certfile and --keyfile parameters (certificate-based client authentication), only the --user and --password parameters (credential-based authentication), or all four. Because the command is entered in a shell, a password passed with --password may be recorded in the shell history.

Results

Barbican stores secrets through the KMIP plugin instead of the simple crypto plugin.

Note: If the payload of a secret is plaintext, tenants must now include the --secret-type passphrase parameter when they create the secret.

What to do next

Tenants can now configure LBaaS v2.0. For instructions, see Configuring LBaaS v2.0.