### Bindep command example Source: https://github.com/openstack/barbican/blob/master/bindep.txt Example of how to use bindep to install dependencies. ```bash sudo [apt-get | yum] install $(bindep -b) ``` -------------------------------- ### Start and enable Apache HTTP service Source: https://github.com/openstack/barbican/blob/master/doc/source/install/install-rdo.rst Start the Apache HTTP service and configure it to start when the system boots. ```console # systemctl enable httpd.service # systemctl start httpd.service ``` -------------------------------- ### Install Dogtag Packages (Fedora/RHEL/Centos) Source: https://github.com/openstack/barbican/blob/master/doc/source/configuration/dogtag_setup.rst Installs the required Dogtag packages on Fedora/RHEL/Centos platforms. ```bash dnf install pki-ca pki-kra 389-ds-base ``` -------------------------------- ### Start DevStack Source: https://github.com/openstack/barbican/blob/master/doc/source/contributor/devstack.rst Initiates the DevStack installation and startup process. ```bash ./stack.sh ``` -------------------------------- ### Retrieve Project Quota Information for All Projects Source: https://github.com/openstack/barbican/blob/master/api-guide/source/quotas.md Shows how to get a list of all project quota data using a GET request on the project-quota resource. ```bash Request: curl -i -X GET -H "X-Auth-Token:$TOKEN" \ -H "Accept:application/json" \ http://localhost:9311/v1/project-quotas Response: HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 {"project_quotas": [{"project_id": "1234", "project_quotas": {"secrets": 500, "orders": 100, "containers": -1, "consumers": 100, "cas": 50}}, {"project_id": "5678", "project_quotas": {"secrets": 500, "orders": 100, "containers": -1, "consumers": 100, "cas": 50}}]} ``` -------------------------------- ### Create Order Source: https://github.com/openstack/barbican/blob/master/api-guide/source/orders.md Example of creating an order to generate a symmetric key. ```bash curl -X POST -H "X-Auth-Token: $TOKEN" -H "content-type:application/json" -d '{ "type":"key", "meta": { "name": "secretname", "algorithm": "aes", "bit_length": 256, "mode": "cbc", "payload_content_type": "application/octet-stream"} }' http://localhost:9311/v1/orders ``` -------------------------------- ### GET /v1/orders Request Example Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/orders.rst Example of a GET request to list a project's orders, including necessary headers. ```javascript GET /v1/orders Headers: Content-Type: application/json X-Auth-Token: {token} ``` -------------------------------- ### Retrieve Container Source: https://github.com/openstack/barbican/blob/master/api-guide/source/containers.md Example of retrieving a container using its reference. ```bash curl -X GET -H "X-Auth-Token: $TOKEN" http://localhost:9311/v1/containers/49d3c5e9-80bb-47ec-8787-968bb500d76e ``` ```json { "status": "ACTIVE", "updated": "2015-03-31T21:21:34.126042", "name": "container name", "consumers": [], "created": "2015-03-31T21:21:34.126042", "container_ref": "http://localhost:9311/v1/containers/49d3c5e9-80bb-47ec-8787-968bb500d76e", "secret_refs": [ { "secret_ref": "http://localhost:9311/v1/secrets/feac9896-49e9-49e0-9484-1a6153c9498b", "name": "a secret" } ], "type": "generic" } ``` -------------------------------- ### GET /v1/orders Response Example Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/orders.rst Example of a successful (200 OK) response when listing orders, showing the structure of the returned order data. ```bash 200 Success { "orders": [ { "created": "2015-10-20T18:38:44", "creator_id": "40540f978fbd45c1af18910e3e02b63f", "meta": { "algorithm": "AES", "bit_length": 256, "expiration": null, "mode": "cbc", "name": "secretname", "payload_content_type": "application/octet-stream" }, "order_ref": "http://localhost:9311/v1/orders/2284ba6f-f964-4de7-b61e-c413df5d1e47", "secret_ref": "http://localhost:9311/v1/secrets/15dcf8e4-3138-4360-be9f-fc4bc2e64a19", "status": "ACTIVE", "sub_status": "Unknown", "sub_status_message": "Unknown", "type": "key", "updated": "2015-10-20T18:38:44" }, { "created": "2015-10-20T18:38:47", "creator_id": "40540f978fbd45c1af18910e3e02b63f", "meta": { "algorithm": "AES", "bit_length": 256, "expiration": null, "mode": "cbc", "name": "secretname", "payload_content_type": "application/octet-stream" }, "order_ref": "http://localhost:9311/v1/orders/87b7169e-3aa2-4cb1-8800-b5aadf6babd1", "secret_ref": "http://localhost:9311/v1/secrets/80183f4b-c0de-4a94-91ad-6d55251acee2", "status": "ACTIVE", "sub_status": "Unknown", "sub_status_message": "Unknown", "type": "key", "updated": "2015-10-20T18:38:47" } ], "total": 2 } ``` -------------------------------- ### Retrieve Order Source: https://github.com/openstack/barbican/blob/master/api-guide/source/orders.md Example of retrieving an order using the order reference. ```bash curl -H "X-Auth-Token: $TOKEN" -H 'Accept:application/json' \ http://localhost:9311/v1/orders/3a5c6748-44de-4c1c-9e54-085c3f79e942 ``` -------------------------------- ### Retrieve Project Quota Information for a Single Project Source: https://github.com/openstack/barbican/blob/master/api-guide/source/quotas.md Demonstrates how to get project quota information for a specific project using a GET request. ```bash Request: curl -i -X GET -H "X-Auth-Token:$TOKEN" \ -H "Accept:application/json" \ http://localhost:9311/v1/project-quotas/1234 Response: HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 {"project_quotas": {"secrets": 500, "orders": 100, "containers": -1, "consumers": 100, "cas": 50}} ``` -------------------------------- ### Create RSA Container Source: https://github.com/openstack/barbican/blob/master/api-guide/source/containers.md Example of creating an RSA container with required secret references. ```bash curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type:application/json" -d '{ "type": "rsa", "name": "rsa container", "secret_refs": [ { "name": "public_key", "secret_ref": "http://localhost:9311/v1/secrets/f91b84ac-fb19-416b-87dc-e7e41b7f6039" }, { "name": "private_key", "secret_ref": "http://localhost:9311/v1/secrets/feac9896-49e9-49e0-9484-1a6153c9498b" }, { "name": "private_key_passphrase", "secret_ref": "http://localhost:9311/v1/secrets/f1106c5b-0347-4197-8947-d9e392bf74a3" } ] }' http://localhost:9311/v1/containers ``` ```bash {"container_ref": "http://localhost:9311/v1/containers/0fecaec4-7cd7-4e70-a760-cc7eaf5c3afb"} ``` -------------------------------- ### Create Dogtag CA Source: https://github.com/openstack/barbican/blob/master/doc/source/configuration/dogtag_setup.rst Sets up a Dogtag CA using reasonable defaults to run in an Apache Tomcat instance. ```bash mkdir -p /etc/dogtag cat > /etc/dogtag/ca.cfg < /etc/dogtag/kra.cfg < Accept: application/json Response: 200 OK Content-Type: application/json { "project_quotas": [ { "project_id": "1234", "project_quotas": { "secrets": 2000, "orders": 0, "containers": -1, ``` -------------------------------- ### Build Barbican documentation Source: https://github.com/openstack/barbican/blob/master/doc/source/contributor/dev.rst Builds the HTML documentation for Barbican using tox. ```bash tox -e docs ``` -------------------------------- ### Retrieve Container ACL Source: https://github.com/openstack/barbican/blob/master/api-guide/source/acls.md Example of how to retrieve the ACL data for a specific container using a GET request. ```bash Request: curl -X GET -H 'X-Auth-Token:b44636bff48c41bbb80f459df69c11aa' \ http://localhost:9311/v1/containers/8c077991-d524-4e15-8eaf-bc0c3bb225f2/acl Response: HTTP/1.1 200 OK { "read":{ "updated":"2015-05-12T20:05:17.214948", "created":"2015-05-12T19:47:20.018657", "users":[ "721e27b8505b499e8ab3b38154705b9e", "c1d20e4b7e7d4917aee6f0832152269b", "2d0ee7c681cc4549b6d76769c320d91f" ], "project-access":false } } ``` -------------------------------- ### Retrieve Secret ACL Source: https://github.com/openstack/barbican/blob/master/api-guide/source/acls.md Example of how to retrieve the ACL data for a specific secret using a GET request. ```bash Request: curl -X GET -H 'X-Auth-Token:b44636bff48c41bbb80f459df69c11aa' \ http://localhost:9311/v1/secrets/15621a1b-efdf-41d8-92dc-356cec8e9da9/acl Response: HTTP/1.1 200 OK { "read":{ "updated":"2015-05-12T20:08:47.644264", "created":"2015-05-12T19:23:44.019168", "users":[ "c1d20e4b7e7d4917aee6f0832152269b", "2d0ee7c681cc4549b6d76769c320d91f" ], "project-access":false } } ``` -------------------------------- ### Install the packages Source: https://github.com/openstack/barbican/blob/master/doc/source/install/install-ubuntu.rst Installs the necessary Barbican packages on Ubuntu. ```console # apt-get update # apt-get install barbican-api barbican-keystone-listener barbican-worker ``` -------------------------------- ### Example request to Barbican API Source: https://github.com/openstack/barbican/blob/master/doc/source/contributor/dev.rst Demonstrates how to make a request to the Barbican API using curl, including the required X-Project-Id header. ```bash curl -v -H 'X-Project-Id: 12345' \ -H 'Accept: application/json' \ http://localhost:9311/v1/secrets ``` -------------------------------- ### GET /v1/secret-stores/global-default Request/Response Example Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/store_backends.rst Example of a GET request to retrieve the global default secret store and its corresponding JSON response. ```javascript Request: GET /v1/secret-stores/global-default Headers: X-Auth-Token: "f9cf2d480ba3485f85bdb9d07a4959f1" Accept: application/json Response: HTTP/1.1 200 OK Content-Type: application/json { "status": "ACTIVE", "updated": "2016-08-22T23:46:45.114283", "name": "PKCS11 HSM", "created": "2016-08-22T23:46:45.114283", "secret_store_ref": "http://localhost:9311/v1/secret-stores/4d27b7a7-b82f-491d-88c0-746bd67dadc8", "global_default": True, "crypto_plugin": "p11_crypto", "secret_store_plugin": "store_crypto" } ``` -------------------------------- ### Set up a virtual environment and install Barbican Source: https://github.com/openstack/barbican/blob/master/doc/source/contributor/dev.rst Clones the Barbican repository, creates and activates a virtual environment, and installs Barbican in development mode. ```bash # Clone barbican source git clone https://opendev.org/openstack/barbican cd barbican # Create and activate a virtual environment virtualenv .barbicanenv . .barbicanenv/bin/activate # Install barbican in development mode pip install -e $PWD ``` -------------------------------- ### Run the Barbican development server Source: https://github.com/openstack/barbican/blob/master/doc/source/contributor/dev.rst Starts the Barbican API development server, which will listen on http://localhost:9311. ```bash bin/barbican-api ``` -------------------------------- ### Secrets List Request Example Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/secrets.rst Example of a GET request to list secrets with pagination and sorting parameters. ```javascript GET /v1/secrets?offset=1&limit=2&sort=created Headers: Accept: application/json X-Auth-Token: {keystone_token} (or X-Project-Id: {project id}) ``` -------------------------------- ### View help page for pkcs11-key-generation Source: https://github.com/openstack/barbican/blob/master/doc/source/admin/pkcs11keygeneration.rst Viewing the help page provides awareness of the script's structure and informs about any changes. ```bash $ pkcs11-key-generation --help usage: pkcs11-key-generation [-h] [--library-path LIBRARY_PATH] [--passphrase PASSPHRASE] [--slot-id SLOT_ID] {mkek,hmac} ... Barbican MKEK & HMAC Generator optional arguments: -h, --help show this help message and exit --library-path LIBRARY_PATH Path to vendor PKCS11 library --passphrase PASSPHRASE Password to login to PKCS11 session --slot-id SLOT_ID HSM Slot id (Should correspond to a configured PKCS11 slot) subcommands: Action to perform {mkek,hmac} mkek Generates a new MKEK. hmac Generates a new HMAC. ``` -------------------------------- ### GET /v1/project-quotas/{uuid} Request/Response Example Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/quotas.rst Example of a request to retrieve project quota information and a sample JSON response. ```javascript Request: GET /v1/project-quotas/{uuid} Headers: X-Auth-Token: Accept: application/json Response: 200 OK Content-Type: application/json { "project_quotas": { "secrets": 10, "orders": 20, "containers": -1, "consumers": 10, "cas": 5 } } ``` -------------------------------- ### Restart the Key Manager services Source: https://github.com/openstack/barbican/blob/master/doc/source/install/install-ubuntu.rst Restarts the Barbican services and Apache to apply changes. ```console # service barbican-keystone-listener restart # service barbican-worker restart # service apache2 restart ``` -------------------------------- ### Generate Sample Configuration Source: https://github.com/openstack/barbican/blob/master/etc/barbican/README.barbican.conf.txt Command to generate the sample barbican.conf file. ```bash tox -egenconfig ``` -------------------------------- ### Simple Crypto Plugin Configuration Example Source: https://github.com/openstack/barbican/blob/master/api-guide/source/2025.1.md Example of how to configure multiple Key-Encryption-Keys (KEKs) for the Simple Crypto Plugin, where the first key is active for encryption and subsequent keys are for decryption. ```default [simple_crypto_plugin] # First key is used for ecnrypting new data kek = Yl1EKQ5e4VpK3X7lbWF249GDsk0mrL929P-Mnnz-bdc= # Additionak keys used for decrypting existing data kek = AfXmy1NEfzmtJEYVGrQJ0C2-dr8S0lFoNBX5Vb7MC44= kek = Ua4Y8ryfamShYT_TzxSjok9Tl11OWFSk3whOSY-TIaw= ``` -------------------------------- ### Example Enable Plugin Source: https://github.com/openstack/barbican/blob/master/devstack/README.md Example of enabling the Barbican plugin with a specific Git URL and reference. ```bash enable_plugin barbican https://opendev.org/openstack/barbican stable/zed ``` -------------------------------- ### RSA Container Example Source: https://github.com/openstack/barbican/blob/master/api-guide/source/containers.md An example JSON object for an RSA container, used to store RSA public keys, private keys, and their corresponding passphrases. ```json { "type": "rsa", "status": "ACTIVE", "name": "John Smith RSA", "consumers": [], "container_ref": "https://{barbican_host}/v1/containers/{uuid}", "secret_refs": [ { "name": "private_key", "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}" }, { "name": "private_key_passphrase", "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}" }, { "name": "public_key", "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}" } ], "created": "2015-03-30T21:10:45.417835", "updated": "2015-03-30T21:10:45.417835" } ``` -------------------------------- ### Certificate Container Example Source: https://github.com/openstack/barbican/blob/master/api-guide/source/containers.md An example JSON object for a certificate container, designed to store secrets related to certificates, such as the certificate itself, private key, and intermediates. ```json { "type": "certificate", "status": "ACTIVE", "name": "Example.com Certificates", "consumers": [], "container_ref": "https://{barbican_host}/v1/containers/{uuid}", "secret_refs": [ { "name": "certificate", "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}" }, { "name": "private_key", "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}" }, { "name": "private_key_passphrase", "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}" }, { "name": "intermediates", "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}" } ], "created": "2015-03-30T21:10:45.417835", "updated": "2015-03-30T21:10:45.417835" } ``` -------------------------------- ### Run Barbican unit tests Source: https://github.com/openstack/barbican/blob/master/doc/source/contributor/dev.rst Executes the unit test suite for Barbican using tox. ```bash tox -e py36 ``` -------------------------------- ### Create the barbican database Source: https://github.com/openstack/barbican/blob/master/doc/source/install/common_prerequisites.rst Create a new database named 'barbican'. ```console CREATE DATABASE barbican; ``` -------------------------------- ### GET /v1/containers/{uuid} Response Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/containers.rst Example response for retrieving a container by its UUID. ```javascript { "type": "generic", "status": "ACTIVE", "name": "container name", "consumers": [], "container_ref": "https://{barbican_host}/v1/containers/{uuid}", "secret_refs": [ { "name": "private_key", "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}" } ], "created": "2015-03-26T21:10:45.417835", "updated": "2015-03-26T21:10:45.417835" } ``` -------------------------------- ### Create Directory Server Instance for Dogtag Internal DB Source: https://github.com/openstack/barbican/blob/master/doc/source/configuration/dogtag_setup.rst Configures a 389 directory server instance to be used as an internal database for Dogtag CA and KRA subsystems. ```bash mkdir -p /etc/389-ds cat > /etc/389-ds/setup.inf < Accept: application/json Response: HTTP/1.1 200 OK Content-Type: application/json { "quotas": { "secrets": 10, "orders": 20, "containers": 10, "consumers": -1, "cas": 5 } } ``` -------------------------------- ### Retrieve Order Metadata Request Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/orders.rst Example of a GET request to retrieve an order's metadata. ```javascript GET /v1/orders/{order_uuid} Headers: Accept: application/json X-Auth-Token: {token} ``` -------------------------------- ### Barbican Configuration File Sample Source: https://github.com/openstack/barbican/blob/master/doc/source/sample_config.rst This is a sample of the barbican.conf file, used for configuring Key Manager service options. ```ini .. literalinclude:: _static/barbican.conf.sample ``` -------------------------------- ### Install the packages Source: https://github.com/openstack/barbican/blob/master/doc/source/install/install-rdo.rst Install the Barbican API package. ```console # dnf install openstack-barbican-api ``` -------------------------------- ### Order Reference Response Source: https://github.com/openstack/barbican/blob/master/api-guide/source/orders.md Example response after placing an order, containing the order reference. ```json {"order_ref": "http://localhost:9311/v1/orders/3a5c6748-44de-4c1c-9e54-085c3f79e942"} ``` -------------------------------- ### GET /v1/secret-stores/preferred Request/Response Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/store_backends.rst Example request and response for retrieving a reference to the preferred secret store. ```javascript Request: GET /v1/secret-stores/preferred Headers: X-Auth-Token: "f9cf2d480ba3485f85bdb9d07a4959f1" Accept: application/json Response: HTTP/1.1 200 OK Content-Type: application/json { "status": "ACTIVE", "updated": "2016-08-22T23:46:45.114283", "name": "PKCS11 HSM", "created": "2016-08-22T23:46:45.114283", "secret_store_ref": "http://localhost:9311/v1/secret-stores/4d27b7a7-b82f-491d-88c0-746bd67dadc8", "global_default": True, "crypto_plugin": "p11_crypto", "secret_store_plugin": "store_crypto" ``` -------------------------------- ### GET /v1/secret-stores Request/Response Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/store_backends.rst Example request and response for listing available secret store backends. ```javascript Request: GET /secret-stores Headers: X-Auth-Token: "f9cf2d480ba3485f85bdb9d07a4959f1" Accept: application/json Response: HTTP/1.1 200 OK Content-Type: application/json { "secret_stores":[ { "status": "ACTIVE", "updated": "2016-08-22T23:46:45.114283", "name": "PKCS11 HSM", "created": "2016-08-22T23:46:45.114283", "secret_store_ref": "http://localhost:9311/v1/secret-stores/4d27b7a7-b82f-491d-88c0-746bd67dadc8", "global_default": True, "crypto_plugin": "p11_crypto", "secret_store_plugin": "store_crypto" }, { "status": "ACTIVE", "updated": "2016-08-22T23:46:45.124554", "name": "KMIP HSM", "created": "2016-08-22T23:46:45.124554", "secret_store_ref": "http://localhost:9311/v1/secret-stores/93869b0f-60eb-4830-adb9-e2f7154a080b", "global_default": False, "crypto_plugin": None, "secret_store_plugin": "kmip_plugin" }, { "status": "ACTIVE", "updated": "2016-08-22T23:46:45.127866", "name": "Software Only Crypto", "created": "2016-08-22T23:46:45.127866", "secret_store_ref": "http://localhost:9311/v1/secret-stores/0da45858-9420-42fe-a269-011f5f35deaa", "global_default": False, "crypto_plugin": "simple_crypto", "secret_store_plugin": "store_crypto" } } ``` -------------------------------- ### GET /v1/secrets/{uuid}/metadata Response Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/secret_metadata.rst Example response for a successful retrieval of secret metadata. ```javascript { 'metadata': { 'description': 'contains the AES key', 'geolocation': '12.3456, -98.7654' } } ``` -------------------------------- ### List Secret Consumers Request Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/secret_consumers.rst Example of a GET request to list a secret's consumers. ```javascript GET {secret_ref}/consumers Headers: X-Auth-Token: ``` -------------------------------- ### GET /v1/secrets/{uuid}/metadata Request Source: https://github.com/openstack/barbican/blob/master/doc/source/api/reference/secret_metadata.rst Example request for retrieving a secret's metadata. ```javascript GET /v1/secrets/{uuid}/metadata Headers: Accept: application/json X-Auth-Token: ```