### Install Dogtag Packages (Fedora/RHEL/CentOS)

Source: https://docs.openstack.org/barbican/latest/configuration/dogtag_setup.html

Installs the required Dogtag packages on Fedora/RHEL/CentOS platforms.

```bash
dnf install pki-ca pki-kra 389-ds-base
```

--------------------------------

### Start Apache HTTP service

Source: https://docs.openstack.org/barbican/latest/install/install-rdo.html

Start the Apache HTTP service and configure it to start on system boot.

```bash
# systemctl enable httpd.service
```

--------------------------------

### GET /v1/orders Request Example

Source: https://docs.openstack.org/barbican/latest/api/reference/orders.html

Example of a GET request to list orders, including necessary headers.

```http
GET /v1/orders

Headers:
    Content-Type: application/json
    X-Auth-Token: {token}
```

--------------------------------

### Create Dogtag CA

Source: https://docs.openstack.org/barbican/latest/configuration/dogtag_setup.html

Sets up a Dogtag CA using default configurations for an Apache Tomcat instance.

```bash
mkdir -p /etc/dogtag
cat > /etc/dogtag/ca.cfg <
```

```http
    Accept: application/json

Response:

200 OK

Content-Type: application/json

{
  "project_quotas": [
    {
      "project_id": "1234",
      "project_quotas": {
        "secrets": 2000,
        "orders": 0,
        "containers": -1,
        "consumers": null,
        "cas": null
      }
    },
    {
      "project_id": "5678",
      "project_quotas": {
        "secrets": 200,
        "orders": 100,
        "containers": -1,
        "consumers": null,
        "cas": null
      }
    }
  ],
  "total": 30
}
```

--------------------------------

### Create Directory Server Instance for Dogtag Internal DB

Source: https://docs.openstack.org/barbican/latest/configuration/dogtag_setup.html

Configures a 389 directory server instance to be used as an internal database for Dogtag CA and KRA subsystems.
```bash
mkdir -p /etc/389-ds
cat > /etc/389-ds/setup.inf < /etc/dogtag/kra.cfg <
```

```http
    Accept: application/json

Response:

HTTP/1.1 200 OK

Content-Type: application/json

{
  "quotas": {
    "secrets": 10,
    "orders": 20,
    "containers": 10,
    "consumers": -1,
    "cas": 5
  }
}
```

--------------------------------

### GET /v1/secret-stores/{secret_store_id} Request/Response Example

Source: https://docs.openstack.org/barbican/latest/api/reference/store_backends.html

Example of a GET request to retrieve details of a specific secret store by its ID and its corresponding JSON response.

```http
GET /v1/secret-stores/93869b0f-60eb-4830-adb9-e2f7154a080b

Headers:
    X-Auth-Token: "f9cf2d480ba3485f85bdb9d07a4959f1"
    Accept: application/json

Response:

HTTP/1.1 200 OK

Content-Type: application/json

{
  "status": "ACTIVE",
  "updated": "2016-08-22T23:46:45.124554",
  "name": "KMIP HSM",
  "created": "2016-08-22T23:46:45.124554",
  "secret_store_ref": "http://localhost:9311/v1/secret-stores/93869b0f-60eb-4830-adb9-e2f7154a080b",
  "global_default": false,
  "crypto_plugin": null,
  "secret_store_plugin": "kmip_plugin"
}
```

--------------------------------

### OperationalError Example

Source: https://docs.openstack.org/barbican/latest/configuration/troubleshooting.html

An example of the error message when the sqlite database file cannot be opened.

```text
...
  File "./site-packages/sqlalchemy/engine/strategies.py", line 80, in connect
    return dialect.connect(*cargs, **cparams)
  File "./site-packages/sqlalchemy/engine/default.py", line 283, in connect
    return self.dbapi.connect(*cargs, **cparams)
OperationalError: (OperationalError) unable to open database file None None
[emperor] removed uwsgi instance barbican-api.ini
...
```

--------------------------------

### Create the `barbican` database

Source: https://docs.openstack.org/barbican/latest/install/install-ubuntu.html

This snippet shows how to create the `barbican` database.
```sql
CREATE DATABASE barbican;
```

--------------------------------

### pkcs11-key-generation help command

Source: https://docs.openstack.org/barbican/latest/admin/pkcs11keygeneration.html

Displays the help message for the pkcs11-key-generation script, outlining its arguments and subcommands for MKEK and HMAC generation.

```bash
$ pkcs11-key-generation --help
usage: pkcs11-key-generation [-h] [--library-path LIBRARY_PATH]
                             [--passphrase PASSPHRASE] [--slot-id SLOT_ID]
                             {mkek,hmac} ...

Barbican MKEK & HMAC Generator

optional arguments:
  -h, --help            show this help message and exit
  --library-path LIBRARY_PATH
                        Path to vendor PKCS11 library
  --passphrase PASSPHRASE
                        Password to login to PKCS11 session
  --slot-id SLOT_ID     HSM Slot id (Should correspond to a configured PKCS11
                        slot)

subcommands:
  Action to perform

  {mkek,hmac}
    mkek                Generates a new MKEK.
    hmac                Generates a new HMAC.
```

--------------------------------

### GET /v1/secrets/{uuid}/payload Response Example

Source: https://docs.openstack.org/barbican/latest/api/reference/secrets.html

Example of a successful response when retrieving the secret payload.

```text
200 OK

beer
```

--------------------------------

### Example unauthenticated request to Barbican

Source: https://docs.openstack.org/barbican/latest/contributor/dev.html

Demonstrates how to make a request to the Barbican API without authentication, using the X-Project-Id header.

```bash
curl -v -H 'X-Project-Id: 12345' \
     -H 'Accept: application/json' \
     http://localhost:9311/v1/secrets
```

--------------------------------

### Install the packages

Source: https://docs.openstack.org/barbican/latest/install/install-rdo.html

Install the necessary packages for the Key Manager service.

```bash
# dnf install openstack-barbican-api
```

--------------------------------

### GET /v1/secrets/{uuid} Response Example (Metadata)

Source: https://docs.openstack.org/barbican/latest/api/reference/secrets.html

Example of a successful response when retrieving secret metadata.
```json
{
  "status": "ACTIVE",
  "created": "2015-03-23T20:46:51.650515",
  "updated": "2015-03-23T20:46:51.654116",
  "expiration": "2015-12-28T19:14:44.180394",
  "algorithm": "aes",
  "bit_length": 256,
  "mode": "cbc",
  "name": "AES key",
  "secret_ref": "https://{barbican_host}/v1/secrets/{secret_uuid}",
  "secret_type": "opaque",
  "content_types": {
    "default": "application/octet-stream"
  }
}
```

--------------------------------

### GET /v1/secrets/{uuid} Request Example (Metadata)

Source: https://docs.openstack.org/barbican/latest/api/reference/secrets.html

Example of a request to retrieve a secret's metadata.

```http
GET /v1/secrets/{uuid}

Headers:
    Accept: application/json
    X-Auth-Token: {token}
    (or X-Project-Id: {project_id})
```

--------------------------------

### Create the `barbican` database

Source: https://docs.openstack.org/barbican/latest/install/install-ubuntu.html

This snippet shows how to create the `barbican` database using the MySQL client.

```bash
# mysql
```

--------------------------------

### Create the barbican database

Source: https://docs.openstack.org/barbican/latest/install/install-rdo.html

Steps to create the database and grant access privileges.

```bash
# mysql
```

```sql
CREATE DATABASE barbican;
```

```sql
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost'
  IDENTIFIED BY 'BARBICAN_DBPASS';
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%'
  IDENTIFIED BY 'BARBICAN_DBPASS';
```

```sql
exit;
```

--------------------------------

### TypeError Example

Source: https://docs.openstack.org/barbican/latest/configuration/troubleshooting.html

An example of the error message seen when a responder raises a TypeError due to a NoneType object.

```text
...
2013-04-14 14:17:56 [FALCON] [ERROR] POST \
/da71dfbc-a959-4ad3-bdab-5ee190ce7515/csrs? => Responder raised \
TypeError: 'NoneType' object has no attribute '__getitem__'
```

--------------------------------

### Malformed JSON Example

Source: https://docs.openstack.org/barbican/latest/configuration/troubleshooting.html

An example of the JSON error response when the Barbican REST server cannot parse incoming JSON.

```json
{
  "title": "Malformed JSON"
}
```

--------------------------------

### Crontab Examples

Source: https://docs.openstack.org/barbican/latest/admin/database_cleaning.html

Examples of cron job configurations for the `barbican-manage db clean` command.

```bash
00 00 * * * barbican-manage db clean -p -e
```

```bash
00 03 01 * * barbican-manage db clean -m 30
```

```bash
05 01 07 * 6 barbican-manage db clean -m 180 -p -e -L /tmp/barbican-clean-command.log
```

--------------------------------

### GET /v1/orders/{uuid} Response Example

Source: https://docs.openstack.org/barbican/latest/api/reference/orders.html

Example of a successful (200 OK) response when retrieving an order's metadata.

```json
{
  "created": "2015-10-20T18:49:02",
  "creator_id": "40540f978fbd45c1af18910e3e02b63f",
  "meta": {
    "algorithm": "AES",
    "bit_length": 256,
    "expiration": null,
    "mode": "cbc",
    "name": "secretname",
    "payload_content_type": "application/octet-stream"
  },
  "order_ref": "http://localhost:9311/v1/orders/5443d349-fe0c-4bfd-bd9d-99c4a9770638",
  "secret_ref": "http://localhost:9311/v1/secrets/16f8d4f3-d3dd-4160-a5bd-8e5095a42613",
  "status": "ACTIVE",
  "sub_status": "Unknown",
  "sub_status_message": "Unknown",
  "type": "key",
  "updated": "2015-10-20T18:49:02"
}
```

--------------------------------

### Install development tools and dependency build requirements on Ubuntu 15.10

Source: https://docs.openstack.org/barbican/latest/contributor/dev.html

Installs git, python-tox, libffi-dev, libssl-dev, python-dev, and gcc.
```bash
# Install development tools
sudo apt-get install git python-tox

# Install dependency build requirements
sudo apt-get install libffi-dev libssl-dev python-dev gcc
```

--------------------------------

### ImportError: No module named barbican.api.app Example

Source: https://docs.openstack.org/barbican/latest/configuration/troubleshooting.html

An example of Python 'can't find module errors' with uWSGI scripts.

```text
*** has_emperor mode detected (fd: 6) ***
...
!!! UNABLE to load uWSGI plugin: dlopen(./python_plugin.so, 10): image not found !!!
...
  File "./site-packages/paste/deploy/loadwsgi.py", line 22, in import_string
    return pkg_resources.EntryPoint.parse("x=" + s).load(False)
  File "./site-packages/distribute-0.6.35-py2.7.egg/pkg_resources.py", line 2015, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
ImportError: No module named barbican.api.app
...
*** Starting uWSGI 1.9.13 (64bit) on [Fri Jul 5 09:59:29 2013] ***
```

--------------------------------

### GET /v1/secrets/{uuid}/payload Request Example

Source: https://docs.openstack.org/barbican/latest/api/reference/secrets.html

Example of a request to retrieve the actual payload of a secret by setting the Accept header.

```http
GET /v1/secrets/{uuid}

Headers:
    Accept: application/octet-stream
    X-Auth-Token:
```

--------------------------------

### Start DevStack

Source: https://docs.openstack.org/barbican/latest/contributor/devstack.html

Command to start the DevStack environment.

```bash
./stack.sh
```

--------------------------------

### List Secrets Request Example

Source: https://docs.openstack.org/barbican/latest/api/reference/secrets.html

Example of an HTTP GET request to list secrets with pagination and sorting parameters, including necessary headers.
```http
GET /v1/secrets?offset=1&limit=2&sort=created

Headers:
    Accept: application/json
    X-Auth-Token: {keystone_token}
    (or X-Project-Id: {project id})
```

--------------------------------

### Create the `creator` role

Source: https://docs.openstack.org/barbican/latest/install/install-ubuntu.html

This snippet shows how to create the `creator` role.

```bash
$ openstack role create creator
```

--------------------------------

### GET /v1/containers/{uuid}/acl Request/Response (With no ACL defined)

Source: https://docs.openstack.org/barbican/latest/api/reference/acls.html

Example of a GET request to retrieve ACL for a container when no ACL is defined, and its successful response.

```http
GET /v1/containers/{uuid}/acl

Headers:
    X-Auth-Token: {token_id}

Response:

HTTP/1.1 200 OK

{
  "read":{
    "project-access": true
  }
}
```

--------------------------------

### Install Git

Source: https://docs.openstack.org/barbican/latest/contributor/devstack.html

Commands to install git on Debian/Ubuntu and CentOS systems.

```bash
# Debian/Ubuntu
sudo apt-get install git

# CentOS
sudo dnf install git
```

--------------------------------

### GET /v1/containers/{uuid}/acl Request/Response (With ACL defined)

Source: https://docs.openstack.org/barbican/latest/api/reference/acls.html

Example of a GET request to retrieve ACL for a container when an ACL is defined, and its successful response.

```http
GET /v1/containers/{uuid}/acl

Headers:
    X-Auth-Token: {token_id}

Response:

HTTP/1.1 200 OK

{
  "read":{
    "updated":"2015-05-12T20:08:47.644264",
    "created":"2015-05-12T19:23:44.019168",
    "users":[
      {user_id1},
      {user_id2},
      .....
    ],
    "project-access":{project-access-flag}
  }
}
```

--------------------------------

### Create a new database version file

Source: https://docs.openstack.org/barbican/latest/admin/barbican_manage.html

Creates a new database version file.
```bash
barbican-manage db revision [--db-url] [--message] [--autogenerate]
```

--------------------------------

### Create an RSA keypair for public secret storage

Source: https://docs.openstack.org/barbican/latest/api/reference/secret_types.html

This example shows the initial step of creating an RSA keypair using the openssl command-line tool, which is a prerequisite for storing the public key in Barbican.

```bash
# Create the RSA keypair
openssl genrsa -out private.pem 2048
```

--------------------------------

### GET /v1/project-quotas/{uuid} Request/Response

Source: https://docs.openstack.org/barbican/latest/api/reference/quotas.html

Example request and response for retrieving project-specific quotas.

```http
Request:

GET /v1/project-quotas/{uuid}

Headers:
    X-Auth-Token:
    Accept: application/json

Response:

200 OK

Content-Type: application/json

{
  "project_quotas": {
    "secrets": 10,
    "orders": 20,
    "containers": -1,
    "consumers": 10,
    "cas": 5
  }
}
```