Bug 1204501

Summary: [RFE] Add Password Vault (KRA) functionality
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium
Version: 7.0
CC: edewata, jcholast, mbasti, mnavrati, pvoborni, rcritten, spoore
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Release Note
Doc Text:
Password Vault
A new feature to allow secure central storage of private user information, such as passwords and keys, has been added to Identity Management. Password Vault is built on top of the Public Key Infrastructure (PKI) Key Recovery Authority (KRA) subsystem.
Story Points: ---
Clone Of:
: 1249091
Environment:
Last Closed: 2015-11-19 12:02:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1248675
Bug Blocks: 1181710

Description Martin Kosek 2015-03-22 17:18:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3872

Add PKI KRA component (Vault) to allow secure central storage of user private information (passwords, keys, ...). The feature will utilize [http://pki.fedoraproject.org/wiki/PKI_Install_Guide#Data_Recovery_Manager_.28DRM.29 Dogtag DRM subsystem].

Related: #4336, #4176, https://fedorahosted.org/389/ticket/47904

Comment 5 Martin Kosek 2015-07-08 06:55:50 UTC
The first implementation of the feature was finished upstream:

https://fedorahosted.org/freeipa/ticket/3872#comment:27

Next enhancements will be done in next releases, based on user feedback and project planning.

Comment 7 Petr Vobornik 2015-07-30 08:23:05 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5150

Comment 8 Petr Vobornik 2015-07-30 08:30:03 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5155

Comment 10 Scott Poore 2015-08-04 13:05:25 UTC
Marking this one back to assigned since I'm blocked by bug #1248675.

Comment 11 Jan Cholasta 2015-08-04 13:55:46 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5172

Comment 12 Jan Cholasta 2015-08-04 13:55:51 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5174

Comment 14 Jan Cholasta 2015-08-11 15:13:58 UTC
Unlinking tickets 5150 and 5172, as they have not been fixed upstream yet and are not critical for this RFE.

Comment 20 Scott Poore 2015-08-26 00:49:22 UTC
Verified.

Version ::

ipa-server-4.2.0-5.el7.x86_64

Results ::

Vaults

Manage vaults.

Vault is a secure place to store a secret.

Based on the ownership there are three vault categories:
* user/private vault
* service vault
* shared vault

User vaults are vaults owned used by a particular user. Private
vaults are vaults owned the current user. Service vaults are
vaults owned by a service. Shared vaults are owned by the admin
but they can be used by other users or services.

Based on the security mechanism there are three types of
vaults:
* standard vault
* symmetric vault
* asymmetric vault

Standard vault uses a secure mechanism to transport and
store the secret. The secret can only be retrieved by users
that have access to the vault.

Symmetric vault is similar to the standard vault, but it
pre-encrypts the secret using a password before transport.
The secret can only be retrieved using the same password.

Asymmetric vault is similar to the standard vault, but it
pre-encrypts the secret using a public key before transport.
The secret can only be retrieved using the private key.

EXAMPLES:

 List vaults:
   ipa vault-find
       [--user <user>|--service <service>|--shared]

 Add a standard vault:
   ipa vault-add <name>
       [--user <user>|--service <service>|--shared]

 Add a symmetric vault:
   ipa vault-add <name>
       [--user <user>|--service <service>|--shared]
       --type symmetric --password-file password.txt

 Add an asymmetric vault:
   ipa vault-add <name>
       [--user <user>|--service <service>|--shared]
       --type asymmetric --public-key-file public.pem

 Show a vault:
   ipa vault-show <name>
       [--user <user>|--service <service>|--shared]

 Modify a vault:
   ipa vault-mod <name>
       [--user <user>|--service <service>|--shared]
       --desc <description>

 Delete a vault:
   ipa vault-del <name>
       [--user <user>|--service <service>|--shared]

 Display vault configuration:
   ipa vaultconfig-show

 Archive data into standard vault:
   ipa vault-archive <name>
       [--user <user>|--service <service>|--shared]
       --in <input file>

 Archive data into symmetric vault:
   ipa vault-archive <name>
       [--user <user>|--service <service>|--shared]
       --in <input file>
       --password-file password.txt

 Archive data into asymmetric vault:
   ipa vault-archive <name>
       [--user <user>|--service <service>|--shared]
       --in <input file>

 Retrieve data from standard vault:
   ipa vault-retrieve <name>
       [--user <user>|--service <service>|--shared]
       --out <output file>

 Retrieve data from symmetric vault:
   ipa vault-retrieve <name>
       [--user <user>|--service <service>|--shared]
       --out <output file>
       --password-file password.txt

 Retrieve data from asymmetric vault:
   ipa vault-retrieve <name>
       [--user <user>|--service <service>|--shared]
       --out <output file> --private-key-file private.pem

 Add vault owners:
   ipa vault-add-owner <name>
       [--user <user>|--service <service>|--shared]
       [--users <users>]  [--groups <groups>] [--services <services>]

 Delete vault owners:
   ipa vault-remove-owner <name>
       [--user <user>|--service <service>|--shared]
       [--users <users>] [--groups <groups>] [--services <services>]

 Add vault members:
   ipa vault-add-member <name>
       [--user <user>|--service <service>|--shared]
       [--users <users>] [--groups <groups>] [--services <services>]

 Delete vault members:
   ipa vault-remove-member <name>
       [--user <user>|--service <service>|--shared]
       [--users <users>] [--groups <groups>] [--services <services>]

Topic commands:
  vault-add            Create a new vault.
  vault-add-member     Add members to a vault.
  vault-add-owner      Add owners to a vault.
  vault-archive        Archive data into a vault.
  vault-del            Delete a vault.
  vault-find           Search for vaults.
  vault-mod            Modify a vault.
  vault-remove-member  Remove members from a vault.
  vault-remove-owner   Remove owners from a vault.
  vault-retrieve       Retrieve a data from a vault.
  vault-show           Display information about a vault.
  vaultconfig-show     Show vault configuration.

To get command help, use:
  ipa <command> --help


[root@master /]#  ipa vault-add --type=symmetric --password="Test12345" testvault
-----------------------
Added vault "testvault"
-----------------------
  Vault name: testvault
  Type: symmetric
  Salt: v8nxYSOo2sQE4XkfxcdStw==
  Owner users: admin
  Vault user: admin

[root@master /]# ipa vault-archive testvault --password="Test12345" --data=$(echo "My Secret"|base64)
------------------------------------
Archived data into vault "testvault"
------------------------------------


[root@master /]# ipa vault-retrieve testvault --password="Test12345" --out=/tmp/testvault.out
-------------------------------------
Retrieved data from vault "testvault"
-------------------------------------

[root@master /]# cat /tmp/testvault.out
My Secret
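
An added illustrative model, not FreeIPA's own code, of the property the help text above attributes to a symmetric vault: the client derives a key from the vault password and the per-vault salt, encrypts the secret before transport, and the KRA side only ever stores ciphertext, so the server cannot read the secret and a wrong password fails closed on retrieval. The primitives (PBKDF2-HMAC-SHA256 and Fernet from the `cryptography` package) and the `ModelKRA` stand-in are assumptions made here, not something this bug states.

```python
# Added model of the symmetric vault flow (not FreeIPA's code).
# Assumed primitives: PBKDF2-HMAC-SHA256 for the password-derived key and
# Fernet (AES-CBC + HMAC-SHA256) for the client-side pre-encryption.
import base64
import os

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC


def derive_key(password, salt):
    """PBKDF2-HMAC-SHA256 -> 32-byte key, urlsafe-base64 as Fernet requires."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=salt, iterations=100000)
    return base64.urlsafe_b64encode(kdf.derive(password.encode("utf-8")))


class ModelKRA:
    """Hypothetical stand-in for the server side: it only sees opaque blobs."""
    def __init__(self):
        self.store = {}

    def archive(self, name, blob):
        self.store[name] = blob

    def retrieve(self, name):
        return self.store[name]


def vault_add_symmetric(vaults, name):
    """Like 'ipa vault-add --type=symmetric': record a fresh 16-byte salt."""
    vaults[name] = os.urandom(16)
    return base64.b64encode(vaults[name]).decode()  # the 'Salt:' the CLI prints


def vault_archive(kra, vaults, name, password, data):
    """Like 'ipa vault-archive': encrypt on the client, send only ciphertext."""
    kra.archive(name, Fernet(derive_key(password, vaults[name])).encrypt(data))


def vault_retrieve(kra, vaults, name, password):
    """Like 'ipa vault-retrieve': returns the secret, or None on a wrong password."""
    try:
        return Fernet(derive_key(password, vaults[name])).decrypt(kra.retrieve(name))
    except InvalidToken:
        return None
```

The blob held by `ModelKRA` never contains the plaintext, which is the point of the symmetric type over the standard vault: compromise of the server-side store alone does not expose the secret.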

Comment 21 errata-xmlrpc 2015-11-19 12:02:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html