Bug 2120686

Summary: Keylime configuration is too complex
Product: Red Hat Enterprise Linux 9
Reporter: Anderson Sasaki <ansasaki>
Component: keylime
Assignee: Anderson Sasaki <ansasaki>
Status: CLOSED ERRATA
QA Contact: Karel Srot <ksrot>
Severity: unspecified
Priority: unspecified
Version: 9.1
CC: ansasaki, dueno, jwboyer, lvrabec, mthacker, pvlasin, scorreia
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: keylime-6.5.0-1.el9
Doc Type: No Doc Update
Clone Of:
: 2123360
Last Closed: 2022-11-15 10:34:25 UTC
Type: Bug
Bug Blocks: 2123360

Description Anderson Sasaki 2022-08-23 14:22:05 UTC
Description of problem:
The Keylime configuration file is confusing and does not have intuitive option naming. The TLS configuration for the components is confusing, making it difficult for the user to create the intended configuration. Moreover, Keylime uses a single configuration file for all components, making it even more confusing when the user wants to deploy each component on a different machine.

Keylime should use individual configuration files for each component, with intuitive option naming, and easy TLS configuration. A proposal for such changes is approved upstream and available in [1].

If the changes are not introduced with Keylime from the beginning (from RHEL-9.1), both the old and new configuration file formats will have to be supported during the whole RHEL-9 lifetime.

[1] https://github.com/keylime/enhancements/blob/master/72_config_and_simplify_tls.md

Version-Release number of selected component (if applicable):
keylime-6.4.2-2.el9

How reproducible:
deterministic

Steps to Reproduce:
1. Open the configuration file installed at /etc/keylime.conf

Actual results:
The configuration for all components is in the /etc/keylime.conf file.
The TLS configuration for each component is confusing.
The option names are not intuitive.

Expected results:
The configuration for each component is in an individual file.
The TLS configuration is clear and simple.
The option names are intuitive, and their purposes are documented.

Additional info:

Comment 17 errata-xmlrpc 2022-11-15 10:34:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (keylime bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8189