Bug 1204501 - [RFE] Add Password Vault (KRA) functionality
Summary: [RFE] Add Password Vault (KRA) functionality
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On: 1248675
Blocks: 1181710
Reported: 2015-03-22 17:18 UTC by Martin Kosek
Modified: 2015-11-19 12:02 UTC
CC: 7 users

Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Release Note
Doc Text:
Password Vault: A new feature that allows secure central storage of private user information, such as passwords and keys, has been added to Identity Management. Password Vault is built on top of the Public Key Infrastructure (PKI) Key Recovery Authority (KRA) subsystem.
Clone Of:
Clones: 1249091
Environment:
Last Closed: 2015-11-19 12:02:13 UTC
Target Upstream Version:
Embargoed:




Links:
  Red Hat Product Errata RHBA-2015:2362 (priority: normal, status: SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2015-11-19 10:40:46 UTC

Description Martin Kosek 2015-03-22 17:18:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3872

Add PKI KRA component (Vault) to allow secure central storage of user private information (passwords, keys, ...). The feature will utilize the Dogtag DRM subsystem (http://pki.fedoraproject.org/wiki/PKI_Install_Guide#Data_Recovery_Manager_.28DRM.29).

Related: #4336, #4176, https://fedorahosted.org/389/ticket/47904

Comment 5 Martin Kosek 2015-07-08 06:55:50 UTC
The first implementation of the feature was finished upstream:

https://fedorahosted.org/freeipa/ticket/3872#comment:27

Next enhancements will be done in next releases, based on user feedback and project planning.

Comment 7 Petr Vobornik 2015-07-30 08:23:05 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5150

Comment 8 Petr Vobornik 2015-07-30 08:30:03 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5155

Comment 10 Scott Poore 2015-08-04 13:05:25 UTC
Marking this one back to assigned since I'm blocked by bug #1248675.

Comment 11 Jan Cholasta 2015-08-04 13:55:46 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5172

Comment 12 Jan Cholasta 2015-08-04 13:55:51 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5174

Comment 14 Jan Cholasta 2015-08-11 15:13:58 UTC
Unlinking tickets 5150 and 5172, as they have not been fixed upstream yet and are not critical for this RFE.

Comment 20 Scott Poore 2015-08-26 00:49:22 UTC
Verified.

Version ::

ipa-server-4.2.0-5.el7.x86_64

Results ::

Vaults

Manage vaults.

Vault is a secure place to store a secret.

Based on the ownership there are three vault categories:
* user/private vault
* service vault
* shared vault

User vaults are vaults owned used by a particular user. Private
vaults are vaults owned the current user. Service vaults are
vaults owned by a service. Shared vaults are owned by the admin
but they can be used by other users or services.

Based on the security mechanism there are three types of
vaults:
* standard vault
* symmetric vault
* asymmetric vault

Standard vault uses a secure mechanism to transport and
store the secret. The secret can only be retrieved by users
that have access to the vault.

Symmetric vault is similar to the standard vault, but it
pre-encrypts the secret using a password before transport.
The secret can only be retrieved using the same password.

Asymmetric vault is similar to the standard vault, but it
pre-encrypts the secret using a public key before transport.
The secret can only be retrieved using the private key.

EXAMPLES:

 List vaults:
   ipa vault-find
       [--user <user>|--service <service>|--shared]

 Add a standard vault:
   ipa vault-add <name>
       [--user <user>|--service <service>|--shared]

 Add a symmetric vault:
   ipa vault-add <name>
       [--user <user>|--service <service>|--shared]
       --type symmetric --password-file password.txt

 Add an asymmetric vault:
   ipa vault-add <name>
       [--user <user>|--service <service>|--shared]
       --type asymmetric --public-key-file public.pem

 Show a vault:
   ipa vault-show <name>
       [--user <user>|--service <service>|--shared]

 Modify a vault:
   ipa vault-mod <name>
       [--user <user>|--service <service>|--shared]
       --desc <description>

 Delete a vault:
   ipa vault-del <name>
       [--user <user>|--service <service>|--shared]

 Display vault configuration:
   ipa vaultconfig-show

 Archive data into standard vault:
   ipa vault-archive <name>
       [--user <user>|--service <service>|--shared]
       --in <input file>

 Archive data into symmetric vault:
   ipa vault-archive <name>
       [--user <user>|--service <service>|--shared]
       --in <input file>
       --password-file password.txt

 Archive data into asymmetric vault:
   ipa vault-archive <name>
       [--user <user>|--service <service>|--shared]
       --in <input file>

 Retrieve data from standard vault:
   ipa vault-retrieve <name>
       [--user <user>|--service <service>|--shared]
       --out <output file>

 Retrieve data from symmetric vault:
   ipa vault-retrieve <name>
       [--user <user>|--service <service>|--shared]
       --out <output file>
       --password-file password.txt

 Retrieve data from asymmetric vault:
   ipa vault-retrieve <name>
       [--user <user>|--service <service>|--shared]
       --out <output file> --private-key-file private.pem

 Add vault owners:
   ipa vault-add-owner <name>
       [--user <user>|--service <service>|--shared]
       [--users <users>]  [--groups <groups>] [--services <services>]

 Delete vault owners:
   ipa vault-remove-owner <name>
       [--user <user>|--service <service>|--shared]
       [--users <users>] [--groups <groups>] [--services <services>]

 Add vault members:
   ipa vault-add-member <name>
       [--user <user>|--service <service>|--shared]
       [--users <users>] [--groups <groups>] [--services <services>]

 Delete vault members:
   ipa vault-remove-member <name>
       [--user <user>|--service <service>|--shared]
       [--users <users>] [--groups <groups>] [--services <services>]

Topic commands:
  vault-add            Create a new vault.
  vault-add-member     Add members to a vault.
  vault-add-owner      Add owners to a vault.
  vault-archive        Archive data into a vault.
  vault-del            Delete a vault.
  vault-find           Search for vaults.
  vault-mod            Modify a vault.
  vault-remove-member  Remove members from a vault.
  vault-remove-owner   Remove owners from a vault.
  vault-retrieve       Retrieve a data from a vault.
  vault-show           Display information about a vault.
  vaultconfig-show     Show vault configuration.

To get command help, use:
  ipa <command> --help


[root@master /]#  ipa vault-add --type=symmetric --password="Test12345" testvault
-----------------------
Added vault "testvault"
-----------------------
  Vault name: testvault
  Type: symmetric
  Salt: v8nxYSOo2sQE4XkfxcdStw==
  Owner users: admin
  Vault user: admin

[root@master /]# ipa vault-archive testvault --password="Test12345" --data=$(echo "My Secret"|base64)
------------------------------------
Archived data into vault "testvault"
------------------------------------


[root@master /]# ipa vault-retrieve testvault --password="Test12345" --out=/tmp/testvault.out
-------------------------------------
Retrieved data from vault "testvault"
-------------------------------------

[root@master /]# cat /tmp/testvault.out
My Secret

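The help text above says a symmetric vault "pre-encrypts the secret using a password before transport" and that the secret "can only be retrieved using the same password", and the vault-add output shows the per-vault Salt that makes this possible. The following is an added, stdlib-only Python model of that flow written for this page; it is not FreeIPA's vault client (which uses the `cryptography` library), and the PBKDF2 iteration count, the HMAC-SHA256 keystream with an encrypt-then-MAC tag, and the in-memory `VaultServer` stand-in for the IPA server and KRA are all assumptions of this example. The point it demonstrates is what the server side ever holds: the salt and an authenticated ciphertext, never the password or the plaintext.

```python
"""Conceptual model of a symmetric vault (illustrative, not FreeIPA code).

The client derives a key from (password, salt) and seals the secret before
sending it; the server stores the salt and the sealed blob only.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption for this model, not FreeIPA's value


class VaultServer:
    """Stand-in for the IPA server + KRA: it never sees a password."""

    def __init__(self):
        self._vaults = {}

    def vault_add(self, name, vault_type="standard"):
        if name in self._vaults:
            raise KeyError(f"vault {name!r} already exists")
        # A symmetric vault gets a random salt at creation ("Salt:" in vault-add output).
        salt = os.urandom(16) if vault_type == "symmetric" else None
        self._vaults[name] = {"type": vault_type, "salt": salt, "data": None}
        return salt

    def vault_salt(self, name):
        return self._vaults[name]["salt"]

    def vault_archive(self, name, blob):
        self._vaults[name]["data"] = bytes(blob)

    def vault_retrieve(self, name):
        return self._vaults[name]["data"]


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (32-byte encryption key, 32-byte MAC key)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (a substitute for AES here)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    """Verify the tag before decrypting; a wrong password fails here, not with garbage output."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def archive_symmetric(server, name, password, secret):
    """Client side of 'ipa vault-archive ... --password' in this model."""
    enc_key, mac_key = derive_keys(password, server.vault_salt(name))
    server.vault_archive(name, seal(enc_key, mac_key, secret))


def retrieve_symmetric(server, name, password):
    """Client side of 'ipa vault-retrieve ... --password' in this model."""
    enc_key, mac_key = derive_keys(password, server.vault_salt(name))
    return unseal(enc_key, mac_key, server.vault_retrieve(name))


def demo():
    """Mirror the session above: returns (recovered, plaintext_visible_to_server, wrong_pw_rejected)."""
    server = VaultServer()
    server.vault_add("testvault", "symmetric")
    archive_symmetric(server, "testvault", "Test12345", b"My Secret")  # constructed sample
    leaked = b"My Secret" in server.vault_retrieve("testvault")
    recovered = retrieve_symmetric(server, "testvault", "Test12345")
    try:
        retrieve_symmetric(server, "testvault", "wrong-password")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return recovered, leaked, wrong_rejected


if __name__ == "__main__":
    print(demo())
```

Because the tag is checked before decryption, a wrong password produces a clean failure rather than silently returning garbage, which is the behaviour a practitioner should expect from any client-side pre-encryption scheme in front of a vault.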
Comment 21 errata-xmlrpc 2015-11-19 12:02:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

