Java and Certmonger
Earlier this week, I got some advice from John Dennis on how to set up the certificates for a Java based web application. The certificates were to be issued by the Dogtag instance in a Red Hat Identity...

Certmonger, SELinux and Keystores in random locations
In my last post, SELinux was reporting AVCs when certmonger tried to access an NSS Database in a non-standard location. To get rid of the AVC, and get SELinux to allow the operations, we need to deal...

Java and Certmonger Continued
Now that I know that I can do things like read the Keys from a Programmatic registered provider and properly set up SELinux to deal with it, I want to see if I can make this work for a pre-compiled...

Java on Port 443
I’ve been working on setting up a Java based SAML provider. This means that the application needs to handle requests and responses over HTTPS. And, since often this is deployed in data centers where...

OpenStack Role Assignment Inheritance for CloudForms
Operators expect to use CloudForms to perform administrative tasks. For this reason, the documentation for OpenStack states that the Keystone user must have an ‘admin’ role. We found at least one case,...

Enable Logging for root Certmonger
While trying to debug an Ansible module calling Certmonger, I found myself afoul of some mistake I could not quite trace. Certmonger was having trouble reading the key to generate the certificate. But...

Inspecting Keystone Routes
What Policy is enforced when you call a Keystone API? Right now, there is no definitive way to say. However, with some programmatic help, we might be able to figure it out from the source code. Let's...

Generating a Callgraph for Keystone
Once I know a starting point for a call, I want to track the other functions that it calls. pycallgraph will generate an image that shows me that. All this is done inside the virtual env set up by tox...

Managing CloudForms’ Certificates with certmonger
When you enroll CloudForms with an IdM Server, you do not automatically get the HTTPS certificates from that server. It takes a deliberate additional step to do so. Since I am using Ansible to...

Generating a list of URL patterns for OpenStack services.
Last year at the Boston OpenStack summit, I presented on an idea of using URL patterns to enforce RBAC. While this idea is on hold for the time being, a related approach is moving forward building on...

Launching Custom Image VMs on Azure With Ansible
Part of my job is making sure our customers can run our software in Public clouds. Recently, I was able to get CloudForms Management Engine (CFME) to deploy to Azure. Once I got it done manually, I...

Ansible, Azure, and Managed Disks
Many applications have a data directory, usually due to having an embedded database. For the set I work with, this includes Red Hat IdM/FreeIPA, CloudForms/ManageIQ, Ansible Tower/AWX, and...

Home made Matzo
Sufficient quantities to afflict everyone. Recipe found from the story here.

Recursive DNS and FreeIPA
DNS is essential to Kerberos. Kerberos Identity for servers is based around host names, and if you don’t have a common view between client and server, you will not be able to access your remote...

Comparing Istio and Keystone Middleware
One way to learn a new technology is to compare it to what you already know. I’ve heard a lot about Istio, and I don’t really grok it yet, so this post is my attempt to get the ideas solid in my own...

Comparing Keystone and Istio RBAC
To continue with my previous investigation into Istio, and to continue the comparison with the comparable parts of OpenStack, I want to dig deeper into how Istio performs RBAC. Specifically, I would love...

Minicom to a Juniper SRX-220
Cluster computing requires a cluster of computers. For the past several years, I have been attempting to get work done without having a home cluster. This is no longer tenable, and I need to build my...

Tracking Quota
This OpenStack summit marks the third that I have attended where we’ve discussed the algorithms to try and record quota in Keystone but not update it on each resource allocation and free. We were...

Passwordless access to System libvirt on Fedora 28
I can connect to the system libvirtd on my system without a password. I set this up some time ago, and forgot how, so figured I would document it. To check that I can connect via virsh to the libvirt...

Command line VPN connection
I need to connect to my office via VPN. Fedora has a point and click interface, but I am trying to minimize mouse usage. So, instead I have a small bash function that does it for me. I have an OTP that...