[DEFAULT] # Show debugging output in logs (sets DEBUG log level output) #debug = True # Address to bind the API server bind_host = 0.0.0.0 # Port to bind the API server to bind_port = 9311 # Host name, for use in HATEOAS-style references # Note: Typically this would be the load balanced endpoint that clients would use # communicate back with this service. # If a deployment wants to derive host from wsgi request instead then make this # blank. Blank is needed to override default config value which is # 'http://localhost:9311'. host_href = http://localhost:9311 # Log to this file. Make sure you do not set the same log # file for both the API and registry servers! #log_file = /var/log/barbican/api.log # Backlog requests when creating socket backlog = 4096 # TCP_KEEPIDLE value in seconds when creating socket. # Not supported on OS X. #tcp_keepidle = 600 # Maximum allowed http request size against the barbican-api max_allowed_secret_in_bytes = 10000 max_allowed_request_size_in_bytes = 1000000 # SQLAlchemy connection string for the reference implementation # registry server. Any valid SQLAlchemy connection string is fine. # See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine # Uncomment this for local dev, putting db in project directory: #sql_connection = sqlite:///barbican.sqlite # Note: For absolute addresses, use '////' slashes after 'sqlite:' # Uncomment for a more global development environment sql_connection = sqlite:////var/lib/barbican/barbican.sqlite # Period in seconds after which SQLAlchemy should reestablish its connection # to the database. # # MySQL uses a default `wait_timeout` of 8 hours, after which it will drop # idle connections. This can result in 'MySQL Gone Away' exceptions. If you # notice this, you can lower this value to ensure that SQLAlchemy reconnects # before MySQL can drop the connection. sql_idle_timeout = 3600 # Accepts a class imported from the sqlalchemy.pool module, and handles the # details of building the pool for you. If commented out, SQLAlchemy # will select based on the database dialect. Other options are QueuePool # (for SQLAlchemy-managed connections) and NullPool (to disabled SQLAlchemy # management of connections). # See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details. #sql_pool_class = QueuePool # Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level # output) if specified. #sql_pool_logging = True # Size of pool used by SQLAlchemy. This is the largest number of connections # that will be kept persistently in the pool. Can be set to 0 to indicate no # size limit. To disable pooling, use a NullPool with sql_pool_class instead. # Comment out to allow SQLAlchemy to select the default. #sql_pool_size = 5 # The maximum overflow size of the pool used by SQLAlchemy. When the number of # checked-out connections reaches the size set in sql_pool_size, additional # connections will be returned up to this limit. It follows then that the # total number of simultaneous connections the pool will allow is # sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no # overflow limit, so no limit will be placed on the total number of concurrent # connections. Comment out to allow SQLAlchemy to select the default. #sql_pool_max_overflow = 10 # Default page size for the 'limit' paging URL parameter. default_limit_paging = 10 # Maximum page size for the 'limit' paging URL parameter. max_limit_paging = 100 # Role used to identify an authenticated user as administrator #admin_role = admin # Allow unauthenticated users to access the API with read-only # privileges. This only applies when using ContextMiddleware. #allow_anonymous_access = False # Allow access to version 1 of barbican api #enable_v1_api = True # Allow access to version 2 of barbican api #enable_v2_api = True # ================= SSL Options =============================== # Certificate file to use when starting API server securely #cert_file = /path/to/certfile # Private key file to use when starting API server securely #key_file = /path/to/keyfile # CA certificate file to use to verify connecting clients #ca_file = /path/to/cafile # ================= Security Options ========================== # AES key for encrypting store 'location' metadata, including # -- if used -- Swift or S3 credentials # Should be set to a random string of length 16, 24 or 32 bytes #metadata_encryption_key = <16, 24 or 32 char registry metadata key> # ================= Queue Options - oslo.messaging ========================== [oslo_messaging_rabbit] # Rabbit and HA configuration: amqp_durable_queues = True rabbit_userid=guest rabbit_password=guest rabbit_ha_queues = True rabbit_port=5672 # For HA, specify queue nodes in cluster, comma delimited: # For example: rabbit_hosts=192.168.50.8:5672, 192.168.50.9:5672 rabbit_hosts=localhost:5672 # For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset': # For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/ # DO NOT USE THIS, due to '# FIXME(markmc): support multiple hosts' in oslo/messaging/_drivers/amqpdriver.py # transport_url = rabbit://guest@localhost:5672/ [oslo_messaging_notifications] # oslo notification driver for sending audit events via audit middleware. # Meaningful only when middleware is enabled in barbican paste ini file. # This is oslo config MultiStrOpt so can be defined multiple times in case # there is need to route audit event to messaging as well as log. # driver = messagingv2 # driver = log # ======== OpenStack policy - oslo_policy =============== [oslo_policy] # ======== OpenStack policy integration # JSON file representing policy (string value) policy_file=/etc/barbican/policy.json # Rule checked when requested rule is not found (string value) policy_default_rule=default # ================= Queue Options - Application ========================== [queue] # Enable queuing asynchronous messaging. # Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode) enable = False # Namespace for the queue namespace = 'barbican' # Topic for the queue topic = 'barbican.workers' # Version for the task API version = '1.1' # Server name for RPC service server_name = 'barbican.queue' # Number of asynchronous worker processes. # When greater than 1, then that many additional worker processes are # created for asynchronous worker functionality. asynchronous_workers = 1 # ================= Retry/Scheduler Options ========================== [retry_scheduler] # Seconds (float) to wait between starting retry scheduler initial_delay_seconds = 10.0 # Seconds (float) to wait between starting retry scheduler periodic_interval_max_seconds = 10.0 # ====================== Quota Options =============================== [quotas] # For each resource, the default maximum number that can be used for # a project is set below. This value can be overridden for each # project through the API. A negative value means no limit. A zero # value effectively disables the resource. # default number of secrets allowed per project quota_secrets = -1 # default number of orders allowed per project quota_orders = -1 # default number of containers allowed per project quota_containers = -1 # default number of consumers allowed per project quota_consumers = -1 # default number of CAs allowed per project quota_cas = -1 # ================= Keystone Notification Options - Application =============== [keystone_notifications] # Keystone notification functionality uses transport related configuration # from barbican common configuration as defined under # 'Queue Options - oslo.messaging' comments. # The HA related configuration is also shared with notification server. # True enables keystone notification listener functionality. enable = False # The default exchange under which topics are scoped. # May be overridden by an exchange name specified in the transport_url option. control_exchange = 'openstack' # Keystone notification queue topic name. # This name needs to match one of values mentioned in Keystone deployment's # 'notification_topics' configuration e.g. # notification_topics=notifications, barbican_notifications # Multiple servers may listen on a topic and messages will be dispatched to one # of the servers in a round-robin fashion. That's why Barbican service should # have its own dedicated notification queue so that it receives all of Keystone # notifications. topic = 'notifications' # True enables requeue feature in case of notification processing error. # Enable this only when underlying transport supports this feature. allow_requeue = False # Version of tasks invoked via notifications version = '1.0' # Define the number of max threads to be used for notification server # processing functionality. thread_pool_size = 10 # ================= Secret Store Plugin =================== [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = store_crypto # ================= Crypto plugin =================== [crypto] namespace = barbican.crypto.plugin enabled_crypto_plugins = simple_crypto [simple_crypto_plugin] # the kek should be a 32-byte value which is base64 encoded kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=' # User friendly plugin name # plugin_name = 'Software Only Crypto' [dogtag_plugin] pem_path = '/etc/barbican/kra_admin_cert.pem' dogtag_host = localhost dogtag_port = 8443 nss_db_path = '/etc/barbican/alias' nss_db_path_ca = '/etc/barbican/alias-ca' nss_password = 'password123' simple_cmc_profile = 'caOtherCert' ca_expiration_time = 1 plugin_working_dir = '/etc/barbican/dogtag' # User friendly plugin name # plugin_name = 'Dogtag KRA' [p11_crypto_plugin] # Path to vendor PKCS11 library library_path = '/usr/lib/libCryptoki2_64.so' # Password to login to PKCS11 session login = 'mypassword' # Label to identify master KEK in the HSM (must not be the same as HMAC label) mkek_label = 'an_mkek' # Length in bytes of master KEK mkek_length = 32 # Label to identify HMAC key in the HSM (must not be the same as MKEK label) hmac_label = 'my_hmac_label' # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1 # slot_id = 1 # Enable Read/Write session with the HSM? # rw_session = True # Length of Project KEKs to create # pkek_length = 32 # How long to cache unwrapped Project KEKs # pkek_cache_ttl = 900 # Max number of items in pkek cache # pkek_cache_limit = 100 # User friendly plugin name # plugin_name = 'PKCS11 HSM' # ================== KMIP plugin ===================== [kmip_plugin] username = 'admin' password = 'password' host = localhost port = 5696 keyfile = '/path/to/certs/cert.key' certfile = '/path/to/certs/cert.crt' ca_certs = '/path/to/certs/LocalCA.crt' # User friendly plugin name # plugin_name = 'KMIP HSM' # ================= Certificate plugin =================== [certificate] namespace = barbican.certificate.plugin enabled_certificate_plugins = simple_certificate enabled_certificate_plugins = snakeoil_ca [certificate_event] namespace = barbican.certificate.event.plugin enabled_certificate_event_plugins = simple_certificate_event [snakeoil_ca_plugin] ca_cert_path = /etc/barbican/snakeoil-ca.crt ca_cert_key_path = /etc/barbican/snakeoil-ca.key ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b subca_cert_key_directory=/etc/barbican/snakeoil-cas [cors] # # From oslo.middleware.cors # # Indicate whether this resource may be shared with the domain # received in the requests "origin" header. (list value) #allowed_origin = # Indicate that the actual request can include user credentials # (boolean value) #allow_credentials = true # Indicate which headers are safe to expose to the API. Defaults to # HTTP Simple Headers. (list value) #expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles # Maximum cache age of CORS preflight requests. (integer value) #max_age = 3600 # Indicate which methods can be used during the actual request. (list # value) #allow_methods = GET,PUT,POST,DELETE,PATCH # Indicate which header field names may be used during the actual # request. (list value) #allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles [cors.subdomain] # # From oslo.middleware.cors # # Indicate whether this resource may be shared with the domain # received in the requests "origin" header. (list value) #allowed_origin = # Indicate that the actual request can include user credentials # (boolean value) #allow_credentials = true # Indicate which headers are safe to expose to the API. Defaults to # HTTP Simple Headers. (list value) #expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles # Maximum cache age of CORS preflight requests. (integer value) #max_age = 3600 # Indicate which methods can be used during the actual request. (list # value) #allow_methods = GET,PUT,POST,DELETE,PATCH # Indicate which header field names may be used during the actual # request. (list value) #allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles [oslo_middleware] # # From oslo.middleware.http_proxy_to_wsgi # # Wether the application is behind a proxy or not. This determines if # the middleware should parse the headers or not. (boolean value) #enable_proxy_headers_parsing = false