Traffic Vault Administration¶
Installing Traffic Vault¶
In order to successfully store private keys you will need to install Riak. The latest version of Riak can be downloaded on the Riak website. The installation instructions for Riak can be found here.
Production is currently running version 2.0.5 of Riak, but the latest version should suffice.
Configuring Traffic Vault¶
The following steps were taken to configure Riak in our environments.
Riak configuration file configuration¶
The following steps need to be performed on each Riak server in the cluster:
- Log into riak server as root
- cd to /etc/riak/
- Update the following in riak.conf to reflect your IP:
- nodename = riak@a-host.sys.kabletown.net
- listener.http.internal = a-host.sys.kabletown.net:8098 (can be 80 - This endpoint will not work with sec enabled)
- listener.protobuf.internal = a-host.sys.kabletown.net:8087 (can be different port if you want)
- listener.https.internal = a-host.sys.kabletown.net:8088 (can be 443)
- Updated the following conf file to point to your cert files
- ssl.certfile = /etc/riak/certs/server.crt
- ssl.keyfile = /etc/riak/certs/server.key
- ssl.cacertfile = /etc/pki/tls/certs/ca-bundle.crt
- Add a line at the bottom of the config for tlsv1
- tls_protocols.tlsv1 = on
- Once the config file has been updated restart riak
/etc/init.d/riak restart
- Validate server is running by going to the following URL:
- https://<serverHostname>:8088/ping
Riak-admin configuration¶
Riak-admin is a command line utility that needs to be run as root on a server in the riak cluster.
- Assumptions:
- Riak 2.0.2 or greater is installed
- SSL Certificates have been generated (signed or self-signed)
- Root access to riak servers
- Add admin user and riakuser to riak
- Admin user will be a super user
- Riakuser will be the application user
Login to one of the riak servers in the cluster as root (any will do)
Enable security
riak-admin security enable
Add groups
riak-admin security add-group admins
riak-admin security add-group keysusers
Add users
Note
username and password should be stored in /opt/traffic_ops/app/conf/<environment>/riak.conf
riak-admin security add-user admin password=<AdminPassword> groups=admins
riak-admin security add-user riakuser password=<RiakUserPassword> groups=keysusers
Grant access for admin and riakuser
riak-admin security add-source riakuser 0.0.0.0/0 password
riak-admin security add-source admin 0.0.0.0/0 password
Grant privs to admins for everything
riak-admin security grant riak_kv.list_buckets,riak_kv.list_keys,riak_kv.get,riak_kv.put,riak_kv.delete on any to admins
Grant privs to keysuser for ssl, dnssec, and url_sig_keys buckets only
riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default ssl to keysusers
riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default dnssec to keysusers
riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default url_sig_keys to keysusers
riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default cdn_uri_sig_keys to keysusers
See also
For more information on security in Riak, see the Riak Security documentation.
See also
For more information on authentication and authorization in Riak, see the Riak Authentication and Authorization documentation.
Traffic Ops Configuration¶
There are a couple configurations that are necessary in Traffic Ops.
- Database Updates
- A new profile for Riak needs to be added to the profile table
- A new type of Riak needs to be added to the type table
- The servers in the Riak cluster need to be added to the server table
Note
profile and type data should be pre-loaded by seeds sql script.
- Configuration updates
- /opt/traffic_ops/app/conf/<environment>/riak.conf needs to be updated to reflect the correct username and password for accessing riak.
Configuring Riak Search¶
In order to more effectively support retrieval of SSL certificates by Traffic Router and Traffic Ops ORT, Traffic Vault uses Riak search. Riak Search uses Apache Solr for indexing and searching of records. The following explains how to enable, configure, and validate Riak Search.
Riak Configuration¶
On Each Riak Server:
- If java is not already installed on your Riak server, install Java
- To see if Java is already installed:
java -version
- To install Java:
yum install -y jdk
- To see if Java is already installed:
- enable search in riak.conf
vim /etc/riak/riak.conf
- look for search and change
search = off
tosearch = on
- Restart Riak so search is on
service riak restart
One time configuration:
- On one of the Riak servers in the cluster run the following riak-admin commands
riak-admin security grant search.admin on schema to admin
riak-admin security grant search.admin on index to admin
riak-admin security grant search.query on index to admin
riak-admin security grant search.query on index sslkeys to admin
riak-admin security grant search.query on index to riakuser
riak-admin security grant search.query on index sslkeys to riakuser
riak-admin security grant riak_core.set_bucket on any to admin
- Add the search schema to Riak. This schema is a simple Apache Solr configuration file which will index all records on cdn, hostname, and deliveryservice.
- Get the schema file by either cloning the project and going to traffic_ops/app/config/misc/riak_search or from github.
- Use curl to add the schema to riak:
curl -kvs -XPUT "https://admin:pass@riakserver:8088/search/schema/sslkeys" -H 'Content-Type:application/xml' -d @sslkeys.xml
- Add search index to Riak
- run the following curl command:
curl -kvs -XPUT "https://admin:pass@riakserver:8088/search/index/sslkeys" -H 'Content-Type: application/json' -d '{"schema":"sslkeys"}'
- run the following curl command:
- Associate the sslkeys index to the ssl bucket in Riak
- run the following curl command:
curl -kvs -XPUT "https://admin:pass@riakserver:8088/buckets/ssl/props" -H'content-type:application/json' -d'{"props":{"search_index":"sslkeys"}}'
- run the following curl command:
Riak Search (using Apache Solr) will now index all NEW records that are added to the “ssl” bucket. The cdn, deliveryservice, and hostname fields are indexed and when a search is performed riak will return the indexed fields along with the crt and key values for a ssl record. In order to add the indexed fields to current records and to get the current records added, a standalone script needs to be run. The following explains how to run the script.
- Get script from github either by cloning the project and going to traffic_ops/app/script or from here
- Run the script by performing the following command
./update_riak_for_search.pl -to_url=https://traffic-ops.kabletown.net -to_un=user -to_pw=password
Validate the search is working by querying against Riak directly:
curl -kvs "https://admin:password@riakserver:8088/search/query/sslkeys?wt=json&q=cdn:mycdn"
Validation can also be done by querying Traffic Ops:
curl -Lvs -H "Cookie: $COOKIE" https://traffic-ops.kabletown.net/api/1.2/cdns/name/mycdn/sslkeys.json