Traffic Vault Administration

Installing Traffic Vault

In order to store private keys you will need to install Riak. The latest version of Riak can be downloaded from the Riak website, and the installation instructions for Riak can be found there as well.

Based on experience, version 2.0.5 of Riak is recommended, but the latest version should suffice.

Configuring Traffic Vault

The following steps were taken to configure Riak in Comcast production environments.

Self-Signed Certificate Configuration

Self-signed certificates are not recommended for production use; they are intended for development or learning purposes only. Modify the subject as necessary.

    cd ~
    mkdir certs
    cd certs
    # Create a private CA key and a self-signed CA certificate
    openssl genrsa -out ca-bundle.key 2048
    openssl req -new -key ca-bundle.key -out ca-bundle.csr -subj "/C=US/ST=CO/L=DEN/O=somecompany/OU=CDN/"
    openssl x509 -req -days 365 -in ca-bundle.csr -signkey ca-bundle.key -out ca-bundle.crt
    # Create the Riak server key and a certificate signed by that CA
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr -subj "/C=US/ST=CO/L=DEN/O=somecompany/OU=CDN/"
    openssl x509 -req -days 365 -in server.csr -CA ca-bundle.crt -CAkey ca-bundle.key -CAcreateserial -out server.crt
    # Install the server certificate and key for Riak, and the CA certificate system-wide
    mkdir /etc/riak/certs
    mv -f server.crt /etc/riak/certs/.
    mv -f server.key /etc/riak/certs/.
    mv -f ca-bundle.crt /etc/pki/tls/certs/.

Riak configuration file (riak.conf)

The following steps need to be performed on each Riak server in the cluster:

  • Log in to the Riak server as root
  • cd /etc/riak/
  • Update the following settings in riak.conf to reflect your IP address, hostname and CDN domains/sub-domains:
    • nodename =
    • listener.http.internal = (port can be 80; this endpoint will not work once security is enabled)
    • listener.protobuf.internal = (can be a different port if you want)
    • listener.https.internal = (port can be 443)
  • Update the following settings in the same file to point to your certificate files:
    • ssl.certfile = /etc/riak/certs/server.crt
    • ssl.keyfile = /etc/riak/certs/server.key
    • ssl.cacertfile = /etc/pki/tls/certs/ca-bundle.crt
  • Add a line at the bottom of the configuration file to enable TLSv1:
    • tls_protocols.tlsv1 = on
  • Once the configuration file has been updated, restart Riak:
    • /etc/init.d/riak restart
  • Validate that the server is running by visiting the following URL:
    • https://<serverHostname>:8088/ping
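As an added example (not part of this page or of Traffic Control), the following Python pre-flight check parses a riak.conf and reports any of the settings listed above that are missing or malformed before Riak is restarted; the riak.conf excerpt in it is constructed, with a hypothetical node name and addresses.

```python
# Keys the steps above require in riak.conf; values are site specific.
REQUIRED_KEYS = (
    "nodename", "listener.protobuf.internal", "listener.https.internal",
    "ssl.certfile", "ssl.keyfile", "ssl.cacertfile", "tls_protocols.tlsv1",
)
LISTENERS = ("listener.http.internal", "listener.https.internal",
             "listener.protobuf.internal")

# Constructed riak.conf excerpt (hypothetical node name and addresses).
SAMPLE_CONF = """
nodename = riak@vault01.cdn.example.com
listener.http.internal = 192.0.2.10:80
listener.protobuf.internal = 192.0.2.10:8087
listener.https.internal = 192.0.2.10:8088
ssl.certfile = /etc/riak/certs/server.crt
ssl.keyfile = /etc/riak/certs/server.key
ssl.cacertfile = /etc/pki/tls/certs/ca-bundle.crt
tls_protocols.tlsv1 = on   # added at the bottom of the file
"""

def parse_riak_conf(text):
    """Parse riak.conf 'key = value' lines; '#' begins a comment."""
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def check_riak_conf(text):
    """Return findings; an empty list means the file has the settings above."""
    conf = parse_riak_conf(text)
    findings = ["missing: " + k for k in REQUIRED_KEYS if not conf.get(k)]
    if conf.get("tls_protocols.tlsv1", "on").lower() != "on":
        findings.append("tls_protocols.tlsv1 must be 'on'")
    for key in ("ssl.certfile", "ssl.keyfile", "ssl.cacertfile"):
        if conf.get(key) and not conf[key].startswith("/"):
            findings.append(key + " must be an absolute path")
    ports = {}  # port -> listeners bound to it; each needs its own port
    for key in (k for k in LISTENERS if k in conf):
        host, sep, port = conf[key].rpartition(":")
        if not (sep and host and port.isdigit()):
            findings.append(key + " must be host:port")
        else:
            ports.setdefault(port, []).append(key)
    for port, keys in ports.items():
        if len(keys) > 1:
            findings.append("port %s shared by %s" % (port, ", ".join(keys)))
    return findings
```

Run it as `check_riak_conf(open("/etc/riak/riak.conf").read())` on each node; an empty list means the checklist above is satisfied.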

riak-admin configuration

riak-admin is a command-line utility that must be run as root on a server in the Riak cluster. Prerequisites:

  • Riak 2.0.2 or greater is installed
  • SSL certificates have been generated (signed or self-signed)
  • Root access to the Riak servers

Add an admin user and a riakuser to Riak:
  • admin will be a super user
  • riakuser will be the application user

Log in to one of the Riak servers in the cluster as root (any will do).

  1. Enable security

    riak-admin security enable

  2. Add groups

    riak-admin security add-group admins

    riak-admin security add-group keysusers

  3. Add users

    The user name and password should be stored in /opt/traffic_ops/app/conf/<environment>/riak.conf

    riak-admin security add-user admin password=<AdminPassword> groups=admins

    riak-admin security add-user riakuser password=<RiakUserPassword> groups=keysusers

  4. Allow admin and riakuser to authenticate with a password

    riak-admin security add-source riakuser password

    riak-admin security add-source admin password

  5. Grant the admins group privileges on everything

    riak-admin security grant riak_kv.list_buckets,riak_kv.list_keys,riak_kv.get,riak_kv.put,riak_kv.delete on any to admins

  6. Grant the keysusers group privileges on the ssl, dnssec, url_sig_keys and cdn_uri_sig_keys buckets only

    riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default ssl to keysusers

    riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default dnssec to keysusers

    riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default url_sig_keys to keysusers

    riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default cdn_uri_sig_keys to keysusers

See also

For more information on security in Riak, see the Riak Security documentation.

For more information on authentication and authorization in Riak, see the Riak Authentication and Authorization documentation.

Traffic Ops Configuration

A couple of configuration changes are necessary in Traffic Ops.

  1. Database updates
    • The servers in the Riak cluster need to be added to the server table (TCP Port = 8088, type = RIAK, profile = RIAK_ALL)
  2. Configuration updates
    • /opt/traffic_ops/app/conf/<environment>/riak.conf needs to be updated to reflect the correct username and password for accessing Riak.