Traffic Vault Administration

Installing Traffic Vault

In order to successfully store private keys you will need to install Riak. The latest version of Riak can be downloaded from the Riak website, and the installation instructions for Riak can be found here. Based on experience, version 2.0.5 of Riak is recommended, but the latest version should suffice.

Configuring Traffic Vault

The following steps were taken to configure Riak in Comcast production environments.

Self-Signed Certificate Configuration

Note

Self-signed certificates are not recommended for production use; they are intended for development or learning purposes only. Modify the certificate subject (the -subj argument below) as necessary.

Self-Signed Certificate Configuration
    cd ~
    mkdir certs
    cd certs
    # Create a private CA key and a self-signed CA certificate valid for 365 days
    openssl genrsa -out ca-bundle.key 2048
    openssl req -new -key ca-bundle.key -out ca-bundle.csr -subj "/C=US/ST=CO/L=DEN/O=somecompany/OU=CDN/CN=somecompany.net/emailAddress=someuser@somecompany.net"
    openssl x509 -req -days 365 -in ca-bundle.csr -signkey ca-bundle.key -out ca-bundle.crt
    # Create the Riak server key and CSR, then sign the CSR with the CA created above
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr -subj "/C=US/ST=CO/L=DEN/O=somecompany/OU=CDN/CN=somecompany.net/emailAddress=someuser@somecompany.net"
    openssl x509 -req -days 365 -in server.csr -CA ca-bundle.crt -CAkey ca-bundle.key -CAcreateserial -out server.crt
    # Install the files where riak.conf will reference them (requires root);
    # server.key should remain readable only by the user Riak runs as
    mkdir /etc/riak/certs
    mv -f server.crt /etc/riak/certs/.
    mv -f server.key /etc/riak/certs/.
    mv -f ca-bundle.crt /etc/pki/tls/certs/.

Riak Configuration File

The following steps need to be performed on each Riak server in the cluster:

  1. Log into the Riak server as root

  2. Update the following settings in riak.conf to reflect your IP address, hostname, and CDN domains and sub-domains:

    • nodename = riak@a-host.sys.kabletown.net
    • listener.http.internal = a-host.sys.kabletown.net:8098 (the port can be 80; this endpoint will not work over HTTPS)
    • listener.protobuf.internal = a-host.sys.kabletown.net:8087 (a different port can be used if desired)
    • listener.https.internal = a-host.sys.kabletown.net:8088 (the port can be 443)
  3. Update the following settings in riak.conf to point to your SSL certificate files:

    • ssl.certfile = /etc/riak/certs/server.crt
    • ssl.keyfile = /etc/riak/certs/server.key
    • ssl.cacertfile = /etc/pki/tls/certs/ca-bundle.crt
  4. Add a line at the bottom of riak.conf enabling TLSv1 by setting tls_protocols.tlsv1 = on

  5. Once the configuration file has been updated, restart Riak

  6. Consult the Riak documentation for instructions on how to verify the installed service
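To check an edited riak.conf against the settings required in steps 2 through 4 before restarting Riak, here is an added example script (not part of Traffic Control or Riak); the parser, the sample configuration and the placeholder hostname are its own assumptions.

```python
import re

# Settings that steps 2 through 4 above require; None means any value is fine.
REQUIRED = {
    "nodename": None,
    "listener.http.internal": None,
    "listener.protobuf.internal": None,
    "listener.https.internal": None,
    "ssl.certfile": None,
    "ssl.keyfile": None,
    "ssl.cacertfile": None,
    "tls_protocols.tlsv1": "on",
}
LISTENERS = [k for k in REQUIRED if k.startswith("listener.")]

def parse_riak_conf(text):
    # riak.conf is 'key = value' per line; lines starting with '#' are comments
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            settings[key.strip()] = value.strip()
    return settings

def check_traffic_vault_conf(text):
    # Returns a list of problems; an empty list means the config passes
    conf = parse_riak_conf(text)
    problems = []
    for key, expected in REQUIRED.items():
        if key not in conf:
            problems.append(f"missing {key}")
        elif expected is not None and conf[key] != expected:
            problems.append(f"{key} is {conf[key]!r}, expected {expected!r}")
    # Listeners must be host:port, and no two listeners may share a port.
    ports = {}
    for key in LISTENERS:
        match = re.fullmatch(r"(\S+):(\d+)", conf.get(key, ""))
        if key in conf and not match:
            problems.append(f"{key} is not in host:port form")
        elif match and ports.setdefault(match.group(2), key) != key:
            problems.append(f"{key} reuses port {match.group(2)} of {ports[match.group(2)]}")
    return problems

# Constructed sample; the kabletown.net hostname is the placeholder used above.
SAMPLE_CONF = """\
nodename = riak@a-host.sys.kabletown.net
listener.http.internal = a-host.sys.kabletown.net:8098
listener.protobuf.internal = a-host.sys.kabletown.net:8087
listener.https.internal = a-host.sys.kabletown.net:8088
ssl.certfile = /etc/riak/certs/server.crt
ssl.keyfile = /etc/riak/certs/server.key
ssl.cacertfile = /etc/pki/tls/certs/ca-bundle.crt
tls_protocols.tlsv1 = on
"""
```

Run check_traffic_vault_conf on the contents of the real riak.conf; any string it returns names a setting that still needs attention.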

riak-admin Configuration

riak-admin is a command line utility used to configure Riak. It needs to be run as root on a server in the Riak cluster.

Traffic Vault Setup with riak-admin
    # This script need only be run on any *one* Riak server in the cluster

    # Enable security and create the access groups
    riak-admin security enable
    riak-admin security add-group admins
    riak-admin security add-group keysusers

    # User name and password should be stored in
    # /opt/traffic_ops/app/conf/<environment>/riak.conf on the Traffic Ops
    # server.
    # In this example, we assume the usernames 'admin' and 'riakuser' with
    # respective passwords stored in the ADMIN_PASSWORD and RIAK_USER_PASSWORD
    # environment variables (quoted so that special characters survive intact)
    riak-admin security add-user admin password="$ADMIN_PASSWORD" groups=admins
    riak-admin security add-user riakuser password="$RIAK_USER_PASSWORD" groups=keysusers
    # 0.0.0.0/0 permits password authentication from any source address;
    # a narrower CIDR covering only the Traffic Ops servers is preferable
    riak-admin security add-source riakuser 0.0.0.0/0 password
    riak-admin security add-source admin 0.0.0.0/0 password

    # Grant privileges to the admins group for everything
    riak-admin security grant riak_kv.list_buckets,riak_kv.list_keys,riak_kv.get,riak_kv.put,riak_kv.delete on any to admins

    # Grant privileges to the keysusers group for the ssl, dnssec, url_sig_keys, and cdn_uri_sig_keys buckets only
    riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default ssl to keysusers
    riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default dnssec to keysusers
    riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default url_sig_keys to keysusers
    riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete on default cdn_uri_sig_keys to keysusers

See also

For more information on security in Riak, see the Riak Security documentation.

See also

For more information on authentication and authorization in Riak, see the Riak Authentication and Authorization documentation.

Traffic Ops Configuration

Before a fully set-up Traffic Vault instance may be used, it must be added as a server to Traffic Ops. The easiest way to accomplish this is via Traffic Portal at Configure ‣ Servers, though a server may also be added using lower-level tools and/or scripts. The Traffic Ops configuration file /opt/traffic_ops/app/conf/<environment>/riak.conf for the appropriate environment must also be updated to reflect the correct username and password for accessing the Riak database.