
sureshg/secrets-proxy


Kotlin OneOps Secrets Proxy


A secure proxy service for managing OneOps secrets.

OneOps Secrets-Proxy Keystores

The following trust-stores/keystores are used by the Secrets-proxy application.

  • keywhiz_proxy_keystore.p12

    The default TLS server certificate for Keywhiz-Proxy application. This is a self-signed TLS cert with the following details.

    • Common Name : keywhiz-proxy.dev.oneops.com
    • Key Password : kwproxy-password
    • Store Password : kwproxy-password
    For production deployment, contact your infosec team to get a new TLS server certificate.
    
  • keywhiz_keystore.p12

    The keywhiz automation mTLS client certificate, used for all the keywhiz server automation API calls. Make sure the client is registered on the keywhiz server with automationAllowed=true. The client cert has to be trusted by the same Root CA used on the keywhiz server.

    For production deployment, contact your infosec/keywhiz server team to get a new TLS client certificate.
    
  • keywhiz_truststore.p12

    The keywhiz server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for all the keywhiz server admin/automation API calls.

    For production deployment, use openssl to create a trust-store for your keywhiz server, or use a tool like InstallCerts to auto-generate the trust-store from the TLS endpoint.

  • ldap_truststore.p12

    Your LDAP/AD server trust-store, containing the trusted CA (Certificate Authorities) certs or cert chains. Used for AD/LDAP user authentication APIs.

    For production deployment, use openssl to create a trust-store for your AD/LDAP server, or use a tool like InstallCerts to auto-generate the trust-store from the TLS endpoint.
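The two production notes above both come down to the same openssl recipe: capture the chain a TLS endpoint presents, wrap the CA certificate(s) in a certificate-only PKCS12 trust-store, and check that the mTLS client certificate (the one in keywhiz_keystore.p12) chains to a CA held in that store. The script below is an added example, not code from the secrets-proxy project; it assumes only the openssl CLI (keytool is used when present) and any host names, file names and the password "changeit" are placeholders. One Java-specific caveat it handles: a cert-only PKCS12 written by plain openssl has no JDK "trusted key usage" attribute, so keytool -list reports 0 entries and the JVM will not trust it; keytool or OpenSSL's -jdktrust option (where the installed openssl supports it) sets that attribute.

```shell
#!/bin/sh
# Added example (not part of the secrets-proxy project): build PKCS12
# trust-stores such as keywhiz_truststore.p12 / ldap_truststore.p12 from a TLS
# endpoint's certificate chain, and verify a client cert against the store.
# Assumes the openssl CLI; keytool is optional. Host names are placeholders.
set -eu

# Capture the chain a TLS endpoint presents (leaf first, then intermediates)
# into a PEM file. Only public certificates are fetched, never a key.
# Prefer putting the issuing CA, not the leaf, into a trust-store: a pinned
# leaf breaks on every certificate rotation.
fetch_chain() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Build a certificate-only PKCS12 trust-store from a PEM chain.
# Java only treats cert-only PKCS12 entries as trusted when they carry the JDK
# "trusted key usage" attribute: keytool sets it, OpenSSL 3 can with -jdktrust,
# older openssl writes a plain cert bag (fine for openssl tooling, 0 entries
# for keytool/the JVM).
build_truststore() {
  pem=$1; out=$2; pass=$3
  rm -f "$out"
  if command -v keytool >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    # one file per certificate: cert-1.pem, cert-2.pem, ...
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n>0 {print > (d "/cert-" n ".pem")}' "$pem"
    for f in "$tmp"/cert-*.pem; do
      keytool -importcert -noprompt -storetype PKCS12 -keystore "$out" \
        -storepass "$pass" -alias "$(basename "$f" .pem)" -file "$f" >/dev/null 2>&1
    done
    rm -rf "$tmp"
  elif openssl pkcs12 -help 2>&1 | grep -q -- '-jdktrust'; then
    openssl pkcs12 -export -nokeys -jdktrust anyExtendedKeyUsage \
      -in "$pem" -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -nokeys -in "$pem" -out "$out" -passout "pass:$pass"
  fi
}

# Print the certificates stored in a PKCS12 trust-store as PEM (no keys).
# The -legacy retry covers stores written by JDK 8 keytool (RC2/3DES PBE),
# which OpenSSL 3 refuses to read without the legacy provider.
dump_certs() {
  { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    || openssl pkcs12 -legacy -in "$1" -passin "pass:$2" -nokeys 2>/dev/null; } \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

count_certs() { dump_certs "$1" "$2" | grep -c 'BEGIN CERTIFICATE'; }

# Return 0 when the client certificate (PEM) chains to a CA in the trust-store,
# 1 otherwise. This is the "trusted by the same Root CA" check for the
# keywhiz automation client cert.
verify_against_truststore() {
  p12=$1; pass=$2; client_pem=$3
  ca=$(mktemp)
  dump_certs "$p12" "$pass" >"$ca"
  if openssl verify -CAfile "$ca" "$client_pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$ca"
  return $rc
}

# Usage (placeholder host names):
#   fetch_chain keywhiz.dev.oneops.com 4444 keywhiz-chain.pem
#   build_truststore keywhiz-chain.pem keywhiz_truststore.p12 changeit
#   count_certs keywhiz_truststore.p12 changeit
#   verify_against_truststore keywhiz_truststore.p12 changeit client.pem
```

Run the same four steps against your AD/LDAP endpoint (port 636) to produce ldap_truststore.p12. If keytool -list -keystore keywhiz_truststore.p12 -storepass changeit shows 0 entries, the store was written without the JDK trust attribute: rebuild it with keytool or a -jdktrust-capable openssl before pointing the proxy at it.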

Docker

  • Build the image

     $ ./mvnw clean package
     $ docker build -t secrets-proxy:1.1.0 .
    
  • Run

     $ docker run -it --rm --name secrets-proxy -p 8443:8443  -e name=Secrets-Proxy -d secrets-proxy:1.1.0
     $ open https://localhost:8443/
    
  • Debugging and Logs

    $ docker exec -it secrets-proxy sh
    # cd log/
    /log # ls -ltrh
    total 64
    drwxr-xr-x    2 root     root        4.0K Aug  9 21:50 audit
    drwxr-xr-x    2 root     root        4.0K Aug  9 21:50 access
    -rw-r--r--    1 root     root       54.0K Aug  9 21:51 keywhiz-proxy.log
    
    set -o allexport
    source conf-file
    set +o allexport
    

Generate JOOQ source.

 $ ./mvnw clean package -P generate
 # $ ./mvnw versions:display-dependency-updates

Misc

TODO

  • Move the automation client to Retrofit.
  • X509 Authentication ??
  • Update to the latest keysync.
  • Feature toggles implementation.
  • Http2/Grpc (maybe with JDK 9)
  • JTI claim to maintain list of blacklisted or revoked tokens.
  • Springboot admin integration.

Why we chose Spring Boot


Requires Java 8 or later.